diff options
| author | russell <russell@f38db490-d61c-443f-a65b-d21fe96a405b> | 2010-06-09 21:13:30 +0000 |
|---|---|---|
| committer | russell <russell@f38db490-d61c-443f-a65b-d21fe96a405b> | 2010-06-09 21:13:30 +0000 |
| commit | 912a2d74329263cf3673177d20e3ffdcfc5fd420 (patch) | |
| tree | 73b5e68cc7e8e918c0abddd427d57a6d5c8808aa | |
| parent | 68dadecc723c6fb8f8ab922c4274c9b2e03b25f6 (diff) | |
Merged revisions 269417 via svnmerge from
https://origsvn.digium.com/svn/asterisk/trunk
........
r269417 | russell | 2010-06-09 16:11:43 -0500 (Wed, 09 Jun 2010) | 6 lines
Resolve an invalid memory read on an event.
Valgrind pointed out that attempting to get an IE value from an event that has
no IEs produces an invalid memory read past the end of the event. Thanks to
mmichelson for pointing the problem out to me and then testing the fix.
........
git-svn-id: http://svn.digium.com/svn/asterisk/branches/1.6.2@269418 f38db490-d61c-443f-a65b-d21fe96a405b
| -rw-r--r-- | include/asterisk/event.h | 5 | ||||
| -rw-r--r-- | main/event.c | 19 |
2 files changed, 17 insertions, 7 deletions
diff --git a/include/asterisk/event.h b/include/asterisk/event.h index e7d0f7e2f..78926c74e 100644 --- a/include/asterisk/event.h +++ b/include/asterisk/event.h @@ -590,9 +590,10 @@ size_t ast_event_get_size(const struct ast_event *event); * \param iterator The iterator instance to initialize * \param event The event that will be iterated through * - * \return Nothing + * \retval 0 Success, there are IEs available to iterate + * \retval -1 Failure, there are no IEs in the event to iterate */ -void ast_event_iterator_init(struct ast_event_iterator *iterator, const struct ast_event *event); +int ast_event_iterator_init(struct ast_event_iterator *iterator, const struct ast_event *event); /*! * \brief Move iterator instance to next IE diff --git a/main/event.c b/main/event.c index 60dde3bb2..f83a15c6f 100644 --- a/main/event.c +++ b/main/event.c @@ -809,12 +809,20 @@ struct ast_event_sub *ast_event_unsubscribe(struct ast_event_sub *sub) return NULL; } -void ast_event_iterator_init(struct ast_event_iterator *iterator, const struct ast_event *event) +int ast_event_iterator_init(struct ast_event_iterator *iterator, const struct ast_event *event) { + int res = 0; + iterator->event_len = ntohs(event->event_len); iterator->event = event; - iterator->ie = (struct ast_event_ie *) ( ((char *) event) + sizeof(*event) ); - return; + if (iterator->event_len >= sizeof(*event) + sizeof(struct ast_event_ie)) { + iterator->ie = (struct ast_event_ie *) ( ((char *) event) + sizeof(*event) ); + } else { + iterator->ie = NULL; + res = -1; + } + + return res; } int ast_event_iterator_next(struct ast_event_iterator *iterator) @@ -884,9 +892,10 @@ const void *ast_event_get_ie_raw(const struct ast_event *event, enum ast_event_i struct ast_event_iterator iterator; int res = 0; - for (ast_event_iterator_init(&iterator, event); !res; res = ast_event_iterator_next(&iterator)) { - if (ast_event_iterator_get_ie_type(&iterator) == ie_type) + for (res = ast_event_iterator_init(&iterator, event); !res; res = ast_event_iterator_next(&iterator)) { + if (ast_event_iterator_get_ie_type(&iterator) == ie_type) { return ast_event_iterator_get_ie_raw(&iterator); + } } return NULL; |