[Asterisk-code-review] res_pjsip_session.c: Prevent use-after-free with TEST_FRAMEWORK enabled (asterisk[master])

Kevin Harwell asteriskteam at digium.com
Wed Dec 4 18:03:22 CST 2019 

Kevin Harwell has submitted this change. ( https://gerrit.asterisk.org/c/asterisk/+/13346 )

Change subject: res_pjsip_session.c: Prevent use-after-free with TEST_FRAMEWORK enabled
......................................................................

res_pjsip_session.c: Prevent use-after-free with TEST_FRAMEWORK enabled

We need to copy the endpoint name before we call ao2_cleanup() on it,
otherwise we might try to access memory that has been reclaimed.

ASTERISK-28445 #close
Reported by: Bernhard Schmidt

Change-Id: I404b952608aa606e0babd3c4108346721fb726b3
---
M res/res_pjsip_session.c
1 file changed, 3 insertions(+), 1 deletion(-)

Approvals:
  Joshua Colp: Looks good to me, but someone else must approve
  Benjamin Keith Ford: Looks good to me, but someone else must approve
  Kevin Harwell: Looks good to me, approved; Approved for Submit



diff --git a/res/res_pjsip_session.c b/res/res_pjsip_session.c
index 7373c19..bc01548 100644
--- a/res/res_pjsip_session.c
+++ b/res/res_pjsip_session.c
@@ -2150,8 +2150,10 @@
 {
 	struct ast_sip_session *session = obj;
 	struct ast_sip_session_delayed_request *delay;
+
+	/* We dup the endpoint ID in case the endpoint gets freed out from under us */
 	const char *endpoint_name = session->endpoint ?
-		ast_sorcery_object_get_id(session->endpoint) : "<none>";
+		ast_strdupa(ast_sorcery_object_get_id(session->endpoint)) : "<none>";
 
 	ast_debug(3, "Destroying SIP session with endpoint %s\n", endpoint_name);
 

-- 
To view, visit https://gerrit.asterisk.org/c/asterisk/+/13346
To unsubscribe, or for help writing mail filters, visit https://gerrit.asterisk.org/settings

Gerrit-Project: asterisk
Gerrit-Branch: master
Gerrit-Change-Id: I404b952608aa606e0babd3c4108346721fb726b3
Gerrit-Change-Number: 13346
Gerrit-PatchSet: 1
Gerrit-Owner: Sean Bright <sean.bright at gmail.com>
Gerrit-Reviewer: Benjamin Keith Ford <bford at digium.com>
Gerrit-Reviewer: Friendly Automation
Gerrit-Reviewer: Joshua Colp <jcolp at digium.com>
Gerrit-Reviewer: Kevin Harwell <kharwell at digium.com>
Gerrit-MessageType: merged
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-code-review/attachments/20191204/92c124a2/attachment-0001.html>

More information about the asterisk-code-review mailing list