From f3393ef362707e00daa152c968b100d2ba9192ea Mon Sep 17 00:00:00 2001
From: William King
Date: Sat, 18 May 2013 17:34:16 -0700
Subject: [PATCH] Coverity reported an Uninitialized pointer read. Upon further digging it appears that there is a code path where incoming packets can come in out of order, so this section of code tries to see if it can find the missed packets. As per FS-5202 there is a case where under heavy load the packet exists, and has most of the packet parsed, but still has a NULL pointer for the packet buffer. These two lines would at least help detect the edge case.
---
 src/mod/applications/mod_spandsp/udptl.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/mod/applications/mod_spandsp/udptl.c b/src/mod/applications/mod_spandsp/udptl.c
index b560410b7d..7d72cc16e9 100644
--- a/src/mod/applications/mod_spandsp/udptl.c
+++ b/src/mod/applications/mod_spandsp/udptl.c
@@ -74,6 +74,10 @@ static int decode_open_type(const uint8_t *buf, int limit, int *len, const uint8
 		if ((*len + octet_cnt) > limit)
 			return -1;
 
+		/* Was told the buffer was large enough, but in reality it didn't exist. FS-5202 */
+		if ( buf[*len] == NULL )
+			return -1;
+
 		*pbuf = &buf[*len];
 		*len += octet_cnt;
 	}
@@ -159,7 +163,7 @@ int udptl_rx_packet(udptl_state_t *s, const uint8_t buf[], int len)
 	const uint8_t *data;
 	int msg_len;
 	int repaired[16];
-	const uint8_t *bufs[16];
+	const uint8_t *bufs[16] = {0};
 	int lengths[16];
 	int span;
 	int entries;
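Review bot: The added check in decode_open_type, `if ( buf[*len] == NULL )`, compares a payload byte (`buf` is `const uint8_t *`, so `buf[*len]` is a `uint8_t`) with the null-pointer constant; it therefore rejects any frame whose next data octet is 0x00 and never detects a missing buffer, because a NULL `buf` is already dereferenced by the indexing before the comparison runs (most compilers also warn about comparing an integer with a pointer constant here). If the intent is to guard against the NULL packet buffer described for FS-5202, test the pointer itself before it is used, `if (buf == NULL) return -1;`, at the top of the function or in the caller that hands out the buffer, and keep the explanatory comment with it. Zero octets are ordinary data in this payload, so the check as written is likely to drop valid packets under normal load rather than only in the edge case. The block closed by the `}` at the end of the hunk and the function's start lie outside the hunk, so whether `*len < limit` always holds at the point of the new read cannot be confirmed from here.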