[asterisk-dev] [Code Review] 3055: pbx.c: put copy of ast_exten.data on stack to prevent memory corruption
Matt Jordan
reviewboard at asterisk.org
Tue Dec 10 17:23:45 CST 2013
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviewboard.asterisk.org/r/3055/#review10378
-----------------------------------------------------------
/branches/1.8/main/pbx.c
<https://reviewboard.asterisk.org/r/3055/#comment19775>
This method is now really a very, very, very thin wrapper around pbx_substitute_variables_helper. The method signatures are actually identical (although the parameters have been reordered, presumably to protect the innocent).
I'd remove the entire function and have pbx_extension_helper call pbx_substitute_variables_helper directly.
/branches/1.8/main/pbx.c
<https://reviewboard.asterisk.org/r/3055/#comment19774>
You should actually check for e->data (or e_data) being NULL prior to this point, as you probably don't want to duplicate a NULL pointer on the stack. See finding later on...
/branches/1.8/main/pbx.c
<https://reviewboard.asterisk.org/r/3055/#comment19776>
This can also be done earlier before duplicating e->data on the stack.
/branches/1.8/main/pbx.c
<https://reviewboard.asterisk.org/r/3055/#comment19773>
Previously, e->data would be checked for NULL before doing variable substitution. I think we still would want to do that here.
That is, if e->data is NULL, we don't duplicate it on the stack - instead, we simply bypass the actual setting of the variable. I'd structure it something like this:

    char *e_data = NULL;
    ...
    if (ast_strlen_zero(e->data)) {
        /* nothing to substitute */
        *passdata = '\0';
    } else {
        /* copy onto the stack while the contexts lock is still held */
        e_data = ast_strdupa(e->data);
    }
    ast_unlock_contexts();
    if (!ast_strlen_zero(e_data)) {
        pbx_substitute_variables(...);
    }

etc.
- Matt Jordan
On Dec. 10, 2013, 7:39 p.m., Scott Griepentrog wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviewboard.asterisk.org/r/3055/
> -----------------------------------------------------------
>
> (Updated Dec. 10, 2013, 7:39 p.m.)
>
>
> Review request for Asterisk Developers and Matt Jordan.
>
>
> Bugs: AST-1179 and AST-1246
> https://issues.asterisk.org/jira/browse/AST-1179
> https://issues.asterisk.org/jira/browse/AST-1246
>
>
> Repository: Asterisk
>
>
> Description
> -------
>
> During dialplan execution in pbx_extension_helper(), the contexts global read lock is used to prevent changes to the dialplan. This patch puts a copy of exten->data on the stack so that it can be referenced safely during variable substitution (expression evaluation) even if another thread is reloading dialplan and has deleted ast_exten.
>
>
> Diffs
> -----
>
> /branches/1.8/main/pbx.c 403615
>
> Diff: https://reviewboard.asterisk.org/r/3055/diff/
>
>
> Testing
> -------
>
> Testsuite test 'dialplan_stress' (https://reviewboard.asterisk.org/r/3056/) created to isolate this problem and test this fix.
>
>
> Thanks,
>
> Scott Griepentrog
>
>
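
The copy-under-lock pattern discussed in this review, as an added example that is not the patch under review or any Asterisk code. It is a single-threaded model: the struct, the reader counter standing in for the contexts lock, the function names and the fixed 256-byte buffer (in place of ast_strdupa) are all assumptions made for illustration.

```c
/* Added illustration: a simplified, single-threaded model; not Asterisk code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct exten { char *data; };     /* stand-in for ast_exten */
static struct exten *dialplan;    /* guarded by the contexts lock */
static int readers;               /* models the contexts read lock */

static void rdlock_contexts(void) { readers++; }
static void unlock_contexts(void) { readers--; }

/* Models a reload from another thread: it may free the old entry only
 * while no reader holds the lock. Returns 0 if it is blocked. */
static int reload_dialplan(const char *new_data)
{
    struct exten *e;
    if (readers > 0 || !(e = calloc(1, sizeof(*e))))
        return 0;
    if (new_data && (e->data = malloc(strlen(new_data) + 1)))
        strcpy(e->data, new_data);
    if (dialplan) {
        free(dialplan->data);
        free(dialplan);
    }
    dialplan = e;
    return 1;
}

/* Copy the data while locked, after the NULL/empty check; touch only the
 * copy once the lock is dropped. Returns 1 if there was data to pass on. */
static int run_exten(char *passdata, size_t len)
{
    char e_data[256] = "";
    int have_data = 0;

    rdlock_contexts();
    if (dialplan && dialplan->data && dialplan->data[0]) {
        snprintf(e_data, sizeof(e_data), "%s", dialplan->data);
        have_data = 1;
    }
    unlock_contexts();

    /* Race window: the entry read above is freed and replaced here. */
    reload_dialplan("NoOp(reloaded)");

    /* Stand-in for variable substitution: reads e_data, never the entry. */
    snprintf(passdata, len, "%s", e_data);
    return have_data;
}
```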