<p>Kevin Harwell has uploaded this change for <strong>review</strong>.</p><p><a href="https://gerrit.asterisk.org/c/asterisk/+/11667">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">various modules: json integer overflow<br><br>There were still a few places in the code that could overflow when "packing"<br>a json object with a value outside the base type integer's range. For instance:<br><br>unsigned int value = INT_MAX + 1<br>ast_json_pack("{s: i}", value);<br><br>would result in a negative number being "packed". In those situations this patch<br>alters those values to a ast_json_int_t, which widens the value up to a long or<br>long long.<br><br>ASTERISK-28480<br><br>Change-Id: Ied530780d83e6f1772adba0e28d8938ef30c49a1<br>---<br>M apps/app_agent_pool.c<br>M apps/app_queue.c<br>M channels/chan_iax2.c<br>M funcs/func_talkdetect.c<br>M main/aoc.c<br>M main/ccss.c<br>M main/channel.c<br>M main/core_local.c<br>M main/rtp_engine.c<br>M main/stasis_channels.c<br>10 files changed, 38 insertions(+), 38 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/67/11667/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/apps/app_agent_pool.c b/apps/app_agent_pool.c</span><br><span>index 07040f6..b2068c1 100644</span><br><span>--- a/apps/app_agent_pool.c</span><br><span>+++ b/apps/app_agent_pool.c</span><br><span>@@ -1459,9 +1459,9 @@</span><br><span> </span><br><span> ast_assert(agent != NULL);</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">- blob = ast_json_pack("{s: s, s: i}",</span><br><span style="color: hsl(120, 100%, 40%);">+ blob = ast_json_pack("{s: s, s: I}",</span><br><span> "agent", agent,</span><br><span style="color: hsl(0, 100%, 40%);">- "logintime", logintime);</span><br><span style="color: hsl(120, 100%, 40%);">+ "logintime", (ast_json_int_t)logintime);</span><br><span> if (!blob) {</span><br><span> return;</span><br><span> }</span><br><span>diff --git a/apps/app_queue.c b/apps/app_queue.c</span><br><span>index c5508e3..53ae2ba 100644</span><br><span>--- a/apps/app_queue.c</span><br><span>+++ b/apps/app_queue.c</span><br><span>@@ -5679,12 +5679,12 @@</span><br><span> break;</span><br><span> }</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">- blob = ast_json_pack("{s: s, s: s, s: s, s: i, s: i, s: s}",</span><br><span style="color: hsl(120, 100%, 40%);">+ blob = ast_json_pack("{s: s, s: s, s: s, s: I, s: I, s: s}",</span><br><span> "Queue", queuename,</span><br><span> "Interface", member->interface,</span><br><span> "MemberName", member->membername,</span><br><span style="color: hsl(0, 100%, 40%);">- "HoldTime", (long)(callstart - holdstart),</span><br><span style="color: hsl(0, 100%, 40%);">- "TalkTime", (long)(time(NULL) - callstart),</span><br><span style="color: hsl(120, 100%, 40%);">+ "HoldTime", (ast_json_int_t)(callstart - holdstart),</span><br><span style="color: hsl(120, 100%, 40%);">+ "TalkTime", (ast_json_int_t)(time(NULL) - callstart),</span><br><span> "Reason", reason ?: "");</span><br><span> </span><br><span> queue_publish_multi_channel_snapshot_blob(ast_queue_topic(queuename), caller, peer,</span><br><span>@@ -6955,12 +6955,12 @@</span><br><span> ast_queue_log(queuename, ast_channel_uniqueid(qe->chan), member->membername, "CONNECT", "%ld|%s|%ld", (long) (time(NULL) - qe->start), ast_channel_uniqueid(peer),</span><br><span> (long)(orig - to > 0 ? (orig - to) / 1000 : 0));</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">- blob = ast_json_pack("{s: s, s: s, s: s, s: i, s: i}",</span><br><span style="color: hsl(120, 100%, 