Prevent crashes from occurring when reading from data sources with large values

author Matthew Jordan <mjordan@digium.com>

Wed, 2 Jan 2013 22:10:32 +0000 (22:10 +0000)

committer Matthew Jordan <mjordan@digium.com>

Wed, 2 Jan 2013 22:10:32 +0000 (22:10 +0000)
author Matthew Jordan <mjordan@digium.com>
Wed, 2 Jan 2013 22:10:32 +0000 (22:10 +0000)
committer Matthew Jordan <mjordan@digium.com>
Wed, 2 Jan 2013 22:10:32 +0000 (22:10 +0000)
diff --git a/funcs/func_realtime.c b/funcs/func_realtime.c

index bd4b37d..886b5b4 100644 (file)
--- a/funcs/func_realtime.c
+++ b/funcs/func_realtime.c
@@ -219,6 +219,13 @@ static int function_realtime_read(struct ast_channel *chan, const char *cmd, cha
         /* add space for delimiters and final '\0' */
         resultslen += n * (strlen(args.delim1) + strlen(args.delim2)) + 1;
  
+       if (resultslen > len) {
+               ast_log(LOG_WARNING, "Failed to fetch. Realtime data is too large: need %zu, have %zu.\n", resultslen, len);
+               return -1;
+       }
+
+       /* len is going to be sensible, so we don't need to check for stack
+        * overflows here. */
         out = ast_str_alloca(resultslen);
         for (var = head; var; var = var->next)
                 ast_str_append(&out, 0, "%s%s%s%s", var->name, args.delim2, var->value, args.delim1);
@@ -439,6 +446,16 @@ static int function_realtime_readdestroy(struct ast_channel *chan, const char *c
         /* add space for delimiters and final '\0' */
         resultslen += n * (strlen(args.delim1) + strlen(args.delim2)) + 1;
  
+       if (resultslen > len) {
+               /* Unfortunately this does mean that we cannot destroy the row
+                * anymore. But OTOH, we're not destroying someones data without
+                * giving him the chance to look at it. */
+               ast_log(LOG_WARNING, "Failed to fetch/destroy. Realtime data is too large: need %zu, have %zu.\n", resultslen, len);
+               return -1;
+       }
+
+       /* len is going to be sensible, so we don't need to check for stack
+        * overflows here. */
         out = ast_str_alloca(resultslen);
         for (var = head; var; var = var->next) {
                 ast_str_append(&out, 0, "%s%s%s%s", var->name, args.delim2, var->value, args.delim1);
diff --git a/main/config.c b/main/config.c

index f56421e..cf2b84c 100644 (file)
--- a/main/config.c
+++ b/main/config.c
@@ -1646,6 +1646,17 @@ static struct ast_config *config_text_file_load(const char *database, const char
                 while (!feof(f)) {
                         lineno++;
                         if (fgets(buf, sizeof(buf), f)) {
+                               /* Skip lines that are too long */
+                               if (strlen(buf) == sizeof(buf) - 1 && buf[sizeof(buf) - 1] != '\n') {
+                                       ast_log(LOG_WARNING, "Line %d too long, skipping. It begins with: %.32s...\n", lineno, buf);
+                                       while (fgets(buf, sizeof(buf), f)) {
+                                               if (strlen(buf) != sizeof(buf) - 1 || buf[sizeof(buf) - 1] == '\n') {
+                                                       break;
+                                               }
+                                       }
+                                       continue;
+                               }
+
                                 if (ast_test_flag(&flags, CONFIG_FLAG_WITHCOMMENTS) && lline_buffer && ast_str_strlen(lline_buffer)) {
                                         CB_ADD(&comment_buffer, ast_str_buffer(lline_buffer));       /* add the current lline buffer to the comment buffer */
                                         ast_str_reset(lline_buffer);        /* erase the lline buffer */
author	Matthew Jordan <mjordan@digium.com>
	Wed, 2 Jan 2013 22:10:32 +0000 (22:10 +0000)
committer	Matthew Jordan <mjordan@digium.com>
	Wed, 2 Jan 2013 22:10:32 +0000 (22:10 +0000)
funcs/func_realtime.c		patch \| blob \| history
main/config.c		patch \| blob \| history