[asterisk-commits] kpfleming: branch 1.8 r327950 - /branches/1.8/main/manager.c

[SVN commits to the Asterisk project]

Author: kpfleming
Date: Tue Jul 12 17:53:53 2011
New Revision: 327950

URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=327950
Log:
Correct double-free situation in manager output processing.

The process_output() function calls ast_str_append() and xml_translate() on its
'out' parameter, which is a pointer to an ast_str buffer. If either of these
functions need to reallocate the ast_str so it will have more space, they will
free the existing buffer and allocate a new one, returning the address of the
new one. However, because process_output only receives a pointer to the ast_str,
not a pointer to its caller's variable holding the pointer, if the original
ast_str is freed, the caller will not know, and will continue to use it (and
later attempt to free it).

(reported by jkroon on #asterisk-dev)


Modified:
    branches/1.8/main/manager.c

Modified: branches/1.8/main/manager.c
URL: http://svnview.digium.com/svn/asterisk/branches/1.8/main/manager.c?view=diff&rev=327950&r1=327949&r2=327950
==============================================================================
--- branches/1.8/main/manager.c (original)
+++ branches/1.8/main/manager.c Tue Jul 12 17:53:53 2011
@@ -5474,7 +5474,7 @@
 	}
 }
 
-static void process_output(struct mansession *s, struct ast_str *out, struct ast_variable *params, enum output_format format)
+static void process_output(struct mansession *s, struct ast_str **out, struct ast_variable *params, enum output_format format)
 {
 	char *buf;
 	size_t l;
@@ -5491,14 +5491,14 @@
 			ast_log(LOG_WARNING, "mmap failed.  Manager output was not processed\n");
 		} else {
 			if (format == FORMAT_XML || format == FORMAT_HTML) {
-				xml_translate(&out, buf, params, format);
+				xml_translate(out, buf, params, format);
 			} else {
-				ast_str_append(&out, 0, "%s", buf);
+				ast_str_append(out, 0, "%s", buf);
 			}
 			munmap(buf, l);
 		}
 	} else if (format == FORMAT_XML || format == FORMAT_HTML) {
-		xml_translate(&out, "", params, format);
+		xml_translate(out, "", params, format);
 	}
 
 	fclose(s->f);
@@ -5656,7 +5656,7 @@
 		ast_str_append(&out, 0, ROW_FMT, TEST_STRING);
 	}
 
-	process_output(&s, out, params, format);
+	process_output(&s, &out, params, format);
 
 	if (format == FORMAT_XML) {
 		ast_str_append(&out, 0, "</ajax-response>\n");
@@ -5968,7 +5968,7 @@
 		"<input type=\"submit\" value=\"Send request\" /></th></tr>\r\n");
 	}
 
-	process_output(&s, out, params, format);
+	process_output(&s, &out, params, format);
 
 	if (format == FORMAT_XML) {
 		ast_str_append(&out, 0, "</ajax-response>\n");