AST-2012-007: Fix IAX receiving HOLD without suggested MOH class crash.

* Made schedule_delivery() set the received frame f->data.ptr to NULL if the datalen is zero. * Fix queue_signalling() memcpy() size error. * Made queue_signalling() not use C++ keyword variable names. (closes issue ASTERISK-19597) Reported by: mgrobecker Patches: jira_asterisk_19597_v1.8.patch (license #5621) patch uploaded by rmudgett Tested by: rmudgett, Michael L. Young ........ Merged revisions 367781 from http://svn.asterisk.org/svn/asterisk/branches/1.8 git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/10@367782 65c4cc65-6c06-0410-ace0-fbb531ad65f3
13 years ago · cb4a01489f
parent 47dcfeeafc
commit cb4a01489f
1 changed files with 19 additions and 9 deletions
--- a/channels/chan_iax2.c
+++ b/channels/chan_iax2.c
@ -1922,24 +1922,25 @@ static void send_signaling(struct chan_iax2_pvt *pvt)
 *  we have received a destination call number. */
 static int queue_signalling(struct chan_iax2_pvt *pvt, struct ast_frame *f)
 {
-	struct signaling_queue_entry *new;
+	struct signaling_queue_entry *qe;

 	if (f->frametype == AST_FRAME_IAX || !pvt->hold_signaling) {
 		return 1; /* do not queue this frame */
-	} else if (!(new = ast_calloc(1, sizeof(struct signaling_queue_entry)))) {
+	} else if (!(qe = ast_calloc(1, sizeof(struct signaling_queue_entry)))) {
 		return -1;  /* out of memory */
 	}

-	memcpy(&new->f, f, sizeof(new->f)); /* copy ast_frame into our queue entry */
-
-	if (new->f.datalen) { /* if there is data in this frame copy it over as well */
-		if (!(new->f.data.ptr = ast_calloc(1, new->f.datalen))) {
-			free_signaling_queue_entry(new);
+	/* copy ast_frame into our queue entry */
+	qe->f = *f;
+	if (qe->f.datalen) {
+		/* if there is data in this frame copy it over as well */
+		if (!(qe->f.data.ptr = ast_malloc(qe->f.datalen))) {
+			free_signaling_queue_entry(qe);
 			return -1;
 		}
-		memcpy(new->f.data.ptr, f->data.ptr, sizeof(*new->f.data.ptr));
+		memcpy(qe->f.data.ptr, f->data.ptr, qe->f.datalen);
 	}
-	AST_LIST_INSERT_TAIL(&pvt->signaling_queue, new, next);
+	AST_LIST_INSERT_TAIL(&pvt->signaling_queue, qe, next);

 	return 0;
 }
@ -4244,6 +4245,15 @@ static int schedule_delivery(struct iax_frame *fr, int updatehistory, int fromtr
 	struct ast_channel *owner = NULL;
 	struct ast_channel *bridge = NULL;

+	/*
+	 * Clear fr->af.data if there is no data in the buffer.  Things
+	 * like AST_CONTROL_HOLD without a suggested music class must
+	 * have a NULL pointer.
+	 */
+	if (!fr->af.datalen) {
+		memset(&fr->af.data, 0, sizeof(fr->af.data));
+	}
+
 	/* Attempt to recover wrapped timestamps */
 	unwrap_timestamp(fr);