authorrussell <russell@f38db490-d61c-443f-a65b-d21fe96a405b>2007-07-17 20:45:27 +0000
committerrussell <russell@f38db490-d61c-443f-a65b-d21fe96a405b>2007-07-17 20:45:27 +0000
commit4c9df6e31f645075f68f03772cd2349fd5f4de37 (patch)
tree11d41aff9ddb9fb9cf8bc1e4677fcbe655ff331a
parent63e63a46448834f35ed2b498b1f5e88f6a138b56 (diff)
Ensure that when encoding the contents of an ast_frame into an iax_frame,
the size of the destination buffer is known in the iax_frame, so that code won't write past the end of the allocated buffer when sending outgoing frames. (ASA-2007-014)
git-svn-id: http://svn.digium.com/svn/asterisk/branches/1.2@75444 f38db490-d61c-443f-a65b-d21fe96a405b
-rw-r--r--channels/chan_iax2.c7
-rw-r--r--channels/iax2-parser.c12
-rw-r--r--channels/iax2-parser.h2
3 files changed, 17 insertions, 4 deletions
diff --git a/channels/chan_iax2.c b/channels/chan_iax2.c
index 6643974d2..dacc20e17 100644
--- a/channels/chan_iax2.c
+++ b/channels/chan_iax2.c
@@ -4020,7 +4020,9 @@ static int iax2_send(struct chan_iax2_pvt *pvt, struct ast_frame *f, unsigned in
int sendmini=0;
unsigned int lastsent;
unsigned int fts;
-
+
+ frb.fr2.afdatalen = sizeof(frb.buffer);
+
if (!pvt) {
ast_log(LOG_WARNING, "No private structure for packet?\n");
return -1;
@@ -6435,7 +6437,8 @@ static int socket_read(int *id, int fd, short events, void *cbdata)
/* allocate an iax_frame with 4096 bytes of data buffer */
fr = alloca(sizeof(*fr) + 4096);
fr->callno = 0;
-
+ fr->afdatalen = 4096; /* From alloca() above */
+
res = recvfrom(fd, buf, sizeof(buf), 0,(struct sockaddr *) &sin, &len);
if (res < 0) {
if (errno != ECONNREFUSED)
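Review bot: The literal 4096 now appears twice in socket_read, once in the `alloca()` size and once in the new `fr->afdatalen` assignment, and the bound that iax_frame_wrap enforces is only correct while the two agree. Deriving both from one named value, for example `enum { IAX_RX_DATALEN = 4096 };` (name constructed for this note) used as `alloca(sizeof(*fr) + IAX_RX_DATALEN)` and `fr->afdatalen = IAX_RX_DATALEN;`, stops the recorded size from drifting above the real allocation when one of them is edited. socket_read continues outside the hunk.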
diff --git a/channels/iax2-parser.c b/channels/iax2-parser.c
index 3ef80a39c..6db037455 100644
--- a/channels/iax2-parser.c
+++ b/channels/iax2-parser.c
@@ -904,13 +904,20 @@ void iax_frame_wrap(struct iax_frame *fr, struct ast_frame *f)
fr->af.delivery.tv_usec = 0;
fr->af.data = fr->afdata;
if (fr->af.datalen) {
+ size_t copy_len = fr->af.datalen;
+ if (copy_len > fr->afdatalen) {
+ ast_log(LOG_ERROR, "Losing frame data because destination buffer size '%d' bytes not big enough for '%d' bytes in the frame\n",
+ (int) fr->afdatalen, (int) fr->af.datalen);
+ copy_len = fr->afdatalen;
+ }
#if __BYTE_ORDER == __LITTLE_ENDIAN
/* We need to byte-swap slinear samples from network byte order */
if ((fr->af.frametype == AST_FRAME_VOICE) && (fr->af.subclass == AST_FORMAT_SLINEAR)) {
- ast_swapcopy_samples(fr->af.data, f->data, fr->af.samples);
+ /* 2 bytes / sample for SLINEAR */
+ ast_swapcopy_samples(fr->af.data, f->data, copy_len / 2);
} else
#endif
- memcpy(fr->af.data, f->data, fr->af.datalen);
+ memcpy(fr->af.data, f->data, copy_len);
}
}
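Review bot: When the clamp in iax_frame_wrap triggers, `fr->af.datalen` and `fr->af.samples` still describe the full, untruncated frame, although only `copy_len` bytes were written into `fr->afdata`. Any later code that sizes a read or a send from `fr->af.datalen` would then run past the allocated buffer, turning the prevented overwrite into an over-read; whether a caller does this is not visible here. Consider adding `fr->af.datalen = copy_len;` inside the `if (copy_len > fr->afdatalen)` branch, after the log call, and adjusting `fr->af.samples` to match for SLINEAR. The start of the function is outside the hunk.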
@@ -919,6 +926,7 @@ struct iax_frame *iax_frame_new(int direction, int datalen)
struct iax_frame *fr;
fr = malloc((int)sizeof(struct iax_frame) + datalen);
if (fr) {
+ fr->afdatalen = datalen;
fr->direction = direction;
fr->retrans = -1;
frames++;
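Review bot: `fr->afdatalen = datalen;` in iax_frame_new stores a signed `int` into a `size_t`, so a negative `datalen` would be recorded as a very large capacity and the new bound check in iax_frame_wrap would never fire for that frame. The `malloc()` on the line above would at the same time have been asked for less than `sizeof(struct iax_frame)`. A guard before the allocation, `if (datalen < 0) return NULL;`, keeps the recorded size and the real allocation in agreement. The rest of the function is outside the hunk, so the return convention should be checked against it.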
diff --git a/channels/iax2-parser.h b/channels/iax2-parser.h
index dd90682c2..50e04538e 100644
--- a/channels/iax2-parser.h
+++ b/channels/iax2-parser.h
@@ -119,6 +119,8 @@ struct iax_frame {
struct iax_frame *prev;
/* Actual, isolated frame header */
struct ast_frame af;
+ /* Amount of data _allocated_ for afdata */
+ size_t afdatalen;
unsigned char unused[AST_FRIENDLY_OFFSET];
unsigned char afdata[0]; /* Data for frame */
};
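Review bot: The comment on the new `afdatalen` field does not say that the bound check in iax_frame_wrap depends on every allocator of a `struct iax_frame` setting it. This commit sets it at three sites (iax2_send, socket_read, iax_frame_new), but any other place that builds a frame on the stack or by hand would leave it uninitialised, and the clamp would then compare against garbage. I would word the comment as `/* Bytes allocated for afdata; must be set by whoever allocates the frame, before iax_frame_wrap() is called */`. It is also worth auditing the rest of the tree for other `struct iax_frame` allocations, which are not visible in this diff.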