authorHarald Welte <laforge@osmocom.org>2020-07-03 19:07:00 +0200
committerHarald Welte <laforge@osmocom.org>2020-07-03 19:26:16 +0200
commit96034fcced3f5a93af1a7859a5cc7062390143a0 (patch)
treed5dca6944cf2bd39b3f73158f06846c27c293181
parent47c247b9406308d5bb6735a02eca313cc99ce05f (diff)
input/dahdi.c: Don't simply read beyond end of msgb
Let's first add two bytes to the msgb before writing. This way we would assert in case there was no tailroom. As we just added tailroom in the previous patch of this series, we are fine. Change-Id: If84b31ea9a3fc7a6c8768918efed2822d1d58427 Closes: OS#4644
-rw-r--r--src/input/dahdi.c22
1 files changed, 20 insertions, 2 deletions
diff --git a/src/input/dahdi.c b/src/input/dahdi.c
index a461f27..8cebac3 100644
--- a/src/input/dahdi.c
+++ b/src/input/dahdi.c
@@ -224,7 +224,16 @@ static void dahdi_write_msg(struct msgb *msg, void *cbdata)
struct e1inp_ts *e1i_ts = &line->ts[ts_nr-1];
int ret;
- ret = write(bfd->fd, msg->data, msg->len + 2);
+ if (msgb_tailroom(msg) >= 2) {
+ /* two bytes of space for the FCS added by DAHDI in the kernel */
+ msgb_put(msg, 2);
+ ret = write(bfd->fd, msg->data, msg->len);
+ } else {
+ /* work-around for code that sends us messages with no tailroom (OS#4644) */
+ uint8_t buf[msg->len + 2];
+ memcpy(buf, msg->data, msg->len);
+ ret = write(bfd->fd, buf, sizeof(buf));
+ }
msgb_free(msg);
if (ret == -1)
handle_dahdi_exception(e1i_ts);
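Review bot: In the fallback branch the last two bytes of `buf` are never initialised, so `write(bfd->fd, buf, sizeof(buf))` hands two bytes of stale stack content to the driver; the `memcpy` fills only `msg->len` bytes. The comment in the other branch says the kernel adds the FCS, but userspace should not depend on those bytes being overwritten, so add `memset(buf + msg->len, 0, 2);` after the `memcpy`. The same lines appear in the handle_hdlc_write hunk and need the same change. `buf` is also a variable-length array sized from `msg->len`, so its stack use is only as bounded as that field; a fixed-size buffer with an explicit length check would make the limit visible. dahdi_write_msg starts before this hunk and continues after it.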
@@ -273,7 +282,16 @@ static void handle_hdlc_write(struct osmo_fd *bfd)
if (!msg)
return;
- ret = write(bfd->fd, msg->data, msg->len + 2);
+ if (msgb_tailroom(msg) >= 2) {
+ /* two bytes of space for the FCS added by DAHDI in the kernel */
+ msgb_put(msg, 2);
+ ret = write(bfd->fd, msg->data, msg->len);
+ } else {
+ /* work-around for code that sends us messages with no tailroom (OS#4644) */
+ uint8_t buf[msg->len + 2];
+ memcpy(buf, msg->data, msg->len);
+ ret = write(bfd->fd, buf, sizeof(buf));
+ }
msgb_free(msg);
if (ret == -1)
handle_dahdi_exception(e1i_ts);
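Review bot: This block is a line-for-line copy of the one added to dahdi_write_msg, so any later correction to the padding logic has to be made in two places. Moving it into one `static` helper that takes the fd and the msgb and returns the `write()` result would keep both callers in step. The helper would carry a short comment such as `/* write msg plus two bytes of room for the FCS added by DAHDI in the kernel */`. handle_hdlc_write begins before this hunk and continues past it.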