[svn-commits] dvossel: branch 1.4 r324627 - in /branches/1.4: channels/ res/
SVN commits to the Digium repositories
svn-commits at lists.digium.com
Thu Jun 23 13:16:55 CDT 2011
Author: dvossel
Date: Thu Jun 23 13:16:52 2011
New Revision: 324627
URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=324627
Log:
Addresses AST-2011-010, remote crash in IAX2 driver
Thanks to twilson for identifying the issue and providing the patches.
AST-2011-010
Modified:
branches/1.4/channels/chan_iax2.c
branches/1.4/res/res_features.c
Modified: branches/1.4/channels/chan_iax2.c
URL: http://svnview.digium.com/svn/asterisk/branches/1.4/channels/chan_iax2.c?view=diff&rev=324627&r1=324626&r2=324627
==============================================================================
--- branches/1.4/channels/chan_iax2.c (original)
+++ branches/1.4/channels/chan_iax2.c Thu Jun 23 13:16:52 2011
@@ -4652,7 +4652,14 @@
/* these two cannot be sent, because they require a result */
errno = ENOSYS;
return -1;
- default:
+ /* These options are sent to the other side across the network where
+ * they will be passed to whatever channel is bridged there. Don't
+ * do anything silly like pass an option that transmits pointers to
+ * memory on this machine to a remote machine to use */
+ case AST_OPTION_TONE_VERIFY:
+ case AST_OPTION_TDD:
+ case AST_OPTION_RELAXDTMF:
+ case AST_OPTION_AUDIO_MODE:
{
unsigned short callno = PTR_TO_CALLNO(c->tech_pvt);
struct chan_iax2_pvt *pvt;
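Review bot: The four-option allowlist on these case labels is repeated verbatim in the AST_CONTROL_OPTION handler in res/res_features.c, and nothing ties the two lists together, so a later edit to one side can silently disagree with the other. A comment on the labels such as `/* Keep in sync with the AST_CONTROL_OPTION allowlist in res_features.c */`, with a mirror comment there, would make the dependency visible; a shared helper would be stronger. The existing comment explains why pointer-carrying options must not be sent, but it could also say that any option added later needs its payload layout reviewed first. The case body continues outside the hunk.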
@@ -4680,7 +4687,12 @@
free(h);
return res;
}
- }
+ default:
+ return -1;
+ }
+
+ /* Just in case someone does a break instead of a return */
+ return -1;
}
static struct ast_frame *iax2_read(struct ast_channel *c)
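Review bot: The new `default:` returns -1 without setting errno, whereas the rejected options just above the allowlist set `errno = ENOSYS` before returning, so a caller that inspects errno (if any does) would see a stale value for a refused option. Suggest `default: errno = ENOSYS; return -1;` and the same assignment before the trailing fallback `return -1;`. The start of the switch and of the function is outside the hunk.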
Modified: branches/1.4/res/res_features.c
URL: http://svnview.digium.com/svn/asterisk/branches/1.4/res/res_features.c?view=diff&rev=324627&r1=324626&r2=324627
==============================================================================
--- branches/1.4/res/res_features.c (original)
+++ branches/1.4/res/res_features.c Thu Jun 23 13:16:52 2011
@@ -2381,10 +2381,19 @@
break;
case AST_CONTROL_OPTION:
aoh = f->data;
- /* Forward option Requests */
+ /* Forward option Requests, but only ones we know are safe
+ * These are ONLY sent by chan_iax2 and I'm not convinced that
+ * they are useful. I haven't deleted them entirely because I
+ * just am not sure of the ramifications of removing them. */
if (aoh && aoh->flag == AST_OPTION_FLAG_REQUEST) {
- ast_channel_setoption(other, ntohs(aoh->option), aoh->data,
- f->datalen - sizeof(struct ast_option_header), 0);
+ switch (ntohs(aoh->option)) {
+ case AST_OPTION_TONE_VERIFY:
+ case AST_OPTION_TDD:
+ case AST_OPTION_RELAXDTMF:
+ case AST_OPTION_AUDIO_MODE:
+ ast_channel_setoption(other, ntohs(aoh->option), aoh->data,
+ f->datalen - sizeof(struct ast_option_header), 0);
+ }
}
break;
}
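Review bot: `aoh->flag` and `aoh->option` are read, and `f->datalen - sizeof(struct ast_option_header)` is computed, without first checking that the frame payload is at least as long as the header. For a short AST_CONTROL_OPTION frame the reads go past the payload, and the subtraction wraps because `sizeof` is unsigned, so the length handed to ast_channel_setoption is not meaningful. Unless datalen is validated before this hunk, the guard should be `if (aoh && f->datalen >= (int) sizeof(struct ast_option_header) && aoh->flag == AST_OPTION_FLAG_REQUEST) {`. The new switch also has no `default:`; an explicit `default: break;` with a comment that all other options are dropped on purpose would document the intent. The enclosing function starts and ends outside the hunk.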