[asterisk-bugs] [JIRA] (ASTERISK-27225) Crash when freeing dtls_cfg->cafile
Richard Kenner (JIRA)
noreply at issues.asterisk.org
Tue Aug 29 14:53:07 CDT 2017
[ https://issues.asterisk.org/jira/browse/ASTERISK-27225?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=238306#comment-238306 ]
Richard Kenner commented on ASTERISK-27225:
-------------------------------------------
I just had another occurrence of this crash. It occurred after a "sip reload". It doesn't occur after every "sip reload", but did another time. This still had a condition where "cafile" wasn't found.
And I think I see the bug. We have this code, where I've removed details for clarity:
    ast_free(dtls_cfg->cafile);
    if (...) {
        ast_log(...);
        return -1;
    }
    dtls_cfg->cafile = ast_strdup(value);
Don't we have to clear dtls_cfg->cafile after freeing it to prevent a double free if the code returns?
> Crash when freeing dtls_cfg->cafile
> -----------------------------------
>
> Key: ASTERISK-27225
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-27225
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: Core/RTP
> Affects Versions: 14.6.0
> Environment: CentOS 7
> Reporter: Richard Kenner
> Assignee: Unassigned
> Severity: Critical
>
> I got a crash in free() from:
> #4 0x000000000059f1b0 in ast_rtp_dtls_cfg_free (
> dtls_cfg=dtls_cfg at entry=0x1cbd6b8) at rtp_engine.c:2781
> 2781 ast_free(dtls_cfg->cafile);
> (gdb) print dtls_cfg->cafile
> $1 = 0x1cbe880 ""
> This looks like it's trying to free something that wasn't malloc'ed.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
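
An added example, not part of the original message and not Asterisk code: the free-then-early-return pattern asked about in the comment, next to a variant that clears the pointer after freeing it. The tracking allocator, `demo_dtls_cfg`, `file_missing` and the paths are constructed stand-ins; a repeated free is counted rather than executed.

```c
#include <stdio.h>
#include <string.h>

/* Tracking allocator standing in for ast_strdup/ast_free (constructed): slots are
 * never reused, so a second free of one pointer is counted, not executed. */
static char pool[8][64];
static int live[8], next_slot, double_frees;

static char *demo_strdup(const char *s) {
    if (next_slot >= 8) return NULL;
    live[next_slot] = 1;
    return strncpy(pool[next_slot++], s, sizeof pool[0] - 1);
}
static void demo_free(char *p) {
    if (!p) return;                          /* like free(NULL): no-op */
    size_t i = (size_t)(p - &pool[0][0]) / sizeof pool[0];
    if (live[i]) live[i] = 0; else double_frees++;
}

struct demo_dtls_cfg { char *cafile; };      /* hypothetical, one field only */
/* Constructed stand-in for the elided "if (...)" check in the comment. */
static int file_missing(const char *path) { return strstr(path, "missing") != NULL; }
/* Pattern from the comment: free, then return early with the old pointer kept. */
static int set_cafile_buggy(struct demo_dtls_cfg *cfg, const char *value) {
    demo_free(cfg->cafile);
    if (file_missing(value)) return -1;      /* cfg->cafile now dangles */
    cfg->cafile = demo_strdup(value);
    return 0;
}

/* Clearing the field right after the free makes the early return safe. */
static int set_cafile_fixed(struct demo_dtls_cfg *cfg, const char *value) {
    demo_free(cfg->cafile);
    cfg->cafile = NULL;
    if (file_missing(value)) return -1;
    cfg->cafile = demo_strdup(value);
    return 0;
}

/* Load a valid cafile, reload with a missing one, tear down; return double frees. */
static int run_reload(int (*set)(struct demo_dtls_cfg *, const char *)) {
    struct demo_dtls_cfg cfg = { NULL };
    double_frees = 0;
    set(&cfg, "/etc/demo/ca.pem");
    set(&cfg, "/etc/demo/missing.pem");
    demo_free(cfg.cafile);                   /* teardown frees cafile again */
    return double_frees;
}
int main(void) { printf("buggy=%d fixed=%d\n", run_reload(set_cafile_buggy), run_reload(set_cafile_fixed)); return 0; }
```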