Don't read past end of input when calling write()

int blah = 1; ... write(chan->alertpipe[1], &blah, new_frames * sizeof(blah)) != (new_frames * sizeof(blah))) is only valid when new_frames == 1. Otherwise we start reading into adjacent variables declared on the stack. The read end discards what is read, so the values don't matter but it's not a good idea to read past where we want even though new_frames is almost always 1 and should never be large. This patch is basically taken out of kpfleming's eventfd branch, as he mentioned that he remembered fixing it there when I talked to him about this issue. Review: https://reviewboard.asterisk.org/r/1583/ git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@345163 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2025-10-31 02:37:10 +00:00 · 2011-11-14 19:05:09 +00:00
parent f1762a4633
commit d12db0c76b
1 changed files with 4 additions and 2 deletions
--- a/main/channel.c
+++ b/main/channel.c
@@ -1400,7 +1400,6 @@ static int __ast_queue_frame(struct ast_channel *chan, struct ast_frame *fin, in
 {
 	struct ast_frame *f;
 	struct ast_frame *cur;
-	int blah = 1;
 	unsigned int new_frames = 0;
 	unsigned int new_voice_frames = 0;
 	unsigned int queued_frames = 0;
@@ -1499,7 +1498,10 @@ static int __ast_queue_frame(struct ast_channel *chan, struct ast_frame *fin, in
 	}

 	if (chan->alertpipe[1] > -1) {
-		if (write(chan->alertpipe[1], &blah, new_frames * sizeof(blah)) != (new_frames * sizeof(blah))) {
+		int blah[new_frames];
+
+		memset(blah, 1, sizeof(blah));
+		if (write(chan->alertpipe[1], &blah, sizeof(blah)) != (sizeof(blah))) {
 			ast_log(LOG_WARNING, "Unable to write to alert pipe on %s (qlen = %d): %s!\n",
 				chan->name, queued_frames, strerror(errno));
 		}