[Asterisk-code-review] config.c: Prevent UB in ast_realtime_require_field. (asterisk[19])

Tue Nov 30 12:57:56 CST 2021

Kevin Harwell has submitted this change. ( https://gerrit.asterisk.org/c/asterisk/+/17605 )

Change subject: config.c: Prevent UB in ast_realtime_require_field.
......................................................................

config.c: Prevent UB in ast_realtime_require_field.

A backend's implementation of the realtime 'require' function may call
va_arg() and then fail, leaving the va_list in an undefined
state. Pass a copy of the va_list instead.

ASTERISK-29771 #close

Change-Id: I555565a72af84e96d49f62fe8cb66ba5a78461f4
---
M main/config.c
1 file changed, 5 insertions(+), 2 deletions(-)

Approvals:
  Benjamin Keith Ford: Looks good to me, but someone else must approve
  George Joseph: Looks good to me, approved
  Kevin Harwell: Approved for Submit

diff --git a/main/config.c b/main/config.c
index 46f05aa..c5e42fa 100644
--- a/main/config.c
+++ b/main/config.c
@@ -3384,16 +3384,19 @@
 	struct ast_config_engine *eng;
 	char db[256];
 	char table[256];
-	va_list ap;
+	va_list ap, aq;
 	int res = -1, i;
 
 	va_start(ap, family);
 	for (i = 1; ; i++) {
 		if ((eng = find_engine(family, i, db, sizeof(db), table, sizeof(table)))) {
+			va_copy(aq, ap);
 			/* If the require succeeds, it returns 0. */
-			if (eng->require_func && !(res = eng->require_func(db, table, ap))) {
+			if (eng->require_func && !(res = eng->require_func(db, table, aq))) {
+				va_end(aq);
 				break;
 			}
+			va_end(aq);
 		} else {
 			break;
 		}

-- 
To view, visit https://gerrit.asterisk.org/c/asterisk/+/17605
To unsubscribe, or for help writing mail filters, visit https://gerrit.asterisk.org/settings

Gerrit-Project: asterisk
Gerrit-Branch: 19
Gerrit-Change-Id: I555565a72af84e96d49f62fe8cb66ba5a78461f4
Gerrit-Change-Number: 17605
Gerrit-PatchSet: 3
Gerrit-Owner: Sean Bright <sean at seanbright.com>
Gerrit-Reviewer: Benjamin Keith Ford <bford at digium.com>
Gerrit-Reviewer: Friendly Automation
Gerrit-Reviewer: George Joseph <gjoseph at digium.com>
Gerrit-Reviewer: Kevin Harwell <kharwell at digium.com>
Gerrit-MessageType: merged
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-code-review/attachments/20211130/d7315d83/attachment-0001.html>
