Addresses AST-2011-010, remote crash in IAX2 driver

Thanks to twilson for identifying the issue and providing the patches. AST-2011-010 git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.4@324627 65c4cc65-6c06-0410-ace0-fbb531ad65f3
14 years ago · 9bc8ac021e
parent dcddfdc148
commit 9bc8ac021e
2 changed files with 25 additions and 4 deletions
--- a/channels/chan_iax2.c
+++ b/channels/chan_iax2.c
@ -4652,7 +4652,14 @@ static int iax2_setoption(struct ast_channel *c, int option, void *data, int dat
 		/* these two cannot be sent, because they require a result */
 		errno = ENOSYS;
 		return -1;
-	default:
+ 	/* These options are sent to the other side across the network where
+ 	 * they will be passed to whatever channel is bridged there. Don't
+ 	 * do anything silly like pass an option that transmits pointers to
+ 	 * memory on this machine to a remote machine to use */
+ 	case AST_OPTION_TONE_VERIFY:
+ 	case AST_OPTION_TDD:
+ 	case AST_OPTION_RELAXDTMF:
+ 	case AST_OPTION_AUDIO_MODE:
 	{
 		unsigned short callno = PTR_TO_CALLNO(c->tech_pvt);
 		struct chan_iax2_pvt *pvt;
@ -4680,7 +4687,12 @@ static int iax2_setoption(struct ast_channel *c, int option, void *data, int dat
 		free(h);
 		return res;
 	}
+	default:
+		return -1;
 	}
+
+	/* Just in case someone does a break instead of a return */
+	return -1;
 }

 static struct ast_frame *iax2_read(struct ast_channel *c) 
--- a/res/res_features.c
+++ b/res/res_features.c
@ -2381,11 +2381,20 @@ int ast_bridge_call(struct ast_channel *chan,struct ast_channel *peer,struct ast
 				break;
 			case AST_CONTROL_OPTION:
 				aoh = f->data;
-				/* Forward option Requests */
+ 				/* Forward option Requests, but only ones we know are safe
+ 				 * These are ONLY sent by chan_iax2 and I'm not convinced that
+ 				 * they are useful. I haven't deleted them entirely because I
+ 				 * just am not sure of the ramifications of removing them. */
 				if (aoh && aoh->flag == AST_OPTION_FLAG_REQUEST) {
+ 				   	switch (ntohs(aoh->option)) {
+ 					case AST_OPTION_TONE_VERIFY:
+ 					case AST_OPTION_TDD:
+ 					case AST_OPTION_RELAXDTMF:
+ 					case AST_OPTION_AUDIO_MODE:
 						ast_channel_setoption(other, ntohs(aoh->option), aoh->data, 
 							f->datalen - sizeof(struct ast_option_header), 0);
 					}
+				}
 				break;
 			}
 		} else if (f->frametype == AST_FRAME_DTMF_BEGIN) {