From 5be3d14c1156945681bf08268aee09566b2cbf74 Mon Sep 17 00:00:00 2001 From: David Vossel Date: Tue, 9 Feb 2010 23:07:17 +0000 Subject: [PATCH] Merged revisions 245792 via svnmerge from https://origsvn.digium.com/svn/asterisk/branches/1.4 ........ r245792 | dvossel | 2010-02-09 16:55:38 -0600 (Tue, 09 Feb 2010) | 12 lines Fixes iaxs and iaxsl size off by one issue. 2^15 = 32768 which is the maximum allowed iax2 callnumber. Creating the iaxs and iaxsl array of size 32768 means the maximum callnumber is actually out of bounds. This causes a nasty crash. (closes issue #15997) Reported by: exarv Patches: iax_fix.diff uploaded by dvossel (license 671) ........ git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@245793 65c4cc65-6c06-0410-ace0-fbb531ad65f3 --- channels/chan_iax2.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/channels/chan_iax2.c b/channels/chan_iax2.c index ac093d6..47be416 100644 --- a/channels/chan_iax2.c +++ b/channels/chan_iax2.c @@ -848,7 +848,7 @@ static const unsigned int CALLNO_POOL_BUCKETS = 2699; * * \note Contents protected by the iaxsl[] locks */ -static AST_LIST_HEAD_NOLOCK(, iax_frame) frame_queue[IAX_MAX_CALLS]; +static AST_LIST_HEAD_NOLOCK(, iax_frame) frame_queue[IAX_MAX_CALLS + 1]; static struct ast_taskprocessor *transmit_processor; @@ -1049,7 +1049,7 @@ static void signal_condition(ast_mutex_t *lock, ast_cond_t *cond) * based on the local call number. The local call number is used as the * index into the array where the associated pvt structure is stored. */ -static struct chan_iax2_pvt *iaxs[IAX_MAX_CALLS]; +static struct chan_iax2_pvt *iaxs[IAX_MAX_CALLS + 1]; /*! * \brief Another container of iax2_pvt structures -- 1.7.9.5