From: David Vossel Date: Tue, 9 Feb 2010 23:07:17 +0000 (+0000) Subject: Merged revisions 245792 via svnmerge from X-Git-Tag: 11.0.0-beta1~3458 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5be3d14c1156945681bf08268aee09566b2cbf74;p=thirdparty%2Fasterisk.git Merged revisions 245792 via svnmerge from https://origsvn.digium.com/svn/asterisk/branches/1.4 ........ r245792 | dvossel | 2010-02-09 16:55:38 -0600 (Tue, 09 Feb 2010) | 12 lines Fixes iaxs and iaxsl size off by one issue. 2^15 = 32768 which is the maximum allowed iax2 callnumber. Creating the iaxs and iaxsl array of size 32768 means the maximum callnumber is actually out of bounds. This causes a nasty crash. (closes issue #15997) Reported by: exarv Patches: iax_fix.diff uploaded by dvossel (license 671) ........ git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@245793 65c4cc65-6c06-0410-ace0-fbb531ad65f3 --- diff --git a/channels/chan_iax2.c b/channels/chan_iax2.c index ac093d65ad..47be416556 100644 --- a/channels/chan_iax2.c +++ b/channels/chan_iax2.c @@ -848,7 +848,7 @@ static const unsigned int CALLNO_POOL_BUCKETS = 2699; * * \note Contents protected by the iaxsl[] locks */ -static AST_LIST_HEAD_NOLOCK(, iax_frame) frame_queue[IAX_MAX_CALLS]; +static AST_LIST_HEAD_NOLOCK(, iax_frame) frame_queue[IAX_MAX_CALLS + 1]; static struct ast_taskprocessor *transmit_processor; @@ -1049,7 +1049,7 @@ static void signal_condition(ast_mutex_t *lock, ast_cond_t *cond) * based on the local call number. The local call number is used as the * index into the array where the associated pvt structure is stored. */ -static struct chan_iax2_pvt *iaxs[IAX_MAX_CALLS]; +static struct chan_iax2_pvt *iaxs[IAX_MAX_CALLS + 1]; /*! * \brief Another container of iax2_pvt structures