From: David Vossel Date: Tue, 9 Feb 2010 23:14:09 +0000 (+0000) Subject: Merged revisions 245793 via svnmerge from X-Git-Tag: 1.6.0.26-rc1~54 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=29cea378d9cb4126ef2a5b78f98d0f8b31ed39a9;p=thirdparty%2Fasterisk.git Merged revisions 245793 via svnmerge from https://origsvn.digium.com/svn/asterisk/trunk ................ r245793 | dvossel | 2010-02-09 17:07:17 -0600 (Tue, 09 Feb 2010) | 18 lines Merged revisions 245792 via svnmerge from https://origsvn.digium.com/svn/asterisk/branches/1.4 ........ r245792 | dvossel | 2010-02-09 16:55:38 -0600 (Tue, 09 Feb 2010) | 12 lines Fixes iaxs and iaxsl size off by one issue. 2^15 = 32768 which is the maximum allowed iax2 callnumber. Creating the iaxs and iaxsl array of size 32768 means the maximum callnumber is actually out of bounds. This causes a nasty crash. (closes issue #15997) Reported by: exarv Patches: iax_fix.diff uploaded by dvossel (license 671) ........ ................ git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.6.0@245796 65c4cc65-6c06-0410-ace0-fbb531ad65f3 --- diff --git a/channels/chan_iax2.c b/channels/chan_iax2.c index 502a529ad0..c5a48fa655 100644 --- a/channels/chan_iax2.c +++ b/channels/chan_iax2.c @@ -945,7 +945,7 @@ static void __attribute__((format (printf, 1, 2))) jb_debug_output(const char *f * based on the local call number. The local call number is used as the * index into the array where the associated pvt structure is stored. */ -static struct chan_iax2_pvt *iaxs[IAX_MAX_CALLS]; +static struct chan_iax2_pvt *iaxs[IAX_MAX_CALLS + 1]; /*! * \brief Another container of iax2_pvt structures @@ -976,7 +976,7 @@ static struct ao2_container *iax_transfercallno_pvts; /* Flag to use with trunk calls, keeping these calls high up. It halves our effective use but keeps the division between trunked and non-trunked better. */ -#define TRUNK_CALL_START ARRAY_LEN(iaxs) / 2 +#define TRUNK_CALL_START IAX_MAX_CALLS / 2 static int maxtrunkcall = TRUNK_CALL_START; static int maxnontrunkcall = 1;