authorAutomerge script <automerge@asterisk.org>2013-01-02 16:20:01 +0000
committerAutomerge script <automerge@asterisk.org>2013-01-02 16:20:01 +0000
commit5966364588cfb5e83ac5182469cc3f994cff6143 (patch)
treed18d2e9ad50d8c22b556c9ea54e2aff140b3abdb /main
parent95cb4fa886c73c3248dcd58c918ba8c9b9d8ca21 (diff)
Merged revisions 378288 via svnmerge from
file:///srv/subversion/repos/asterisk/trunk ................ r378288 | mjordan | 2013-01-02 09:39:42 -0600 (Wed, 02 Jan 2013) | 36 lines Resolve crashes due to large stack allocations when using TCP Asterisk had several places where messages received over various network transports may be copied in a single stack allocation. In the case of TCP, since multiple packets in a stream may be concatenated together, this can lead to large allocations that overflow the stack. This patch modifies those portions of Asterisk using TCP to either favor heap allocations or use an upper bound to ensure that the stack will not overflow: * For SIP, the allocation now has an upper limit * For HTTP, the allocation is now a heap allocation instead of a stack allocation * For XMPP (in res_jabber), the allocation has been eliminated since it was unnecessary. Note that the HTTP portion of this issue was independently found by Brandon Edwards of Exodus Intelligence. (issue ASTERISK-20658) Reported by: wdoekes, Brandon Edwards Tested by: mmichelson, wdoekes patches: ASTERISK-20658_res_jabber.c.patch uploaded by mmichelson (license 5049) issueA20658_http_postvars_use_malloc2.patch uploaded by wdoekes (license 5674) issueA20658_limit_sip_packet_size3.patch uploaded by wdoekes (license 5674) ........ Merged revisions 378269 from http://svn.asterisk.org/svn/asterisk/branches/1.8 ........ Merged revisions 378286 from http://svn.asterisk.org/svn/asterisk/branches/10 ........ Merged revisions 378287 from http://svn.asterisk.org/svn/asterisk/branches/11 ................ git-svn-id: https://origsvn.digium.com/svn/asterisk/team/mmichelson/threadpool@378296 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Diffstat (limited to 'main')
-rw-r--r--main/http.c20
1 files changed, 16 insertions, 4 deletions
diff --git a/main/http.c b/main/http.c
index 44148edf8..fc2931290 100644
--- a/main/http.c
+++ b/main/http.c
@@ -611,6 +611,7 @@ struct ast_variable *ast_http_get_post_vars(
int content_length = 0;
struct ast_variable *v, *post_vars=NULL, *prev = NULL;
char *buf, *var, *val;
+ int res;
for (v = headers; v; v = v->next) {
if (!strcasecmp(v->name, "Content-Type")) {
@@ -623,20 +624,28 @@ struct ast_variable *ast_http_get_post_vars(
for (v = headers; v; v = v->next) {
if (!strcasecmp(v->name, "Content-Length")) {
- content_length = atoi(v->value) + 1;
+ content_length = atoi(v->value);
break;
}
}
- if (!content_length) {
+ if (content_length <= 0) {
return NULL;
}
- buf = ast_alloca(content_length);
- if (!fgets(buf, content_length, ser->f)) {
+ buf = ast_malloc(content_length + 1);
+ if (!buf) {
return NULL;
}
+ res = fread(buf, 1, content_length, ser->f);
+ if (res < content_length) {
+ /* Error, distinguishable by ferror() or feof(), but neither
+ * is good. */
+ goto done;
+ }
+ buf[content_length] = '\0';
+
while ((val = strsep(&buf, "&"))) {
var = strsep(&val, "=");
if (val) {
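Review bot: The Content-Length value still reaches the allocation with no upper bound: `atoi(v->value)` accepts anything up to INT_MAX, so a request header alone sets the size of `ast_malloc(content_length + 1)`, and at INT_MAX the `+ 1` is a signed overflow. Moving the buffer to the heap removes the stack-overflow crash, but the process will still attempt a very large allocation and then block in `fread` waiting for that many bytes. I would cap the length in the existing check, e.g. `if (content_length <= 0 || content_length > MAX_POST_CONTENT_LENGTH) { return NULL; }`, where `MAX_POST_CONTENT_LENGTH` is a placeholder for a limit the project picks. Parsing with `strtol` and checking the end pointer would also stop non-numeric values from being read as 0 silently. Separately, `fread` returns `size_t`, so `res` would be better declared as `size_t` and compared as `res < (size_t) content_length`; the function body begins and ends outside this hunk.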
@@ -654,6 +663,9 @@ struct ast_variable *ast_http_get_post_vars(
prev = v;
}
}
+
+done:
+ ast_free(buf);
return post_vars;
}
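Review bot: `ast_free(buf)` at `done:` does not release the allocation on the success path, because the `strsep(&buf, "&")` loop in the preceding hunk advances `buf` on every token and leaves it NULL once the last token is consumed. Only the short-read `goto done` path still holds the pointer returned by `ast_malloc`, so each successfully parsed POST body leaks `content_length + 1` bytes, which a remote client can repeat until memory is exhausted. Keep the allocation's address in `buf` and walk the string with a separate cursor: declare `char *cur;`, set `cur = buf;` after the terminator is written, and loop on `while ((val = strsep(&cur, "&")))`. The start of the function and the loop body are outside this hunk, so this assumes nothing in the omitted lines saves the original pointer.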