From: William King Date: Sun, 19 May 2013 00:34:16 +0000 (-0700) Subject: Coverity reported an Uninitialized pointer read. Upon further digging it appears... X-Git-Tag: v1.2.10~6 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f3393ef362707e00daa152c968b100d2ba9192ea;p=thirdparty%2Ffreeswitch.git Coverity reported an Uninitialized pointer read. Upon further digging it appears that there is a code path where incoming packets can come in out of order, so this section of code tries to see if it can find the missed packets. As per FS-5202 there is a case where under heavy load the packet exists, and has most of the packet parsed, but still has a NULL pointer for the packet buffer. These two lines would at least help detect the edge case. --- diff --git a/src/mod/applications/mod_spandsp/udptl.c b/src/mod/applications/mod_spandsp/udptl.c index b560410b7d..7d72cc16e9 100644 --- a/src/mod/applications/mod_spandsp/udptl.c +++ b/src/mod/applications/mod_spandsp/udptl.c @@ -74,6 +74,10 @@ static int decode_open_type(const uint8_t *buf, int limit, int *len, const uint8 if ((*len + octet_cnt) > limit) return -1; + /* Was told the buffer was large enough, but in reality it didn't exist. FS-5202 */ + if ( buf[*len] == NULL ) + return -1; + *pbuf = &buf[*len]; *len += octet_cnt; } @@ -159,7 +163,7 @@ int udptl_rx_packet(udptl_state_t *s, const uint8_t buf[], int len) const uint8_t *data; int msg_len; int repaired[16]; - const uint8_t *bufs[16]; + const uint8_t *bufs[16] = {0}; int lengths[16]; int span; int entries;
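Review bot: In the first hunk (decode_open_type), the added test `if ( buf[*len] == NULL )` does not check for a missing buffer. `buf` is declared `const uint8_t *buf`, so `buf[*len]` is a single octet and the comparison only asks whether that byte is zero. A NULL `buf` would be dereferenced by the check itself, and a valid open-type field whose first octet is 0x00 would now be rejected with -1. The preceding bounds test also lets `*len + octet_cnt == limit` through, so when `octet_cnt` is 0 this reads `buf[limit]`, one element past the stated limit. If the intent is to catch the FS-5202 case, test the pointer (`if (buf == NULL) return -1;`) before any indexing, ideally at function entry. The comment should also say which pointer was found to be NULL.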
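Review bot: In the second hunk (udptl_rx_packet), `const uint8_t *bufs[16] = {0};` makes the previously uninitialized entries NULL, but the neighbouring `int lengths[16];` and `int repaired[16];` are still declared without initializers. Any path that reads `lengths[i]` for a slot that was never filled still sees indeterminate data. Zero-initialize those arrays as well. Also confirm that every consumer of `bufs[i]` checks for NULL before use. Otherwise this change only turns an uninitialized read into a deterministic NULL dereference, and the commit message itself says the change only helps detect the edge case.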