[asterisk-bugs] [JIRA] (ASTERISK-28572) Memory leak in function exchangecal_destructor in res/res_calendar_exchange.c and icalendar_destructor in res/res_calendar_icalendar.c
Benjamin Keith Ford (JIRA)
noreply at issues.asterisk.org
Mon Oct 7 09:32:48 CDT 2019
[ https://issues.asterisk.org/jira/browse/ASTERISK-28572?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=248273#comment-248273 ]
Benjamin Keith Ford commented on ASTERISK-28572:
------------------------------------------------
This does look like "ne_uri" is never freed - opening up an internal issue for this.
> Memory leak in function exchangecal_destructor in res/res_calendar_exchange.c and icalendar_destructor in res/res_calendar_icalendar.c
> ---------------------------------------------------------------------------------------------------------------------------------------
>
> Key: ASTERISK-28572
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-28572
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: Resources/res_calendar_exchange, Resources/res_calendar_icalendar
> Affects Versions: 16.6.0
> Environment: No
> Reporter: Yoooooo Ha
>
> ####################################
> struct exchangecal_pvt {
> AST_DECLARE_STRING_FIELDS(
> AST_STRING_FIELD(url);
> AST_STRING_FIELD(user);
> AST_STRING_FIELD(secret);
> );
> struct ast_calendar *owner;
> ne_uri uri;
> ne_session *session;
> struct ao2_container *events;
> };
> static void exchangecal_destructor(void *obj)
> {
> struct exchangecal_pvt *pvt = obj;
> ast_debug(1, "Destroying pvt for Exchange calendar %s\n",
> pvt->owner->name);
> if (pvt->session) {
> ne_session_destroy(pvt->session);
> }
> ast_string_field_free_memory(pvt);
> ao2_callback(pvt->events, OBJ_UNLINK | OBJ_NODATA |
> OBJ_MULTIPLE, NULL, NULL);
> ao2_ref(pvt->events, -1);
> }
> ####################################
> ####################################
> struct icalendar_pvt {
> AST_DECLARE_STRING_FIELDS(
> AST_STRING_FIELD(url);
> AST_STRING_FIELD(user);
> AST_STRING_FIELD(secret);
> );
> struct ast_calendar *owner;
> ne_uri uri;
> ne_session *session;
> icalcomponent *data;
> struct ao2_container *events;
> };
> static void icalendar_destructor(void *obj)
> {
> struct icalendar_pvt *pvt = obj;
> ast_debug(1, "Destroying pvt for iCalendar %s\n",
> pvt->owner->name);
> if (pvt->session) {
> ne_session_destroy(pvt->session);
> }
> if (pvt->data) {
> icalcomponent_free(pvt->data);
> }
> ast_string_field_free_memory(pvt);
> ao2_callback(pvt->events, OBJ_UNLINK | OBJ_NODATA |
> OBJ_MULTIPLE, NULL, NULL);
> ao2_ref(pvt->events, -1);
> }
> ####################################
> As we can see, the object uri is not freed in these two functions.
> The vulnerability is same as the one fixed in
> https://gerrit.asterisk.org/c/asterisk/+/6509
> (https://issues.asterisk.org/jira/browse/ASTERISK-25524)
--
This message was sent by Atlassian JIRA
(v6.2#6252)
More information about the asterisk-bugs
mailing list