[asterisk-commits] file: branch 1.6.0 r113299 - /branches/1.6.0/

SVN commits to the Asterisk project asterisk-commits at lists.digium.com
Tue Apr 8 10:10:06 CDT 2008

Author: file
Date: Tue Apr  8 10:10:05 2008
New Revision: 113299

URL: http://svn.digium.com/view/asterisk?view=rev&rev=113299
Blocked revisions 112874 via svnmerge

r112874 | murf | 2008-04-04 22:33:13 -0300 (Fri, 04 Apr 2008) | 15 lines

Found a little problem with the sip request handling that could lead to a quick crash of asterisk, and a road to a DOS attack if left unfixed.

Attaching to a running asterisk with "telnet hostname 5060", I would input "something", then hit return three times, and asterisk crashes.

I traced it to handle_request_do(), which zeroes out the data (an ast_str ptr) if the string is too short. 
Instead of freeing the struct and nulling the pointer, it now just resets it, because this 
ast_str is expected by the calling routine to still be there after handle_request_do() returns.

This appears to fix the crash. I assume that it was introduced with ast_str's being adopted.  It's a subtle and easy-to-miss sort of problem.

I also found all the places where the req.data is freed, and made sure the ptr is Nulled out as well; 
no good leaving bad ptrs laying around-- I didn't need to do this, but it seemed a good thing to do...


    branches/1.6.0/   (props changed)

Propchange: branches/1.6.0/
Binary property 'trunk-blocked' - no diff available.

More information about the asterisk-commits mailing list