diff options
author | russell <russell@f38db490-d61c-443f-a65b-d21fe96a405b> | 2007-07-17 20:45:27 +0000 |
---|---|---|
committer | russell <russell@f38db490-d61c-443f-a65b-d21fe96a405b> | 2007-07-17 20:45:27 +0000 |
commit | 4c9df6e31f645075f68f03772cd2349fd5f4de37 (patch) | |
tree | 11d41aff9ddb9fb9cf8bc1e4677fcbe655ff331a /channels | |
parent | 63e63a46448834f35ed2b498b1f5e88f6a138b56 (diff) |
Ensure that when encoding the contents of an ast_frame into an iax_frame, that
the size of the destination buffer is known in the iax_frame so that code
won't write past the end of the allocated buffer when sending outgoing frames.
(ASA-2007-014)
git-svn-id: http://svn.digium.com/svn/asterisk/branches/1.2@75444 f38db490-d61c-443f-a65b-d21fe96a405b
Diffstat (limited to 'channels')
-rw-r--r-- | channels/chan_iax2.c | 7 | ||||
-rw-r--r-- | channels/iax2-parser.c | 12 | ||||
-rw-r--r-- | channels/iax2-parser.h | 2 |
3 files changed, 17 insertions, 4 deletions
diff --git a/channels/chan_iax2.c b/channels/chan_iax2.c index 6643974d2..dacc20e17 100644 --- a/channels/chan_iax2.c +++ b/channels/chan_iax2.c @@ -4020,7 +4020,9 @@ static int iax2_send(struct chan_iax2_pvt *pvt, struct ast_frame *f, unsigned in int sendmini=0; unsigned int lastsent; unsigned int fts; - + + frb.fr2.afdatalen = sizeof(frb.buffer); + if (!pvt) { ast_log(LOG_WARNING, "No private structure for packet?\n"); return -1; @@ -6435,7 +6437,8 @@ static int socket_read(int *id, int fd, short events, void *cbdata) /* allocate an iax_frame with 4096 bytes of data buffer */ fr = alloca(sizeof(*fr) + 4096); fr->callno = 0; - + fr->afdatalen = 4096; /* From alloca() above */ + res = recvfrom(fd, buf, sizeof(buf), 0,(struct sockaddr *) &sin, &len); if (res < 0) { if (errno != ECONNREFUSED) diff --git a/channels/iax2-parser.c b/channels/iax2-parser.c index 3ef80a39c..6db037455 100644 --- a/channels/iax2-parser.c +++ b/channels/iax2-parser.c @@ -904,13 +904,20 @@ void iax_frame_wrap(struct iax_frame *fr, struct ast_frame *f) fr->af.delivery.tv_usec = 0; fr->af.data = fr->afdata; if (fr->af.datalen) { + size_t copy_len = fr->af.datalen; + if (copy_len > fr->afdatalen) { + ast_log(LOG_ERROR, "Losing frame data because destination buffer size '%d' bytes not big enough for '%d' bytes in the frame\n", + (int) fr->afdatalen, (int) fr->af.datalen); + copy_len = fr->afdatalen; + } #if __BYTE_ORDER == __LITTLE_ENDIAN /* We need to byte-swap slinear samples from network byte order */ if ((fr->af.frametype == AST_FRAME_VOICE) && (fr->af.subclass == AST_FORMAT_SLINEAR)) { - ast_swapcopy_samples(fr->af.data, f->data, fr->af.samples); + /* 2 bytes / sample for SLINEAR */ + ast_swapcopy_samples(fr->af.data, f->data, copy_len / 2); } else #endif - memcpy(fr->af.data, f->data, fr->af.datalen); + memcpy(fr->af.data, f->data, copy_len); } } @@ -919,6 +926,7 @@ struct iax_frame *iax_frame_new(int direction, int datalen) struct iax_frame *fr; fr = malloc((int)sizeof(struct iax_frame) + datalen); if (fr) { + fr->afdatalen = datalen; fr->direction = direction; fr->retrans = -1; frames++; diff --git a/channels/iax2-parser.h b/channels/iax2-parser.h index dd90682c2..50e04538e 100644 --- a/channels/iax2-parser.h +++ b/channels/iax2-parser.h @@ -119,6 +119,8 @@ struct iax_frame { struct iax_frame *prev; /* Actual, isolated frame header */ struct ast_frame af; + /* Amount of data _allocated_ for afdata */ + size_t afdatalen; unsigned char unused[AST_FRIENDLY_OFFSET]; unsigned char afdata[0]; /* Data for frame */ }; |