[Asterisk-code-review] pjproject: fixed a few bugs (asterisk[master])
Anonymous Coward
asteriskteam at digium.com
Tue Aug 2 10:50:50 CDT 2016
Anonymous Coward #1000019 has submitted this change and it was merged.
Change subject: pjproject: fixed a few bugs
......................................................................
pjproject: fixed a few bugs
This patch fixes the issue in pjsip_tx_data_dec_ref()
when tx_data_destroy can be called more than once,
and checks if invalid value (e.g. NULL) is passed to.
This patch updates array limit checks and docs
in pjsip_evsub_register_pkg() and pjsip_endpt_add_capability().
Change-Id: I4c7a132b9664afaecbd6bf5ea4c951e43e273e40
---
A third-party/pjproject/patches/0001-r5397-pjsip_generic_array_max_count.patch
A third-party/pjproject/patches/0001-r5400-pjsip_tx_data_dec_ref.patch
2 files changed, 82 insertions(+), 0 deletions(-)
Approvals:
George Joseph: Looks good to me, but someone else must approve
Anonymous Coward #1000019: Verified
Joshua Colp: Looks good to me, approved
diff --git a/third-party/pjproject/patches/0001-r5397-pjsip_generic_array_max_count.patch b/third-party/pjproject/patches/0001-r5397-pjsip_generic_array_max_count.patch
new file mode 100644
index 0000000..3cc328a
--- /dev/null
+++ b/third-party/pjproject/patches/0001-r5397-pjsip_generic_array_max_count.patch
@@ -0,0 +1,58 @@
+This patch updates array limit checks and docs
+in pjsip_evsub_register_pkg() and pjsip_endpt_add_capability().
+
+Index: pjsip/include/pjsip/sip_endpoint.h
+===================================================================
+--- a/pjsip/include/pjsip/sip_endpoint.h (revision 5396)
++++ b/pjsip/include/pjsip/sip_endpoint.h (revision 5397)
+@@ -583,7 +583,8 @@
+ * @param hname If htype specifies PJSIP_H_OTHER, then the header name
+ * must be supplied in this argument. Otherwise the value
+ * must be set to NULL.
+- * @param count The number of tags in the array.
++ * @param count The number of tags in the array. The value must not
++ * be greater than PJSIP_GENERIC_ARRAY_MAX_COUNT.
+ * @param tags Array of tags describing the capabilities or extensions
+ * to be added to the appropriate header.
+ *
+Index: pjsip/include/pjsip-simple/evsub.h
+===================================================================
+--- a/pjsip/include/pjsip-simple/evsub.h (revision 5396)
++++ b/pjsip/include/pjsip-simple/evsub.h (revision 5397)
+@@ -246,7 +246,8 @@
+ * registered.
+ * @param event_name Event package identification.
+ * @param expires Default subscription expiration time, in seconds.
+- * @param accept_cnt Number of strings in Accept array.
++ * @param accept_cnt Number of strings in Accept array. The value must
++ * not be greater than PJSIP_GENERIC_ARRAY_MAX_COUNT.
+ * @param accept Array of Accept value.
+ *
+ * @return PJ_SUCCESS on success.
+Index: pjsip/src/pjsip/sip_endpoint.c
+===================================================================
+--- a/pjsip/src/pjsip/sip_endpoint.c (revision 5396)
++++ b/pjsip/src/pjsip/sip_endpoint.c (revision 5397)
+@@ -371,6 +371,7 @@
+
+ /* Check arguments. */
+ PJ_ASSERT_RETURN(endpt!=NULL && count>0 && tags, PJ_EINVAL);
++ PJ_ASSERT_RETURN(count <= PJSIP_GENERIC_ARRAY_MAX_COUNT, PJ_ETOOMANY);
+ PJ_ASSERT_RETURN(htype==PJSIP_H_ACCEPT ||
+ htype==PJSIP_H_ALLOW ||
+ htype==PJSIP_H_SUPPORTED,
+Index: pjsip/src/pjsip-simple/evsub.c
+===================================================================
+--- a/pjsip/src/pjsip-simple/evsub.c (revision 5396)
++++ b/pjsip/src/pjsip-simple/evsub.c (revision 5397)
+@@ -412,7 +412,9 @@
+ unsigned i;
+
+ PJ_ASSERT_RETURN(pkg_mod && event_name, PJ_EINVAL);
+- PJ_ASSERT_RETURN(accept_cnt < PJ_ARRAY_SIZE(pkg->pkg_accept->values),
++
++ /* Make sure accept_cnt < PJ_ARRAY_SIZE(pkg->pkg_accept->values) */
++ PJ_ASSERT_RETURN(accept_cnt <= PJSIP_GENERIC_ARRAY_MAX_COUNT,
+ PJ_ETOOMANY);
+
+ /* Make sure evsub module has been initialized */
diff --git a/third-party/pjproject/patches/0001-r5400-pjsip_tx_data_dec_ref.patch b/third-party/pjproject/patches/0001-r5400-pjsip_tx_data_dec_ref.patch
new file mode 100644
index 0000000..b5c11db
--- /dev/null
+++ b/third-party/pjproject/patches/0001-r5400-pjsip_tx_data_dec_ref.patch
@@ -0,0 +1,24 @@
+This patch fixes the issue in pjsip_tx_data_dec_ref()
+when tx_data_destroy can be called more than once,
+and checks if invalid value (e.g. NULL) is passed to.
+
+Index: pjsip/src/pjsip/sip_transport.c
+===================================================================
+--- a/pjsip/src/pjsip/sip_transport.c (revision 5399)
++++ b/pjsip/src/pjsip/sip_transport.c (revision 5400)
+@@ -491,8 +491,13 @@
+ */
+ PJ_DEF(pj_status_t) pjsip_tx_data_dec_ref( pjsip_tx_data *tdata )
+ {
+- pj_assert( pj_atomic_get(tdata->ref_cnt) > 0);
+- if (pj_atomic_dec_and_get(tdata->ref_cnt) <= 0) {
++ pj_atomic_value_t ref_cnt;
++
++ PJ_ASSERT_RETURN(tdata && tdata->ref_cnt, PJ_EINVAL);
++
++ ref_cnt = pj_atomic_dec_and_get(tdata->ref_cnt);
++ pj_assert( ref_cnt >= 0);
++ if (ref_cnt == 0) {
+ tx_data_destroy(tdata);
+ return PJSIP_EBUFDESTROYED;
+ } else {
--
To view, visit https://gerrit.asterisk.org/3364
To unsubscribe, visit https://gerrit.asterisk.org/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: I4c7a132b9664afaecbd6bf5ea4c951e43e273e40
Gerrit-PatchSet: 1
Gerrit-Project: asterisk
Gerrit-Branch: master
Gerrit-Owner: Alexei Gradinari <alex2grad at gmail.com>
Gerrit-Reviewer: Anonymous Coward #1000019
Gerrit-Reviewer: George Joseph <gjoseph at digium.com>
Gerrit-Reviewer: Joshua Colp <jcolp at digium.com>
More information about the asterisk-code-review
mailing list