[asterisk-dev] tilghman: trunk r123648 - /trunk/apps/app_dial.c
Russell Bryant
russell at digium.com
Wed Jun 18 13:31:54 CDT 2008
Tilghman Lesher wrote:
>> Oh, I guess you're right. I knew the ast_change_name() API call existed
>> in Asterisk 1.4, but it's not used anywhere in the code.
>>
>> However, there is at least one place that I can think of where the name
>> of the channel changes that could potentially exploit this race
>> condition. That is in ast_do_masquerade, when <ZOMBIE> gets appended to
>> the channel name.
>
> I'm not sure why that would make a difference here. This changeset was all
> about channel variables, which is not where the channel name is stored.

Yeah ... I was thinking of a different race condition dealing with
accessing data on channels. Sorry.

Anyway, the channel variable situation is much more likely than the name
thing I was referring to. The contents of channel variables could
change at any point. An application that makes use of the Setvar
manager action could potentially exploit this. The result from
getvar_helper() could become invalid and reference free'd memory at
_any_ point when the channel is not locked.

--
Russell Bryant
Senior Software Engineer
Open Source Team Lead
Digium, Inc.
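
Added example, not part of the original message and not Asterisk code: a minimal C model of the lifetime problem described above, where a reader copies a variable's value while the lock is held instead of keeping a pointer that a later set can free. The names `struct chan`, `chan_setvar`, `chan_getvar_copy` and `demo` are hypothetical, and the sample values are constructed.

```c
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical channel stand-in (not struct ast_channel): one locked value. */
struct chan { pthread_mutex_t lock; char *value; };

/* Setvar-style writer: frees the old value, so earlier pointers dangle. */
static int chan_setvar(struct chan *c, const char *v)
{
    size_t n = strlen(v) + 1;
    char *copy = malloc(n);
    if (!copy) return -1;
    memcpy(copy, v, n);
    pthread_mutex_lock(&c->lock);
    free(c->value);
    c->value = copy;
    pthread_mutex_unlock(&c->lock);
    return 0;
}

/* Safe reader: copy out under the lock; -1 if unset or buf too small. */
static int chan_getvar_copy(struct chan *c, char *buf, size_t len)
{
    int rc = -1;
    pthread_mutex_lock(&c->lock);
    if (c->value && strlen(c->value) < len) {
        strcpy(buf, c->value);
        rc = 0;
    }
    pthread_mutex_unlock(&c->lock);
    return rc;
}

/* Constructed scenario: read, overwrite (old value freed), then use copy. */
static int demo(char *out, size_t len)
{
    struct chan c = { PTHREAD_MUTEX_INITIALIZER, NULL };
    int rc = chan_setvar(&c, "first") || chan_getvar_copy(&c, out, len);
    rc = rc || chan_setvar(&c, "second");   /* frees "first" */
    free(c.value);
    return rc ? -1 : 0;
}

int main(void)
{
    char buf[16];
    return demo(buf, sizeof buf);
}
```

The caller's buffer still holds the first value after the overwrite because it never referenced channel-owned memory once the lock was released.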