[asterisk-commits] mjordan: trunk r368948 - in /trunk: ./ channels/chan_skinny.c

SVN commits to the Asterisk project asterisk-commits at lists.digium.com
Thu Jun 14 12:34:13 CDT 2012 

Author: mjordan
Date: Thu Jun 14 12:34:10 2012
New Revision: 368948

URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=368948
Log:
AST-2012-009: Fix crash in chan_skinny due to Key Pad Button Message handling

AST-2012-008 (r367844) fixed a denial of service attack exploitable in the
Skinny channel driver that occurred when certain messages are sent after a
previously registered station sends an Off Hook message.  Unresolved in that
patch is an issue in the Asterisk 10 releases, wherein, if a Station Key
Pad Button Message is processed after an Off Hook message, the channel driver
will inappropriately dereference a NULL pointer.

This patch fixes those places where the message handling or the channel
callback functions would attempt to dereference the line's pointer to the
device.

(issue ASTERISK-19905)
Reported by: Christoph Hebeisen
Tested by: mjordan, Christoph Hebeisen
Patches:
  AST-2012-009-10.diff uploaded by mjordan (license 6283)
........

Merged revisions 368947 from http://svn.asterisk.org/svn/asterisk/branches/10

Modified:
    trunk/   (props changed)
    trunk/channels/chan_skinny.c

Propchange: trunk/
------------------------------------------------------------------------------
Binary property 'branch-10-merged' - no diff available.

Modified: trunk/channels/chan_skinny.c
URL: http://svnview.digium.com/svn/asterisk/trunk/channels/chan_skinny.c?view=diff&rev=368948&r1=368947&r2=368948
==============================================================================
--- trunk/channels/chan_skinny.c (original)
+++ trunk/channels/chan_skinny.c Thu Jun 14 12:34:10 2012
@@ -5011,6 +5011,11 @@
 	pthread_t t;
 	int actualstate = state;
 
+	if (!l->device) {
+		ast_log(LOG_WARNING, "Device for line %s is not registered.\n", l->name);
+		return;
+	}
+
 	if (sub->substate == SUBSTATE_ONHOOK) {
 		return;
 	}
@@ -5403,15 +5408,20 @@
 	struct skinny_subchannel *activate_sub = NULL;
 	struct skinny_subchannel *tsub;
 
+	if (!l->device) {
+		ast_log(LOG_WARNING, "Device for line %s is not registered.\n", l->name);
+		return;
+	}
+
 	if (skinnydebug) {
 		ast_verb(3, "Sub %d - Dumping\n", sub->callid);
 	}
-	
+
 	if (!forcehangup && sub->substate == SUBSTATE_HOLD) {
 		l->activesub = NULL;
 		return;
 	}
-	
+
 	if (sub == l->activesub) {
 		d->hookstate = SKINNY_ONHOOK;
 		transmit_speaker_mode(d, SKINNY_SPEAKEROFF);

More information about the asterisk-commits mailing list