From: David Vossel Date: Tue, 9 Feb 2010 22:55:38 +0000 (+0000) Subject: Fixes iaxs and iaxsl size off by one issue. X-Git-Tag: 1.4.30-rc3~38 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5a823cad50ae8db7774df863ae7bb3a55ee4d997;p=thirdparty%2Fasterisk.git Fixes iaxs and iaxsl size off by one issue. 2^15 = 32768 which is the maximum allowed iax2 callnumber. Creating the iaxs and iaxsl array of size 32768 means the maximum callnumber is actually out of bounds. This causes a nasty crash. (closes issue #15997) Reported by: exarv Patches: iax_fix.diff uploaded by dvossel (license 671) git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.4@245792 65c4cc65-6c06-0410-ace0-fbb531ad65f3 --- diff --git a/channels/chan_iax2.c b/channels/chan_iax2.c index ac58c7703d..f9f7255119 100644 --- a/channels/chan_iax2.c +++ b/channels/chan_iax2.c @@ -912,8 +912,8 @@ static void __attribute__((format(printf, 1, 2))) jb_debug_output(const char *fm ast_verbose("%s", buf); } -/* XXX We probably should use a mutex when working with this XXX */ -static struct chan_iax2_pvt *iaxs[IAX_MAX_CALLS]; +/* IAX_MAX_CALLS + 1 to avoid the off by one error case when accessing the max call number */ +static struct chan_iax2_pvt *iaxs[IAX_MAX_CALLS + 1]; static ast_mutex_t iaxsl[ARRAY_LEN(iaxs)]; /*! @@ -936,7 +936,7 @@ static struct ao2_container *iax_transfercallno_pvts; /* Flag to use with trunk calls, keeping these calls high up. It halves our effective use but keeps the division between trunked and non-trunked better. */ -#define TRUNK_CALL_START ARRAY_LEN(iaxs) / 2 +#define TRUNK_CALL_START IAX_MAX_CALLS / 2 static int maxtrunkcall = TRUNK_CALL_START; static int maxnontrunkcall = 1;