40%);">+ blob = ast_json_pack("{s: s, s: s, s: s, s: I, s: I}",</span><br><span> "Queue", queuename,</span><br><span> "Interface", member->interface,</span><br><span> "MemberName", member->membername,</span><br><span style="color: hsl(0, 100%, 40%);">- "HoldTime", (long) (time(NULL) - qe->start),</span><br><span style="color: hsl(0, 100%, 40%);">- "RingTime", (long)(orig - to > 0 ? (orig - to) / 1000 : 0));</span><br><span style="color: hsl(120, 100%, 40%);">+ "HoldTime", (ast_json_int_t)(time(NULL) - qe->start),</span><br><span style="color: hsl(120, 100%, 40%);">+ "RingTime", (ast_json_int_t)(orig - to > 0 ? (orig - to) / 1000 : 0));</span><br><span> queue_publish_multi_channel_blob(qe->chan, peer, queue_agent_connect_type(), blob);</span><br><span> </span><br><span> ast_copy_string(oldcontext, ast_channel_context(qe->chan), sizeof(oldcontext));</span><br><span>diff --git a/channels/chan_iax2.c b/channels/chan_iax2.c</span><br><span>index 43f7d2c..3bf06d0 100644</span><br><span>--- a/channels/chan_iax2.c</span><br><span>+++ b/channels/chan_iax2.c</span><br><span>@@ -11137,18 +11137,18 @@</span><br><span> if (iaxs[fr->callno]->pingtime <= peer->maxms) {</span><br><span> ast_log(LOG_NOTICE, "Peer '%s' is now REACHABLE! Time: %u\n", peer->name, iaxs[fr->callno]->pingtime);</span><br><span> ast_endpoint_set_state(peer->endpoint, AST_ENDPOINT_ONLINE);</span><br><span style="color: hsl(0, 100%, 40%);">- blob = ast_json_pack("{s: s, s: i}",</span><br><span style="color: hsl(120, 100%, 40%);">+ blob = ast_json_pack("{s: s, s: I}",</span><br><span> "peer_status", "Reachable",</span><br><span style="color: hsl(0, 100%, 40%);">- "time", iaxs[fr->callno]->pingtime);</span><br><span style="color: hsl(120, 100%, 40%);">+ "time", (ast_json_int_t)iaxs[fr->callno]->pingtime);</span><br><span> ast_devstate_changed(AST_DEVICE_NOT_INUSE, AST_DEVSTATE_CACHABLE, "IAX2/%s", peer->name); /* Activate notification */</span><br><span> }</span><br><span> } else if ((peer->historicms > 0) && (peer->historicms <= peer->maxms)) {</span><br><span> if (iaxs[fr->callno]->pingtime > peer->maxms) {</span><br><span> ast_log(LOG_NOTICE, "Peer '%s' is now TOO LAGGED (%u ms)!\n", peer->name, iaxs[fr->callno]->pingtime);</span><br><span> ast_endpoint_set_state(peer->endpoint, AST_ENDPOINT_ONLINE);</span><br><span style="color: hsl(0, 100%, 40%);">- blob = ast_json_pack("{s: s, s: i}",</span><br><span style="color: hsl(120, 100%, 40%);">+ blob = ast_json_pack("{s: s, s: I}",</span><br><span> "peer_status", "Lagged",</span><br><span style="color: hsl(0, 100%, 40%);">- "time", iaxs[fr->callno]->pingtime);</span><br><span style="color: hsl(120, 100%, 40%);">+ "time", (ast_json_int_t)iaxs[fr->callno]->pingtime);</span><br><span> ast_devstate_changed(AST_DEVICE_UNAVAILABLE, AST_DEVSTATE_CACHABLE, "IAX2/%s", peer->name); /* Activate notification */</span><br><span> }</span><br><span> }</span><br><span>diff --git a/funcs/func_talkdetect.c b/funcs/func_talkdetect.c</span><br><span>index 9700a24..3a7b2ad 100644</span><br><span>--- a/funcs/func_talkdetect.c</span><br><span>+++ b/funcs/func_talkdetect.c</span><br><span>@@ -205,7 +205,7 @@</span><br><span> int64_t diff_ms = ast_tvdiff_ms(ast_tvnow(), td_params->talking_start);</span><br><span> diff_ms -= td_params->dsp_silence_threshold;</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">- blob = ast_json_pack("{s: i}", "duration", diff_ms);</span><br><span style="color: hsl(120, 100%, 40%);">+ blob = ast_json_pack("{s: I}", "duration", (ast_json_int_t)diff_ms);</span><br><span> if (!blob) {</span><br><span> return 1;</span><br><span> }</span><br><span>diff --git a/main/aoc.c b/main/aoc.c</span><br><span>index 725e910..c797610 100644</span><br><span>--- a/main/aoc.c</span><br><span>+++ b/main/aoc.c</span><br><span>@@ -1739,13 +1739,13 @@</span><br><span> decoded->aoc_s_entries[i].rate.duration.amount,</span><br><span> decoded->aoc_s_entries[i].rate.duration.multiplier);</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">- time = ast_json_pack("{s:i, s:i}",</span><br><span style="color: hsl(0, 100%, 40%);">- "Length", decoded->aoc_s_entries[i].rate.duration.time,</span><br><span style="color: hsl(120, 100%, 40%);">+ time = ast_json_pack("{s:I, s:i}",</span><br><span style="color: hsl(120, 100%, 40%);">+ "Length", (ast_json_int_t)decoded->aoc_s_entries[i].rate.duration.time,</span><br><span> "Scale", decoded->aoc_s_entries[i].rate.duration.time_scale);</span><br><span> </span><br><span> if (decoded->aoc_s_entries[i].rate.duration.granularity_time) {</span><br><span style="color: hsl(0, 100%, 40%);">- granularity = ast_json_pack("{s:i, s:i}",</span><br><span style="color: hsl(0, 100%, 40%);">- "Length", decoded->aoc_s_entries[i].rate.duration.granularity_time,</span><br><span style="color: hsl(120, 100%, 40%);">+ granularity = ast_json_pack("{s:I, s:i}",</span><br><span style="color: hsl(120, 100%, 40%);">+ "Length", (ast_json_int_t)decoded->aoc_s_entries[i].rate.duration.granularity_time,</span><br><span> "Scale", decoded->aoc_s_entries[i].rate.duration.granularity_time_scale);</span><br><span> }</span><br><span> </span><br><span>diff --git a/main/ccss.c b/main/ccss.c</span><br><span>index 205dc1b..b27287e 100644</span><br><span>--- a/main/ccss.c</span><br><span>+++ b/main/ccss.c</span><br><span>@@ -1082,9 +1082,9 @@</span><br><span> {</span><br><span> struct ast_json *extras;</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">- extras = ast_json_pack("{s: s, s: i}",</span><br><span style="color: hsl(120, 100%, 40%);">+ extras = ast_json_pack("{s: s, s: I}",</span><br><span> "caller", caller,</span><br><span style="color: hsl(0, 100%, 40%);">- "expires", expires);</span><br><span style="color: hsl(120, 100%, 40%);">+ "expires", (ast_json_int_t)expires);</span><br><span> </span><br><span> cc_publish(ast_cc_offertimerstart_type(), core_id, extras);</span><br><span> ast_json_unref(extras);</span><br><span>diff --git a/main/channel.c b/main/channel.c</span><br><span>index e95eac0..ff25c98 100644</span><br><span>--- a/main/channel.c</span><br><span>+++ b/main/channel.c</span><br><span>@@ -3688,10 +3688,10 @@</span><br><span> RAII_VAR(struct ast_json *, blob, NULL, ast_json_unref);</span><br><span> char digit_str[] = { digit, '\0' };</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">- blob = ast_json_pack("{ s: s, s: s, s: i }",</span><br><span style="color: hsl(120, 100%, 40%);">+ blob = ast_json_pack("{ s: s, s: s, s: I }",</span><br><span> "digit", digit_str,</span><br><span> "direction", dtmf_direction_to_string(direction),</span><br><span style="color: hsl(0, 100%, 40%);">- "duration_ms", duration_ms);</span><br><span style="color: hsl(120, 100%, 40%);">+ "duration_ms", (ast_json_int_t)duration_ms);</span><br><span> if (!blob) {</span><br><span> return;</span><br><span> }</span><br><span>diff --git a/main/core_local.c b/main/core_local.c</span><br><span>index 12e41f9..59c789a 100644</span><br><span>--- a/main/core_local.c</span><br><span>+++ b/main/core_local.c</span><br><span>@@ -416,8 +416,8 @@</span><br><span> return;</span><br><span> }</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">- json_object = ast_json_pack("{s: i, s: i}",</span><br><span style="color: hsl(0, 100%, 40%);">- "dest", dest, "id", id);</span><br><span style="color: hsl(120, 100%, 40%);">+ json_object = ast_json_pack("{s: i, s: I}",</span><br><span style="color: hsl(120, 100%, 40%);">+ "dest", dest, "id", (ast_json_int_t)id);</span><br><span> </span><br><span> if (!json_object) {</span><br><span> return;</span><br><span>@@ -458,7 +458,7 @@</span><br><span> return;</span><br><span> }</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">- json_object = ast_json_pack("{s: i, s: i}", "success", success, "id", id);</span><br><span style="color: hsl(120, 100%, 40%);">+ json_object = ast_json_pack("{s: i, s: I}", "success", success, "id", (ast_json_int_t)id);</span><br><span> </span><br><span> if (!json_object) {</span><br><span> return;</span><br><span>diff --git a/main/rtp_engine.c b/main/rtp_engine.c</span><br><span>index e1a1e0b..c56ec5f 100644</span><br><span>--- a/main/rtp_engine.c</span><br><span>+++ b/main/rtp_engine.c</span><br><span>@@ -2535,14 +2535,14 @@</span><br><span> char str_lsr[32];</span><br><span> </span><br><span> snprintf(str_lsr, sizeof(str_lsr), "%u", payload->report->report_block[i]->lsr);</span><br><span style="color: hsl(0, 100%, 40%);">- json_report_block = ast_json_pack("{s: I, s: i, s: i, s: i, s: i, s: s, s: i}",</span><br><span style="color: hsl(120, 100%, 40%);">+ json_report_block = ast_json_pack("{s: I, s: I, s: I, s: I, s: I, s: s, s: I}",</span><br><span> "source_ssrc", (ast_json_int_t)payload->report->report_block[i]->source_ssrc,</span><br><span style="color: hsl(0, 100%, 40%);">- "fraction_lost", payload->report->report_block[i]->lost_count.fraction,</span><br><span style="color: hsl(0, 100%, 40%);">- "packets_lost", payload->report->report_block[i]->lost_count.packets,</span><br><span style="color: hsl(0, 100%, 40%);">- "highest_seq_no", payload->report->report_block[i]->highest_seq_no,</span><br><span style="color: hsl(0, 100%, 40%);">- "ia_jitter", payload->report->report_block[i]->ia_jitter,</span><br><span style="color: hsl(120, 100%, 40%);">+ "fraction_lost", (ast_json_int_t)payload->report->report_block[i]->lost_count.fraction,</span><br><span style="color: hsl(120, 100%, 40%);">+ "packets_lost", (ast_json_int_t)payload->report->report_block[i]->lost_count.packets,</span><br><span style="color: hsl(120, 100%, 40%);">+ "highest_seq_no", (ast_json_int_t)payload->report->report_block[i]->highest_seq_no,</span><br><span style="color: hsl(120, 100%, 40%);">+ "ia_jitter", (ast_json_int_t)payload->report->report_block[i]->ia_jitter,</span><br><span> "lsr", str_lsr,</span><br><span style="color: hsl(0, 100%, 40%);">- "dlsr", payload->report->report_block[i]->dlsr);</span><br><span style="color: hsl(120, 100%, 40%);">+ "dlsr", (ast_json_int_t)payload->report->report_block[i]->dlsr);</span><br><span> if (!json_report_block</span><br><span> || ast_json_array_append(json_rtcp_report_blocks, json_report_block)) {</span><br><span> ast_json_unref(json_rtcp_report_blocks);</span><br><span>@@ -2556,21 +2556,21 @@</span><br><span> </span><br><span> snprintf(sec, sizeof(sec), "%lu", (unsigned long)payload->report->sender_information.ntp_timestamp.tv_sec);</span><br><span> snprintf(usec, sizeof(usec), "%lu", (unsigned long)payload->report->sender_information.ntp_timestamp.tv_usec);</span><br><span style="color: hsl(0, 100%, 40%);">- json_rtcp_sender_info = ast_json_pack("{s: s, s: s, s: i, s: i, s: i}",</span><br><span style="color: hsl(120, 100%, 40%);">+ json_rtcp_sender_info = ast_json_pack("{s: s, s: s, s: I, s: I, s: I}",</span><br><span> "ntp_timestamp_sec", sec,</span><br><span> "ntp_timestamp_usec", usec,</span><br><span style="color: hsl(0, 100%, 40%);">- "rtp_timestamp", payload->report->sender_information.rtp_timestamp,</span><br><span style="color: hsl(0, 100%, 40%);">- "packets", payload->report->sender_information.packet_count,</span><br><span style="color: hsl(0, 100%, 40%);">- "octets", payload->report->sender_information.octet_count);</span><br><span style="color: hsl(120, 100%, 40%);">+ "rtp_timestamp", (ast_json_int_t)payload->report->sender_information.rtp_timestamp,</span><br><span style="color: hsl(120, 100%, 40%);">+ "packets", (ast_json_int_t)payload->report->sender_information.packet_count,</span><br><span style="color: hsl(120, 100%, 40%);">+ "octets", (ast_json_int_t)payload->report->sender_information.octet_count);</span><br><span> if (!json_rtcp_sender_info) {</span><br><span> ast_json_unref(json_rtcp_report_blocks);</span><br><span> return NULL;</span><br><span> }</span><br><span> }</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">- json_rtcp_report = ast_json_pack("{s: I, s: i, s: i, s: o, s: o}",</span><br><span style="color: hsl(120, 100%, 40%);">+ json_rtcp_report = ast_json_pack("{s: I, s: I, s: i, s: o, s: o}",</span><br><span> "ssrc", (ast_json_int_t)payload->report->ssrc,</span><br><span style="color: hsl(0, 100%, 40%);">- "type", payload->report->type,</span><br><span style="color: hsl(120, 100%, 40%);">+ "type", (ast_json_int_t)payload->report->type,</span><br><span> "report_count", payload->report->reception_report_count,</span><br><span> "sender_information", json_rtcp_sender_info ?: ast_json_null(),</span><br><span> "report_blocks", json_rtcp_report_blocks);</span><br><span>diff --git a/main/stasis_channels.c b/main/stasis_channels.c</span><br><span>index cc7ab7d..58d52bf 100644</span><br><span>--- a/main/stasis_channels.c</span><br><span>+++ b/main/stasis_channels.c</span><br><span>@@ -1111,11 +1111,11 @@</span><br><span> return NULL;</span><br><span> }</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">- return ast_json_pack("{s: s, s: o, s: s, s: i, s: o}",</span><br><span style="color: hsl(120, 100%, 40%);">+ return ast_json_pack("{s: s, s: o, s: s, s: I, s: o}",</span><br><span> "type", "ChannelDtmfReceived",</span><br><span> "timestamp", ast_json_timeval(*tv, NULL),</span><br><span> "digit", digit,</span><br><span style="color: hsl(0, 100%, 40%);">- "duration_ms", duration_ms,</span><br><span style="color: hsl(120, 100%, 40%);">+ "duration_ms", (ast_json_int_t)duration_ms,</span><br><span> "channel", json_channel);</span><br><span> }</span><br><span> </span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.asterisk.org/c/asterisk/+/11667">change 11667</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.asterisk.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.asterisk.org/c/asterisk/+/11667"/><meta itemprop="name" content="View Change"/></div></div>
<div style="display:none"> Gerrit-Project: asterisk </div>
<div style="display:none"> Gerrit-Branch: 13 </div>
<div style="display:none"> Gerrit-Change-Id: Ied530780d83e6f1772adba0e28d8938ef30c49a1 </div>
<div style="display:none"> Gerrit-Change-Number: 11667 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: Kevin Harwell <kharwell@digium.com> </div>
<div style="display:none"> Gerrit-MessageType: newchange </div>