[asterisk-commits] kpfleming: trunk r327953 - in /trunk: ./ main/manager.c

SVN commits to the Asterisk project asterisk-commits at lists.digium.com
Tue Jul 12 18:02:35 CDT 2011 

Author: kpfleming
Date: Tue Jul 12 18:02:31 2011
New Revision: 327953

URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=327953
Log:
Merged revisions 327950 via svnmerge from 
https://origsvn.digium.com/svn/asterisk/branches/1.8

........
  r327950 | kpfleming | 2011-07-12 17:53:53 -0500 (Tue, 12 Jul 2011) | 14 lines
  
  Correct double-free situation in manager output processing.
  
  The process_output() function calls ast_str_append() and xml_translate() on its
  'out' parameter, which is a pointer to an ast_str buffer. If either of these
  functions need to reallocate the ast_str so it will have more space, they will
  free the existing buffer and allocate a new one, returning the address of the
  new one. However, because process_output only receives a pointer to the ast_str,
  not a pointer to its caller's variable holding the pointer, if the original
  ast_str is freed, the caller will not know, and will continue to use it (and
  later attempt to free it).
  
  (reported by jkroon on #asterisk-dev)
........

Modified:
    trunk/   (props changed)
    trunk/main/manager.c

Propchange: trunk/
------------------------------------------------------------------------------
Binary property 'branch-1.8-merged' - no diff available.

Modified: trunk/main/manager.c
URL: http://svnview.digium.com/svn/asterisk/trunk/main/manager.c?view=diff&rev=327953&r1=327952&r2=327953
==============================================================================
--- trunk/main/manager.c (original)
+++ trunk/main/manager.c Tue Jul 12 18:02:31 2011
@@ -5621,7 +5621,7 @@
 	}
 }
 
-static void process_output(struct mansession *s, struct ast_str *out, struct ast_variable *params, enum output_format format)
+static void process_output(struct mansession *s, struct ast_str **out, struct ast_variable *params, enum output_format format)
 {
 	char *buf;
 	size_t l;
@@ -5638,14 +5638,14 @@
 			ast_log(LOG_WARNING, "mmap failed.  Manager output was not processed\n");
 		} else {
 			if (format == FORMAT_XML || format == FORMAT_HTML) {
-				xml_translate(&out, buf, params, format);
+				xml_translate(out, buf, params, format);
 			} else {
-				ast_str_append(&out, 0, "%s", buf);
+				ast_str_append(out, 0, "%s", buf);
 			}
 			munmap(buf, l);
 		}
 	} else if (format == FORMAT_XML || format == FORMAT_HTML) {
-		xml_translate(&out, "", params, format);
+		xml_translate(out, "", params, format);
 	}
 
 	fclose(s->f);
@@ -5803,7 +5803,7 @@
 		ast_str_append(&out, 0, ROW_FMT, TEST_STRING);
 	}
 
-	process_output(&s, out, params, format);
+	process_output(&s, &out, params, format);
 
 	if (format == FORMAT_XML) {
 		ast_str_append(&out, 0, "</ajax-response>\n");
@@ -6115,7 +6115,7 @@
 		"<input type=\"submit\" value=\"Send request\" /></th></tr>\r\n");
 	}
 
-	process_output(&s, out, params, format);
+	process_output(&s, &out, params, format);
 
 	if (format == FORMAT_XML) {
 		ast_str_append(&out, 0, "</ajax-response>\n");

More information about the asterisk-commits mailing list