[asterisk-bugs] [JIRA] (ASTERISK-28572) Memory leaks in res_calendar_exchange and res_calendar_icalendar

Richard Mudgett (JIRA) noreply at issues.asterisk.org
Mon Oct 7 10:17:47 CDT 2019


     [ https://issues.asterisk.org/jira/browse/ASTERISK-28572?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Richard Mudgett updated ASTERISK-28572:
---------------------------------------

    Description: 
Edit:
exchangecal_destructor in res/res_calendar_exchange.c
icalendar_destructor in res/res_calendar_icalendar.c

{code}
/*
 * Private state for one Exchange calendar, as quoted in this report.
 * Each member is annotated with how the destructor quoted alongside it
 * handles that member.
 */
struct exchangecal_pvt {
         /* String fields; released together by ast_string_field_free_memory(). */
         /* NOTE(review): secret presumably holds the account credential; whether it is wiped before release is not visible here. */
         AST_DECLARE_STRING_FIELDS(
                 AST_STRING_FIELD(url);
                 AST_STRING_FIELD(user);
                 AST_STRING_FIELD(secret);
         );
         struct ast_calendar *owner;   /* only read by the destructor (owner->name in the debug log) */
         ne_uri uri;                   /* neon URI struct embedded by value; NOT released by the destructor (the reported leak) */
         ne_session *session;          /* destroyed with ne_session_destroy() when non-NULL */
         struct ao2_container *events; /* emptied, then unreferenced, by the destructor */
};
/*
 * Destructor for an Exchange calendar pvt (presumably registered as the
 * ao2 destructor when the pvt is allocated; the allocation is not shown).
 *
 * obj is the struct exchangecal_pvt being destroyed.
 *
 * Releases the neon session, the string fields and the events container.
 * It does not release pvt->uri, which is the leak this report describes.
 */
static void exchangecal_destructor(void *obj)
{
         struct exchangecal_pvt *pvt = obj;

         /* Dereferences pvt->owner without a NULL check; assumes owner is always set. */
         ast_debug(1, "Destroying pvt for Exchange calendar %s\n", 
pvt->owner->name);
         if (pvt->session) {
                 ne_session_destroy(pvt->session);
         }
         /*
          * NOTE(review): nothing in this function releases pvt->uri. If the
          * ne_uri was filled in by neon's URI parser (not shown here), the
          * component strings it owns are leaked on every destroy; the
          * matching release call in neon is ne_uri_free(&pvt->uri).
          */
         ast_string_field_free_memory(pvt);

         /* No match callback and OBJ_MULTIPLE: unlink every event from the container. */
         ao2_callback(pvt->events, OBJ_UNLINK | OBJ_NODATA | 
OBJ_MULTIPLE, NULL, NULL);

         /* Drop this pvt's reference to the (now empty) container. */
         ao2_ref(pvt->events, -1);
}
{code}

{code}
/*
 * Private state for one iCalendar calendar, as quoted in this report.
 * Each member is annotated with how the destructor quoted alongside it
 * handles that member.
 */
struct icalendar_pvt {
         /* String fields; released together by ast_string_field_free_memory(). */
         /* NOTE(review): secret presumably holds the account credential; whether it is wiped before release is not visible here. */
         AST_DECLARE_STRING_FIELDS(
                 AST_STRING_FIELD(url);
                 AST_STRING_FIELD(user);
                 AST_STRING_FIELD(secret);
         );
         struct ast_calendar *owner;   /* only read by the destructor (owner->name in the debug log) */
         ne_uri uri;                   /* neon URI struct embedded by value; NOT released by the destructor (the reported leak) */
         ne_session *session;          /* destroyed with ne_session_destroy() when non-NULL */
         icalcomponent *data;          /* freed with icalcomponent_free() when non-NULL */
         struct ao2_container *events; /* emptied, then unreferenced, by the destructor */
};
/*
 * Destructor for an iCalendar pvt (presumably registered as the ao2
 * destructor when the pvt is allocated; the allocation is not shown).
 *
 * obj is the struct icalendar_pvt being destroyed.
 *
 * Releases the neon session, the parsed calendar component, the string
 * fields and the events container. It does not release pvt->uri, which
 * is the leak this report describes.
 */
static void icalendar_destructor(void *obj)
{
         struct icalendar_pvt *pvt = obj;

