Save the outgoing address to private variable in queue.cc

This fixes the bug where outgoing address was saved to stack and the msg_name pointer pointed to garbage when flush_queue() was called
2019-07-23 08:49:49 +03:00 · 2019-07-23 08:49:49 +03:00 · 46e0842d1f
parent 8760bd97ce
commit 46e0842d1f
2 changed files with 18 additions and 13 deletions
--- a/src/queue.cc
+++ b/src/queue.cc
@ -18,6 +18,9 @@ kvz_rtp::frame_queue::frame_queue()
    :buf_ptr_(0)
 #endif
 {
+#ifdef __linux__
+    out_addr_.sin_addr.s_addr = 0;
+#endif
 }

 kvz_rtp::frame_queue::~frame_queue()
@ -39,8 +42,8 @@ rtp_error_t kvz_rtp::frame_queue::enqueue_message(
        return RTP_MEMORY_ERROR;
    }

-    /* TODO: this is not valid after return */
-    sockaddr_in out_addr = dynamic_cast<kvz_rtp::writer *>(conn)->get_out_address(); 
+    if (out_addr_.sin_addr.s_addr == 0)
+        out_addr_ = dynamic_cast<kvz_rtp::writer *>(conn)->get_out_address();

    chunks_[chunk_ptr_ + 0].iov_base = header;
    chunks_[chunk_ptr_ + 0].iov_len  = header_len;
@ -48,8 +51,8 @@ rtp_error_t kvz_rtp::frame_queue::enqueue_message(
    chunks_[chunk_ptr_ + 1].iov_base = payload;
    chunks_[chunk_ptr_ + 1].iov_len  = payload_len;

-    messages_[msg_ptr_].msg_name = (void *)&out_addr;
-    messages_[msg_ptr_].msg_namelen = sizeof(out_addr);
+    messages_[msg_ptr_].msg_name = (void *)&out_addr_;
+    messages_[msg_ptr_].msg_namelen = sizeof(out_addr_);
    messages_[msg_ptr_].msg_iov = &chunks_[chunk_ptr_];
    messages_[msg_ptr_].msg_iovlen = 2;
    messages_[msg_ptr_].msg_control = 0;
@ -101,14 +104,14 @@ rtp_error_t kvz_rtp::frame_queue::enqueue_message(
        return RTP_MEMORY_ERROR;
    }

-    /* TODO: this is not valid after return */
-    sockaddr_in out_addr = dynamic_cast<kvz_rtp::writer *>(conn)->get_out_address(); 
+    if (out_addr_.sin_addr.s_addr == 0)
+        out_addr_ = dynamic_cast<kvz_rtp::writer *>(conn)->get_out_address();

    chunks_[chunk_ptr_ + 0].iov_base = message;
    chunks_[chunk_ptr_ + 0].iov_len  = message_len;

-    messages_[msg_ptr_].msg_name = (void *)&out_addr;
-    messages_[msg_ptr_].msg_namelen = sizeof(out_addr);
+    messages_[msg_ptr_].msg_name = (void *)&out_addr_;
+    messages_[msg_ptr_].msg_namelen = sizeof(out_addr_);
    messages_[msg_ptr_].msg_iov = &chunks_[chunk_ptr_];
    messages_[msg_ptr_].msg_iovlen = 1;
    messages_[msg_ptr_].msg_control = 0;
@ -159,11 +162,11 @@ rtp_error_t kvz_rtp::frame_queue::enqueue_message(
        chunks_[chunk_ptr_ + i].iov_base = buffers.at(i).second;
    }

-    /* TODO: this is not valid after return */
-    sockaddr_in out_addr = dynamic_cast<kvz_rtp::writer *>(conn)->get_out_address(); 
+    if (out_addr_.sin_addr.s_addr == 0)
+        out_addr_ = dynamic_cast<kvz_rtp::writer *>(conn)->get_out_address();

-    messages_[msg_ptr_].msg_name = (void *)&out_addr;
-    messages_[msg_ptr_].msg_namelen = sizeof(out_addr);
+    messages_[msg_ptr_].msg_name = (void *)&out_addr_;
+    messages_[msg_ptr_].msg_namelen = sizeof(out_addr_);
    messages_[msg_ptr_].msg_iov = &chunks_[chunk_ptr_];
    messages_[msg_ptr_].msg_iovlen = buffers.size();
    messages_[msg_ptr_].msg_control = 0;
@ -249,7 +252,7 @@ rtp_error_t kvz_rtp::frame_queue::flush_queue(kvz_rtp::connection *conn)
 rtp_error_t kvz_rtp::frame_queue::empty_queue()
 {
 #ifdef __linux__
-    hdr_ptr_ = msg_ptr_ = chunk_ptr_ = 0;
+    hdr_ptr_ = msg_ptr_ = chunk_ptr_ = out_addr_.sin_addr.s_addr = 0;
 #else
    buf_ptr_ = 0;

--- a/src/queue.hh
+++ b/src/queue.hh
@ -69,6 +69,8 @@ namespace kvz_rtp {
    int hdr_ptr_;
    int msg_ptr_;
    int chunk_ptr_;
+
+    sockaddr_in out_addr_;
 #else
    std::vector<uint8_t *> merge_bufs_;
    WSABUF buffers_[MAX_MSG_COUNT];