[asterisk-commits] file: branch 1.6.0 r113299 - /branches/1.6.0/
SVN commits to the Asterisk project
asterisk-commits at lists.digium.com
Tue Apr 8 10:10:06 CDT 2008
Author: file
Date: Tue Apr 8 10:10:05 2008
New Revision: 113299
URL: http://svn.digium.com/view/asterisk?view=rev&rev=113299
Log:
Blocked revisions 112874 via svnmerge
........
r112874 | murf | 2008-04-04 22:33:13 -0300 (Fri, 04 Apr 2008) | 15 lines
Found a little problem with the sip request handling that could lead to a quick crash of asterisk, and a road to a DOS attack if left unfixed.
Attaching to a running asterisk with "telnet hostname 5060", I would input "something", then hit return three times, and asterisk crashes.
I traced it to handle_request_do(), which zeroes out the data (an ast_str ptr) if the string is too short.
Instead of freeing the struct and nulling the pointer, it now just resets it, because this
ast_str is expected by the calling routine to still be there after handle_request_do() returns.
This appears to fix the crash. I assume that it was introduced with ast_str's being adopted. It's a subtle and easy-to-miss sort of problem.
I also found all the places where the req.data is freed, and made sure the ptr is Nulled out as well;
no good leaving bad ptrs laying around-- I didn't need to do this, but it seemed a good thing to do...
........
Modified:
branches/1.6.0/ (props changed)
Propchange: branches/1.6.0/
------------------------------------------------------------------------------
Binary property 'trunk-blocked' - no diff available.
More information about the asterisk-commits
mailing list