[svn-commits] mjordan: branch certified-1.8.11 r367846 - in /certified/branches/1.8.11: ./ ...
    SVN commits to the Digium repositories 
    svn-commits at lists.digium.com
       
    Tue May 29 13:46:26 CDT 2012
    
    
  
Author: mjordan
Date: Tue May 29 13:46:22 2012
New Revision: 367846
URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=367846
Log:
AST-2012-008: Fix remote crash vulnerability in chan_skinny
When a skinny session is unregistered, the corresponding device pointer is set
to NULL in the channel private data.  If the client was not in the on-hook state
at the time the connection was closed, the device pointer can later be
dereferenced if a message or channel event attempts to use a line's pointer to
said device.
The patches prevent this from occurring by checking the line's pointer in
message handlers and channel callbacks that can fire after an unregistration
attempt.
(closes issue ASTERISK-19905)
Reported by: Christoph Hebeisen
Tested by: mjordan, Damien Wedhorn
Patches:
  AST-2012-008-1.8.diff uploaded by mjordan (license 6283)
  AST-2012-008-10.diff uploaded by mjordan (licesen 6283)
Modified:
    certified/branches/1.8.11/   (props changed)
    certified/branches/1.8.11/channels/chan_skinny.c
Propchange: certified/branches/1.8.11/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Tue May 29 13:46:22 2012
@@ -1,1 +1,1 @@
-/branches/1.8:357665,358162,359656,359706,359979,360086,360884
+/branches/1.8:357665,358162,359656,359706,359979,360086,360884,367843
Modified: certified/branches/1.8.11/channels/chan_skinny.c
URL: http://svnview.digium.com/svn/asterisk/certified/branches/1.8.11/channels/chan_skinny.c?view=diff&rev=367846&r1=367845&r2=367846
==============================================================================
--- certified/branches/1.8.11/channels/chan_skinny.c (original)
+++ certified/branches/1.8.11/channels/chan_skinny.c Tue May 29 13:46:22 2012
@@ -2684,6 +2684,10 @@
 	struct skinny_line *l = sub->parent;
 	struct skinny_device *d = l->device;
 
+	if (!d) {
+		return;
+	}
+
 	if (!c->caller.id.number.valid
 		|| ast_strlen_zero(c->caller.id.number.str)
 		|| !c->connected.id.number.valid
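Review bot: The new `if (!d) { return; }` guard returns silently, while every other guard added in this commit logs `Device for line %s is not registered.`, so someone reading this function alone cannot tell why `l->device` may be NULL here. I would add a comment above the check, `/* l->device is cleared when the session unregisters; this callback can still fire afterwards */`, and the same one-line comment fits the guards in the later hunks. If the silence is deliberate because this path runs often, the comment should say so. The enclosing function starts and ends outside the hunk.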
@@ -3817,6 +3821,11 @@
 	int res = 0;
 	int loop_pause = 100;
 
+	if (!d) {
+		ast_log(LOG_WARNING, "Device for line %s is not registered.\n", l->name);
+		return NULL;
+	}
+
 	ast_verb(3, "Starting simple switch on '%s@%s'\n", l->name, d->name);
 
 	len = strlen(d->exten);
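Review bot: The early `return NULL;` after the new `!d` check leaves the routine without doing anything about the channel it was started for. The declarations and the normal exits are outside the hunk, but the "Starting simple switch" message suggests this is a thread body that works on one channel for its lifetime. If the other exit paths hang up or otherwise release that channel, the new path should do the same before returning; otherwise every exit taken because the device is gone leaves a channel behind. Please confirm against the function's existing exits.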
@@ -3920,7 +3929,7 @@
 	struct skinny_line *l = sub->parent;
 	struct skinny_device *d = l->device;
 
-	if (!d->registered) {
+	if (!d || !d->registered) {
 		ast_log(LOG_ERROR, "Device not registered, cannot call %s\n", dest);
 		return -1;
 	}
@@ -3983,6 +3992,11 @@
 
 	l = sub->parent;
 	d = l->device;
+
+	if (!d) {
+		ast_log(LOG_WARNING, "Device for line %s is not registered.\n", l->name);
+		return 0;
+	}
 
 	if (skinnydebug)
 		ast_verb(3,"Hanging up %s/%d\n",d->name,sub->callid);
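Review bot: Returning 0 as soon as `d` is NULL skips the rest of the hangup routine, which continues outside the hunk. If that remainder detaches `sub` from the channel and releases per-subchannel state, this path would leak it and leave the channel's private pointer set, in exactly the disconnect case the advisory describes. A narrower guard would skip only the steps that need `d` (the device messages and the debug line using `d->name`) and still fall through to the subchannel teardown. Worth checking what follows before treating an unregistered device as "nothing to do".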
@@ -4381,7 +4395,13 @@
 	struct skinny_subchannel *sub = ast->tech_pvt;
 	struct skinny_line *l = sub->parent;
 	struct skinny_device *d = l->device;
-	struct skinnysession *s = d->session;
+	struct skinnysession *s;
+
+	if (!d) {
+		ast_log(LOG_WARNING, "Device for line %s is not registered.\n", l->name);
+		return -1;
+	}
+	s = d->session;
 
 	if (!s) {
 		ast_log(LOG_NOTICE, "Asked to indicate '%s' condition on channel %s, but session does not exist.\n", control2str(ind), ast->name);
@@ -4615,8 +4635,13 @@
 	struct skinny_device *d = l->device;
 
 	/* Don't try to hold a channel that doesn't exist */
-	if (!sub || !sub->owner)
+	if (!sub || !sub->owner) {
 		return 0;
+	}
+	if (!d) {
+		ast_log(LOG_WARNING, "Device for line %s is not registered.\n", l->name);
+		return 0;
+	}
 
 	/* Channel needs to be put on hold */
 	if (skinnydebug)
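Review bot: The `!sub` test still runs after `d` has been initialised from `l->device` in the declarations, and `l` is presumably `sub->parent` (declared above the hunk), so a NULL `sub` would already have been dereferenced before this check can reject it. Since these lines are being touched anyway, I would declare `struct skinny_line *l; struct skinny_device *d;` without initialisers, test `sub` first, and only then assign `l = sub->parent; d = l->device;` ahead of the new `!d` check. The unhold hunk at -4642 has the same ordering and would take the same change.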
@@ -4642,8 +4667,13 @@
 	struct skinny_device *d = l->device;
 
 	/* Don't try to unhold a channel that doesn't exist */
-	if (!sub || !sub->owner)
+	if (!sub || !sub->owner) {
 		return 0;
+	}
+	if (!d) {
+		ast_log(LOG_WARNING, "Device for line %s is not registered.\n", l->name);
+		return 0;
+	}
 
 	/* Channel is on hold, so we will unhold */
 	if (skinnydebug)
@@ -4696,6 +4726,11 @@
 
 	l = sub->parent;
 	d = l->device;
+
+	if (!d) {
+		ast_log(LOG_WARNING, "Device for line %s is not registered.\n", l->name);
+		return -1;
+	}
 
 	if (!sub->related) {
 		/* Another sub has not been created so this must be first XFER press */
@@ -4827,6 +4862,11 @@
 	struct skinny_device *d = l->device;
 	struct ast_channel *c = sub->owner;
 	pthread_t t;
+
+	if (!d) {
+		ast_log(LOG_WARNING, "Device for line %s is not registered.\n", l->name);
+		return 0;
+	}
 
 	if (l->hookstate == SKINNY_ONHOOK) {
 		l->hookstate = SKINNY_OFFHOOK;
    
    