[asterisk-commits] mjordan: branch certified-11.6 r405578 - in /certified/branches/11.6: ./ main/
SVN commits to the Asterisk project
asterisk-commits at lists.digium.com
Wed Jan 15 09:27:38 CST 2014
Author: mjordan
Date: Wed Jan 15 09:27:36 2014
New Revision: 405578
URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=405578
Log:
pbx.c: put copy of ast_exten.data on stack to prevent memory corruption
During dialplan execution in pbx_extension_helper(), the contexts global
read lock prevents link list corruption, but was released with a pointer
to the ast_exten and data later used in variable substitution. Instead,
this patch removes pbx_substitute_variables() and locates a copy of the
ast_exten data on the stack before releasing the lock, where ast_exten
could get free'd by another thread performing a module reload.
(issue AST-1179)
Reported by: Thomas Arimont
(issue AST-1246)
Reported by: Alexander Hömig
Review: https://reviewboard.asterisk.org/r/3055/
........
Merged revisions 403862 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........
Merged revisions 403863 from http://svn.asterisk.org/svn/asterisk/branches/11
Modified:
certified/branches/11.6/ (props changed)
certified/branches/11.6/main/pbx.c
Propchange: certified/branches/11.6/
------------------------------------------------------------------------------
--- branch-11-merged (original)
+++ branch-11-merged Wed Jan 15 09:27:36 2014
@@ -1,1 +1,1 @@
-/branches/11:396884,399513,400075-400093,401446,401960,402450,403917,404344,405215,405380,405431
+/branches/11:396884,399513,400075-400093,401446,401960,402450,403863,403917,404344,405215,405380,405431
Modified: certified/branches/11.6/main/pbx.c
URL: http://svnview.digium.com/svn/asterisk/certified/branches/11.6/main/pbx.c?view=diff&rev=405578&r1=405577&r2=405578
==============================================================================
--- certified/branches/11.6/main/pbx.c (original)
+++ certified/branches/11.6/main/pbx.c Wed Jan 15 09:27:36 2014
@@ -4805,25 +4805,6 @@
pbx_substitute_variables_helper_full(NULL, headp, cp1, cp2, count, &used);
}
-static void pbx_substitute_variables(char *passdata, int datalen, struct ast_channel *c, struct ast_exten *e)
-{
- const char *tmp;
-
- /* Nothing more to do */
- if (!e->data) {
- *passdata = '\0';
- return;
- }
-
- /* No variables or expressions in e->data, so why scan it? */
- if ((!(tmp = strchr(e->data, '$'))) || (!strstr(tmp, "${") && !strstr(tmp, "$["))) {
- ast_copy_string(passdata, e->data, datalen);
- return;
- }
-
- pbx_substitute_variables_helper(c, e->data, passdata, datalen - 1);
-}
-
/*!
* \brief The return value depends on the action:
*
@@ -4848,6 +4829,7 @@
{
struct ast_exten *e;
struct ast_app *app;
+ char *substitute = NULL;
int res;
struct pbx_find_info q = { .stacklen = 0 }; /* the rest is reset in pbx_find_extension */
char passdata[EXT_DATA_SIZE];
@@ -4873,6 +4855,18 @@
if (!e->cached_app)
e->cached_app = pbx_findapp(e->app);
app = e->cached_app;
+ if (ast_strlen_zero(e->data)) {
+ *passdata = '\0';
+ } else {
+ const char *tmp;
+ if ((!(tmp = strchr(e->data, '$'))) || (!strstr(tmp, "${") && !strstr(tmp, "$["))) {
+ /* no variables to substitute, copy on through */
+ ast_copy_string(passdata, e->data, sizeof(passdata));
+ } else {
+ /* save e->data on stack for later processing after lock released */
+ substitute = ast_strdupa(e->data);
+ }
+ }
ast_unlock_contexts();
if (!app) {
ast_log(LOG_WARNING, "No application '%s' for extension (%s, %s, %d)\n", e->app, context, exten, priority);
@@ -4883,7 +4877,9 @@
if (ast_channel_exten(c) != exten)
ast_channel_exten_set(c, exten);
ast_channel_priority_set(c, priority);
- pbx_substitute_variables(passdata, sizeof(passdata), c, e);
+ if (substitute) {
+ pbx_substitute_variables_helper(c, substitute, passdata, sizeof(passdata)-1);
+ }
#ifdef CHANNEL_TRACE
ast_channel_trace_update(c);
#endif
More information about the asterisk-commits
mailing list