From: Terry Wilson
Date: Mon, 14 Nov 2011 19:10:13 +0000 (+0000)
Subject: Don't read past end of input when calling write()
X-Git-Tag: 10.1.0-rc1~84
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8a42e7ba418f099d36f22f35baed35c60538444b;p=thirdparty%2Fasterisk.git

Don't read past end of input when calling write()

int blah = 1;
...
write(chan->alertpipe[1], &blah, new_frames * sizeof(blah)) != (new_frames * sizeof(blah)))

is only valid when new_frames == 1. Otherwise we start reading into
adjacent variables declared on the stack. The read end discards what is
read, so the values don't matter but it's not a good idea to read past
where we want even though new_frames is almost always 1 and should never
be large.

This patch is basically taken out of kpfleming's eventfd branch, as he
mentioned that he remembered fixing it there when I talked to him about
this issue.

Review: https://reviewboard.asterisk.org/r/1583/
........

Merged revisions 345163 from http://svn.asterisk.org/svn/asterisk/branches/1.8

git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/10@345164 65c4cc65-6c06-0410-ace0-fbb531ad65f3
---
diff --git a/main/channel.c b/main/channel.c index 0f61866ee8..bb1bd4e7cc 100644 --- a/main/channel.c +++ b/main/channel.c @@ -1413,7 +1413,6 @@ static int __ast_queue_frame(struct ast_channel *chan, struct ast_frame *fin, in { struct ast_frame *f; struct ast_frame *cur; - int blah = 1; unsigned int new_frames = 0; unsigned int new_voice_frames = 0; unsigned int queued_frames = 0; 
@@ -1512,7 +1511,10 @@ static int __ast_queue_frame(struct ast_channel *chan, struct ast_frame *fin, in } if (chan->alertpipe[1] > -1) { - if (write(chan->alertpipe[1], &blah, new_frames * sizeof(blah)) != (new_frames * sizeof(blah))) { + int blah[new_frames]; + + memset(blah, 1, sizeof(blah)); + if (write(chan->alertpipe[1], &blah, sizeof(blah)) != (sizeof(blah))) { ast_log(LOG_WARNING, "Unable to write to alert pipe on %s (qlen = %d): %s!\n", chan->name, queued_frames, strerror(errno)); }
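
Review bot: in the second hunk (`@@ -1512,7 +1511,10 @@`), `int blah[new_frames];` is a variable-length array sized by a runtime counter, and no bound or zero check on `new_frames` is visible in this hunk. If `new_frames` can be 0 when this branch runs, a zero-length VLA is undefined behaviour in C, and a large count grows the stack by `new_frames * sizeof(int)`; guarding the branch with `new_frames > 0` and either capping the count or writing a single `int` in a loop `new_frames` times would avoid both. Two smaller points on the same lines: `memset(blah, 1, sizeof(blah))` sets every byte to 0x01, so each element is 0x01010101 rather than 1, which is harmless only because the commit message says the read end discards the data, and that deserves a code comment; and `&blah` can be plain `blah`, while the `write()` return value (an `ssize_t`) is compared against an unsigned `sizeof`, which catches -1 only through implicit conversion and would read more clearly with a local `ssize_t` and an explicit check.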