diff options
| -rw-r--r-- | funcs/func_realtime.c | 17 | ||||
| -rw-r--r-- | main/config.c | 11 |
2 files changed, 28 insertions, 0 deletions
diff --git a/funcs/func_realtime.c b/funcs/func_realtime.c index bd4b37dfe..886b5b456 100644 --- a/funcs/func_realtime.c +++ b/funcs/func_realtime.c @@ -219,6 +219,13 @@ static int function_realtime_read(struct ast_channel *chan, const char *cmd, cha /* add space for delimiters and final '\0' */ resultslen += n * (strlen(args.delim1) + strlen(args.delim2)) + 1; + if (resultslen > len) { + ast_log(LOG_WARNING, "Failed to fetch. Realtime data is too large: need %zu, have %zu.\n", resultslen, len); + return -1; + } + + /* len is going to be sensible, so we don't need to check for stack + * overflows here. */ out = ast_str_alloca(resultslen); for (var = head; var; var = var->next) ast_str_append(&out, 0, "%s%s%s%s", var->name, args.delim2, var->value, args.delim1); @@ -439,6 +446,16 @@ static int function_realtime_readdestroy(struct ast_channel *chan, const char *c /* add space for delimiters and final '\0' */ resultslen += n * (strlen(args.delim1) + strlen(args.delim2)) + 1; + if (resultslen > len) { + /* Unfortunately this does mean that we cannot destroy the row + * anymore. But OTOH, we're not destroying someones data without + * giving him the chance to look at it. */ + ast_log(LOG_WARNING, "Failed to fetch/destroy. Realtime data is too large: need %zu, have %zu.\n", resultslen, len); + return -1; + } + + /* len is going to be sensible, so we don't need to check for stack + * overflows here. */ out = ast_str_alloca(resultslen); for (var = head; var; var = var->next) { ast_str_append(&out, 0, "%s%s%s%s", var->name, args.delim2, var->value, args.delim1); diff --git a/main/config.c b/main/config.c index f56421ee0..cf2b84c72 100644 --- a/main/config.c +++ b/main/config.c @@ -1646,6 +1646,17 @@ static struct ast_config *config_text_file_load(const char *database, const char while (!feof(f)) { lineno++; if (fgets(buf, sizeof(buf), f)) { + /* Skip lines that are too long */ + if (strlen(buf) == sizeof(buf) - 1 && buf[sizeof(buf) - 1] != '\n') { + ast_log(LOG_WARNING, "Line %d too long, skipping. It begins with: %.32s...\n", lineno, buf); + while (fgets(buf, sizeof(buf), f)) { + if (strlen(buf) != sizeof(buf) - 1 || buf[sizeof(buf) - 1] == '\n') { + break; + } + } + continue; + } + if (ast_test_flag(&flags, CONFIG_FLAG_WITHCOMMENTS) && lline_buffer && ast_str_strlen(lline_buffer)) { CB_ADD(&comment_buffer, ast_str_buffer(lline_buffer)); /* add the current lline buffer to the comment buffer */ ast_str_reset(lline_buffer); /* erase the lline buffer */ |