[asterisk-bugs] [JIRA] (ASTERISK-27225) Crash when freeing dtls_cfg->cafile

Richard Kenner (JIRA) noreply at issues.asterisk.org
Tue Aug 29 14:53:07 CDT 2017


    [ https://issues.asterisk.org/jira/browse/ASTERISK-27225?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=238306#comment-238306 ] 

Richard Kenner commented on ASTERISK-27225:
-------------------------------------------

I just had another occurrence of this crash.  It occurred after a "sip reload".  It doesn't occur after every "sip reload", but did another time.  This still had a condition where "cafile" wasn't found.

And I think I see the bug.  We have this code, where I've removed details for clarity:

                ast_free(dtls_cfg->cafile);
                if (...) {
                        ast_log(...);
                        return -1;
                }
                dtls_cfg->cafile = ast_strdup(value);

Don't we have to clear dtls_cfg->cafile after freeing it to prevent a double free if the code returns?

> Crash when freeing dtls_cfg->cafile
> -----------------------------------
>
>                 Key: ASTERISK-27225
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-27225
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Core/RTP
>    Affects Versions: 14.6.0
>         Environment: CentOS 7
>            Reporter: Richard Kenner
>            Assignee: Unassigned
>            Severity: Critical
>
> I got a crash in free() from:
> #4  0x000000000059f1b0 in ast_rtp_dtls_cfg_free (
>     dtls_cfg=dtls_cfg at entry=0x1cbd6b8) at rtp_engine.c:2781
> 2781            ast_free(dtls_cfg->cafile);
> (gdb) print dtls_cfg->cafile
> $1 = 0x1cbe880 ""
> This looks like it's trying to free something that wasn't malloc'ed.