         /* Dereferences pvt->owner without a NULL check; assumes owner is always set. */
         ast_debug(1, "Destroying pvt for iCalendar %s\n", 
pvt->owner->name);
         if (pvt->session) {
                 ne_session_destroy(pvt->session);
         }
         if (pvt->data) {
                 icalcomponent_free(pvt->data);
         }
         /*
          * NOTE(review): nothing in this function releases pvt->uri. If the
          * ne_uri was filled in by neon's URI parser (not shown here), the
          * component strings it owns are leaked on every destroy; the
          * matching release call in neon is ne_uri_free(&pvt->uri).
          */
         ast_string_field_free_memory(pvt);

         /* No match callback and OBJ_MULTIPLE: unlink every event from the container. */
         ao2_callback(pvt->events, OBJ_UNLINK | OBJ_NODATA | 
OBJ_MULTIPLE, NULL, NULL);

         /* Drop this pvt's reference to the (now empty) container. */
         ao2_ref(pvt->events, -1);
}
{code}

As we can see, the uri member is not freed in either of these two destructors.
The vulnerability is the same as the one fixed in 
https://gerrit.asterisk.org/c/asterisk/+/6509 
(ASTERISK-25524)


  was:
Edit:
exchangecal_destructor in res/res_calendar_exchange.c
icalendar_destructor in res/res_calendar_icalendar.c

####################################
/* Private state for one Exchange calendar (copy from the previous issue description). */
struct exchangecal_pvt {
         /* String fields; released together by ast_string_field_free_memory(). */
         AST_DECLARE_STRING_FIELDS(
                 AST_STRING_FIELD(url);
                 AST_STRING_FIELD(user);
                 AST_STRING_FIELD(secret);
         );
         struct ast_calendar *owner;
         ne_uri uri;                   /* embedded by value; the destructor quoted with it never releases it */
         ne_session *session;
         struct ao2_container *events;
};
/*
 * Destructor for an Exchange calendar pvt (copy from the previous issue
 * description). Releases the session, string fields and events container,
 * but not pvt->uri.
 */
static void exchangecal_destructor(void *obj)
{
         struct exchangecal_pvt *pvt = obj;

         ast_debug(1, "Destroying pvt for Exchange calendar %s\n", 
pvt->owner->name);
         if (pvt->session) {
                 ne_session_destroy(pvt->session);
         }
         /* NOTE(review): pvt->uri is not released here; neon's release call for an ne_uri is ne_uri_free(). */
         ast_string_field_free_memory(pvt);

         /* Unlink every event, then drop the container reference. */
         ao2_callback(pvt->events, OBJ_UNLINK | OBJ_NODATA | 
OBJ_MULTIPLE, NULL, NULL);

         ao2_ref(pvt->events, -1);
}
####################################

####################################
/* Private state for one iCalendar calendar (copy from the previous issue description). */
struct icalendar_pvt {
         /* String fields; released together by ast_string_field_free_memory(). */
         AST_DECLARE_STRING_FIELDS(
                 AST_STRING_FIELD(url);
                 AST_STRING_FIELD(user);
                 AST_STRING_FIELD(secret);
         );
         struct ast_calendar *owner;
         ne_uri uri;                   /* embedded by value; the destructor quoted with it never releases it */
         ne_session *session;
         icalcomponent *data;          /* freed with icalcomponent_free() when non-NULL */
         struct ao2_container *events;
};
/*
 * Destructor for an iCalendar pvt (copy from the previous issue
 * description). Releases the session, calendar component, string fields
 * and events container, but not pvt->uri.
 */
static void icalendar_destructor(void *obj)
{
         struct icalendar_pvt *pvt = obj;

