Astobj2: Correctly treat hash_fn returning INT_MIN

The code in astobj2_hash.c wrongly assumed that abs(int) is always > 0. However, abs(INT_MIN) = INT_MIN and is still negative, as well as abs(INT_MIN) % num_buckets, and as a result this led to a crash. One way to trigger the bug is using host=::80 or 0.0.0.128 in peer configuration section in chan_sip or chan_iax. This patch takes the remainder before applying abs, so that bucket number is always in range. ASTERISK-25100 #close Reported by: Mark Petersen Change-Id: Id6981400ad526f47e10bcf7b847b62bd2785e899
10 years ago · 97a6ce1717
parent b9826bf101
commit 97a6ce1717
1 changed files with 5 additions and 6 deletions
--- a/main/astobj2_hash.c
+++ b/main/astobj2_hash.c
@ -235,8 +235,7 @@ static struct hash_bucket_node *hash_ao2_new_node(struct ao2_container_hash *sel
 		return NULL;
 	}

-	i = abs(self->hash_fn(obj_new, OBJ_SEARCH_OBJECT));
-	i %= self->n_buckets;
+	i = abs(self->hash_fn(obj_new, OBJ_SEARCH_OBJECT) % self->n_buckets);

 	if (tag) {
 		__ao2_ref_debug(obj_new, +1, tag, file, line, func);
@ -386,8 +385,8 @@ static struct hash_bucket_node *hash_ao2_find_first(struct ao2_container_hash *s
 	case OBJ_SEARCH_OBJECT:
 	case OBJ_SEARCH_KEY:
 		/* we know hash can handle this case */
-		bucket_cur = abs(self->hash_fn(arg, flags & OBJ_SEARCH_MASK));
-		bucket_cur %= self->n_buckets;
+		bucket_cur = abs(self->hash_fn(arg, flags & OBJ_SEARCH_MASK)
+				% self->n_buckets);
 		state->sort_fn = self->common.sort_fn;
 		break;
 	case OBJ_SEARCH_PARTIAL_KEY:
@ -984,8 +983,8 @@ static int hash_ao2_integrity(struct ao2_container_hash *self)
 			++count_obj;

 			/* Check container hash key for expected bucket. */
-			bucket_exp = abs(self->hash_fn(node->common.obj, OBJ_SEARCH_OBJECT));
-			bucket_exp %= self->n_buckets;
+			bucket_exp = abs(self->hash_fn(node->common.obj, OBJ_SEARCH_OBJECT)
+					% self->n_buckets);
 			if (bucket != bucket_exp) {
 				ast_log(LOG_ERROR, "Bucket %d node hashes to bucket %d!\n",
 					bucket, bucket_exp);