[Asterisk-code-review] res_pjsip_session.c: Prevent use-after-free with TEST_FRAMEWORK enabled (asterisk[13])

Friendly Automation asteriskteam at digium.com
Wed Dec 4 17:18:26 CST 2019 

Friendly Automation has submitted this change. ( https://gerrit.asterisk.org/c/asterisk/+/13344 )

Change subject: res_pjsip_session.c: Prevent use-after-free with TEST_FRAMEWORK enabled
......................................................................

res_pjsip_session.c: Prevent use-after-free with TEST_FRAMEWORK enabled

We need to copy the endpoint name before we call ao2_cleanup() on it,
otherwise we might try to access memory that has been reclaimed.

ASTERISK-28445 #close
Reported by: Bernhard Schmidt

Change-Id: I404b952608aa606e0babd3c4108346721fb726b3
---
M res/res_pjsip_session.c
1 file changed, 3 insertions(+), 1 deletion(-)

Approvals:
  Joshua Colp: Looks good to me, but someone else must approve
  Benjamin Keith Ford: Looks good to me, but someone else must approve
  Kevin Harwell: Looks good to me, approved
  Friendly Automation: Approved for Submit



diff --git a/res/res_pjsip_session.c b/res/res_pjsip_session.c
index 12cf41d..bbdb8d1 100644
--- a/res/res_pjsip_session.c
+++ b/res/res_pjsip_session.c
@@ -1315,8 +1315,10 @@
 	struct ast_sip_session *session = obj;
 	struct ast_sip_session_supplement *supplement;
 	struct ast_sip_session_delayed_request *delay;
+
+	/* We dup the endpoint ID in case the endpoint gets freed out from under us */
 	const char *endpoint_name = session->endpoint ?
-		ast_sorcery_object_get_id(session->endpoint) : "<none>";
+		ast_strdupa(ast_sorcery_object_get_id(session->endpoint)) : "<none>";
 
 	ast_debug(3, "Destroying SIP session with endpoint %s\n", endpoint_name);
 

-- 
To view, visit https://gerrit.asterisk.org/c/asterisk/+/13344
To unsubscribe, or for help writing mail filters, visit https://gerrit.asterisk.org/settings

Gerrit-Project: asterisk
Gerrit-Branch: 13
Gerrit-Change-Id: I404b952608aa606e0babd3c4108346721fb726b3
Gerrit-Change-Number: 13344
Gerrit-PatchSet: 1
Gerrit-Owner: Sean Bright <sean.bright at gmail.com>
Gerrit-Reviewer: Benjamin Keith Ford <bford at digium.com>
Gerrit-Reviewer: Friendly Automation
Gerrit-Reviewer: Joshua Colp <jcolp at digium.com>
Gerrit-Reviewer: Kevin Harwell <kharwell at digium.com>
Gerrit-MessageType: merged
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-code-review/attachments/20191204/a80123ed/attachment.html>

More information about the asterisk-code-review mailing list