         ast_debug(1, "Destroying pvt for iCalendar %s\n", 
pvt->owner->name);
         if (pvt->session) {
                 ne_session_destroy(pvt->session);
         }
         if (pvt->data) {
                 icalcomponent_free(pvt->data);
         }
         /* NOTE(review): pvt->uri is not released here; neon's release call for an ne_uri is ne_uri_free(). */
         ast_string_field_free_memory(pvt);

         /* Unlink every event, then drop the container reference. */
         ao2_callback(pvt->events, OBJ_UNLINK | OBJ_NODATA | 
OBJ_MULTIPLE, NULL, NULL);

         ao2_ref(pvt->events, -1);
}
####################################

As we can see, the uri member is not freed in either of these two destructors.
The vulnerability is the same as the one fixed in 
https://gerrit.asterisk.org/c/asterisk/+/6509 
(https://issues.asterisk.org/jira/browse/ASTERISK-25524)



> Memory leaks in res_calendar_exchange and res_calendar_icalendar
> ----------------------------------------------------------------
>
>                 Key: ASTERISK-28572
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-28572
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Resources/res_calendar_exchange, Resources/res_calendar_icalendar
>    Affects Versions: 16.6.0
>         Environment: No
>            Reporter: Yoooooo Ha
>
> Edit:
> exchangecal_destructor in res/res_calendar_exchange.c
> icalendar_destructor in res/res_calendar_icalendar.c
> {code}
> struct exchangecal_pvt {
>          AST_DECLARE_STRING_FIELDS(
>                  AST_STRING_FIELD(url);
>                  AST_STRING_FIELD(user);
>                  AST_STRING_FIELD(secret);
>          );
>          struct ast_calendar *owner;
>          ne_uri uri;
>          ne_session *session;
>          struct ao2_container *events;
> };
> static void exchangecal_destructor(void *obj)
> {
>          struct exchangecal_pvt *pvt = obj;
>          ast_debug(1, "Destroying pvt for Exchange calendar %s\n", 
> pvt->owner->name);
>          if (pvt->session) {
>                  ne_session_destroy(pvt->session);
>          }
>          ast_string_field_free_memory(pvt);
>          ao2_callback(pvt->events, OBJ_UNLINK | OBJ_NODATA | 
> OBJ_MULTIPLE, NULL, NULL);
>          ao2_ref(pvt->events, -1);
> }
> {code}
> {code}
> struct icalendar_pvt {
>          AST_DECLARE_STRING_FIELDS(
>                  AST_STRING_FIELD(url);
>                  AST_STRING_FIELD(user);
>                  AST_STRING_FIELD(secret);
>          );
>          struct ast_calendar *owner;
>          ne_uri uri;
>          ne_session *session;
>          icalcomponent *data;
>          struct ao2_container *events;
> };
> static void icalendar_destructor(void *obj)
> {
>          struct icalendar_pvt *pvt = obj;
>          ast_debug(1, "Destroying pvt for iCalendar %s\n", 
> pvt->owner->name);
>          if (pvt->session) {
>                  ne_session_destroy(pvt->session);
>          }
>          if (pvt->data) {
>                  icalcomponent_free(pvt->data);
>          }
>          ast_string_field_free_memory(pvt);
>          ao2_callback(pvt->events, OBJ_UNLINK | OBJ_NODATA | 
> OBJ_MULTIPLE, NULL, NULL);
>          ao2_ref(pvt->events, -1);
> }
> {code}
> As we can see, the uri member is not freed in either of these two destructors.
> The vulnerability is the same as the one fixed in 
> https://gerrit.asterisk.org/c/asterisk/+/6509 
> (ASTERISK-25524)


