[asterisk-commits] file: branch 11 r429270 - in /branches/11: channels/ res/
SVN commits to the Asterisk project
asterisk-commits at lists.digium.com
Wed Dec 10 07:30:26 CST 2014
Author: file
Date: Wed Dec 10 07:30:22 2014
New Revision: 429270
URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=429270
Log:
res_http_websocket: Fix crash due to double freeing memory when receiving a payload length of zero.
Frames with a payload length of 0 were incorrectly handled in res_http_websocket.
Provided a frame with a payload had been received prior it was possible for a double
free to occur. The realloc operation would succeed (thus freeing the payload) but be
treated as an error. When the session was then torn down the payload would be
freed again causing a crash. The read function now takes this into account.
This change also fixes assumptions made by users of res_http_websocket. There is no
guarantee that a frame received from it will be NULL terminated.
ASTERISK-24472 #close
Reported by: Badalian Vyacheslav
Review: https://reviewboard.asterisk.org/r/4220/
Review: https://reviewboard.asterisk.org/r/4219/
Modified:
branches/11/channels/chan_sip.c
branches/11/res/res_http_websocket.c
Modified: branches/11/channels/chan_sip.c
URL: http://svnview.digium.com/svn/asterisk/branches/11/channels/chan_sip.c?view=diff&rev=429270&r1=429269&r2=429270
==============================================================================
--- branches/11/channels/chan_sip.c (original)
+++ branches/11/channels/chan_sip.c Wed Dec 10 07:30:22 2014
@@ -2596,12 +2596,16 @@
if (opcode == AST_WEBSOCKET_OPCODE_TEXT || opcode == AST_WEBSOCKET_OPCODE_BINARY) {
struct sip_request req = { 0, };
+ char data[payload_len + 1];
if (!(req.data = ast_str_create(payload_len + 1))) {
goto end;
}
- if (ast_str_set(&req.data, -1, "%s", payload) == AST_DYNSTR_BUILD_FAILED) {
+ strncpy(data, payload, payload_len);
+ data[payload_len] = '\0';
+
+ if (ast_str_set(&req.data, -1, "%s", data) == AST_DYNSTR_BUILD_FAILED) {
deinit_req(&req);
goto end;
}
Modified: branches/11/res/res_http_websocket.c
URL: http://svnview.digium.com/svn/asterisk/branches/11/res/res_http_websocket.c?view=diff&rev=429270&r1=429269&r2=429270
==============================================================================
--- branches/11/res/res_http_websocket.c (original)
+++ branches/11/res/res_http_websocket.c Wed Dec 10 07:30:22 2014
@@ -462,14 +462,6 @@
}
}
- if (!(new_payload = ast_realloc(session->payload, (session->payload_len + *payload_len)))) {
- ast_log(LOG_WARNING, "Failed allocation: %p, %zu, %"PRIu64"\n",
- session->payload, session->payload_len, *payload_len);
- *payload_len = 0;
- ast_websocket_close(session, 1009);
- return 0;
- }
-
/* Per the RFC for PING we need to send back an opcode with the application data as received */
if ((*opcode == AST_WEBSOCKET_OPCODE_PING) && (ast_websocket_write(session, AST_WEBSOCKET_OPCODE_PONG, *payload, *payload_len))) {
*payload_len = 0;
@@ -477,9 +469,22 @@
return 0;
}
- session->payload = new_payload;
- memcpy((session->payload + session->payload_len), (*payload), (*payload_len));
- session->payload_len += *payload_len;
+ if (*payload_len) {
+ if (!(new_payload = ast_realloc(session->payload, (session->payload_len + *payload_len)))) {
+ ast_log(LOG_WARNING, "Failed allocation: %p, %zu, %"PRIu64"\n",
+ session->payload, session->payload_len, *payload_len);
+ *payload_len = 0;
+ ast_websocket_close(session, 1009);
+ return 0;
+ }
+
+ session->payload = new_payload;
+ memcpy((session->payload + session->payload_len), (*payload), (*payload_len));
+ session->payload_len += *payload_len;
+ } else if (!session->payload_len && session->payload) {
+ ast_free(session->payload);
+ session->payload = NULL;
+ }
if (!fin && session->reconstruct && (session->payload_len < session->reconstruct)) {
/* If this is not a final message we need to defer returning it until later */
More information about the asterisk-commits
mailing list