diff options
author | russell <russell@f38db490-d61c-443f-a65b-d21fe96a405b> | 2007-07-17 20:48:21 +0000 |
---|---|---|
committer | russell <russell@f38db490-d61c-443f-a65b-d21fe96a405b> | 2007-07-17 20:48:21 +0000 |
commit | 0be7762369250d46c2646a09419115fe4bf9ca80 (patch) | |
tree | e33697377ae2c178f58853730a513acc37ce203f | |
parent | 07361072d4d1f2802920f9d01162494c9a9b14f0 (diff) |
Merged revisions 75444 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.2
........
r75444 | russell | 2007-07-17 15:45:27 -0500 (Tue, 17 Jul 2007) | 5 lines
Ensure that when encoding the contents of an ast_frame into an iax_frame, that
the size of the destination buffer is known in the iax_frame so that code
won't write past the end of the allocated buffer when sending outgoing frames.
(ASA-2007-014)
........
git-svn-id: http://svn.digium.com/svn/asterisk/branches/1.4@75445 f38db490-d61c-443f-a65b-d21fe96a405b
-rw-r--r-- | channels/chan_iax2.c | 9 | ||||
-rw-r--r-- | channels/iax2-parser.c | 21 | ||||
-rw-r--r-- | channels/iax2-parser.h | 2 |
3 files changed, 21 insertions, 11 deletions
diff --git a/channels/chan_iax2.c b/channels/chan_iax2.c index e9cf20e5f..e1dc0eb06 100644 --- a/channels/chan_iax2.c +++ b/channels/chan_iax2.c @@ -1121,10 +1121,10 @@ static struct iax_frame *iaxfrdup2(struct iax_frame *fr) { struct iax_frame *new = iax_frame_new(DIRECTION_INGRESS, fr->af.datalen, fr->cacheable); if (new) { - size_t mallocd_datalen = new->mallocd_datalen; + size_t afdatalen = new->afdatalen; memcpy(new, fr, sizeof(*new)); iax_frame_wrap(new, &fr->af); - new->mallocd_datalen = mallocd_datalen; + new->afdatalen = afdatalen; new->data = NULL; new->datalen = 0; new->direction = DIRECTION_INGRESS; @@ -3877,7 +3877,9 @@ static int iax2_send(struct chan_iax2_pvt *pvt, struct ast_frame *f, unsigned in int sendmini=0; unsigned int lastsent; unsigned int fts; - + + frb.fr2.afdatalen = sizeof(frb.buffer); + if (!pvt) { ast_log(LOG_WARNING, "No private structure for packet?\n"); return -1; @@ -6462,6 +6464,7 @@ static int socket_process(struct iax2_thread *thread) /* allocate an iax_frame with 4096 bytes of data buffer */ fr = alloca(sizeof(*fr) + 4096); fr->callno = 0; + fr->afdatalen = 4096; /* From alloca() above */ /* Copy frequently used parameters to the stack */ res = thread->buf_len; diff --git a/channels/iax2-parser.c b/channels/iax2-parser.c index 836054886..f9c3714db 100644 --- a/channels/iax2-parser.c +++ b/channels/iax2-parser.c @@ -931,13 +931,20 @@ void iax_frame_wrap(struct iax_frame *fr, struct ast_frame *f) fr->af.data = fr->afdata; fr->af.len = f->len; if (fr->af.datalen) { + size_t copy_len = fr->af.datalen; + if (copy_len > fr->afdatalen) { + ast_log(LOG_ERROR, "Losing frame data because destination buffer size '%d' bytes not big enough for '%d' bytes in the frame\n", + (int) fr->afdatalen, (int) fr->af.datalen); + copy_len = fr->afdatalen; + } #if __BYTE_ORDER == __LITTLE_ENDIAN /* We need to byte-swap slinear samples from network byte order */ if ((fr->af.frametype == AST_FRAME_VOICE) && (fr->af.subclass == AST_FORMAT_SLINEAR)) { - ast_swapcopy_samples(fr->af.data, f->data, fr->af.samples); + /* 2 bytes / sample for SLINEAR */ + ast_swapcopy_samples(fr->af.data, f->data, copy_len / 2); } else #endif - memcpy(fr->af.data, f->data, fr->af.datalen); + memcpy(fr->af.data, f->data, copy_len); } } @@ -951,11 +958,11 @@ struct iax_frame *iax_frame_new(int direction, int datalen, unsigned int cacheab /* Attempt to get a frame from this thread's cache */ if ((iax_frames = ast_threadstorage_get(&frame_cache, sizeof(*iax_frames)))) { AST_LIST_TRAVERSE_SAFE_BEGIN(iax_frames, fr, list) { - if (fr->mallocd_datalen >= datalen) { - size_t mallocd_datalen = fr->mallocd_datalen; + if (fr->afdatalen >= datalen) { + size_t afdatalen = fr->afdatalen; AST_LIST_REMOVE_CURRENT(iax_frames, list); memset(fr, 0, sizeof(*fr)); - fr->mallocd_datalen = mallocd_datalen; + fr->afdatalen = afdatalen; break; } } @@ -964,12 +971,12 @@ struct iax_frame *iax_frame_new(int direction, int datalen, unsigned int cacheab if (!fr) { if (!(fr = ast_calloc_cache(1, sizeof(*fr) + datalen))) return NULL; - fr->mallocd_datalen = datalen; + fr->afdatalen = datalen; } #else if (!(fr = ast_calloc(1, sizeof(*fr) + datalen))) return NULL; - fr->mallocd_datalen = datalen; + fr->afdatalen = datalen; #endif diff --git a/channels/iax2-parser.h b/channels/iax2-parser.h index 1b95d099f..0f3e18c00 100644 --- a/channels/iax2-parser.h +++ b/channels/iax2-parser.h @@ -123,7 +123,7 @@ struct iax_frame { /* Actual, isolated frame header */ struct ast_frame af; /*! Amount of space _allocated_ for data */ - size_t mallocd_datalen; + size_t afdatalen; unsigned char unused[AST_FRIENDLY_OFFSET]; unsigned char afdata[0]; /* Data for frame */ }; |