[asterisk-commits] mjordan: branch 10 r368947 - /branches/10/channels/chan_skinny.c

SVN commits to the Asterisk project asterisk-commits at lists.digium.com
Thu Jun 14 12:31:37 CDT 2012 

Author: mjordan
Date: Thu Jun 14 12:31:33 2012
New Revision: 368947

URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=368947
Log:
AST-2012-009: Fix crash in chan_skinny due to Key Pad Button Message handling

AST-2012-008 (r367844) fixed a denial of service attack exploitable in the
Skinny channel driver that occurred when certain messages are sent after a
previously registered station sends an Off Hook message.  Unresolved in that
patch is an issue in the Asterisk 10 releases, wherein, if a Station Key
Pad Button Message is processed after an Off Hook message, the channel driver
will inappropriately dereference a NULL pointer.

This patch fixes those places where the message handling or the channel
callback functions would attempt to dereference the line's pointer to the
device.

(issue ASTERISK-19905)
Reported by: Christoph Hebeisen
Tested by: mjordan, Christoph Hebeisen
Patches:
  AST-2012-009-10.diff uploaded by mjordan (license 6283)



Modified:
    branches/10/channels/chan_skinny.c

Modified: branches/10/channels/chan_skinny.c
URL: http://svnview.digium.com/svn/asterisk/branches/10/channels/chan_skinny.c?view=diff&rev=368947&r1=368946&r2=368947
==============================================================================
--- branches/10/channels/chan_skinny.c (original)
+++ branches/10/channels/chan_skinny.c Thu Jun 14 12:31:33 2012
@@ -4976,6 +4976,11 @@
 	pthread_t t;
 	int actualstate = state;
 
+	if (!l->device) {
+		ast_log(LOG_WARNING, "Device for line %s is not registered.\n", l->name);
+		return;
+	}
+
 	if (sub->substate == SUBSTATE_ONHOOK) {
 		return;
 	}
@@ -5365,15 +5370,20 @@
 	struct skinny_subchannel *activatesub = NULL;
 	struct skinny_subchannel *tsub;
 
+	if (!l->device) {
+		ast_log(LOG_WARNING, "Device for line %s is not registered.\n", l->name);
+		return;
+	}
+
 	if (skinnydebug) {
 		ast_verb(3, "Sub %d - Dumping\n", sub->callid);
 	}
-	
+
 	if (!forcehangup && sub->substate == SUBSTATE_HOLD) {
 		l->activesub = NULL;
 		return;
 	}
-	
+
 	if (sub == l->activesub) {
 		d->hookstate = SKINNY_ONHOOK;
 		transmit_speaker_mode(d, SKINNY_SPEAKEROFF);

More information about the asterisk-commits mailing list