AST-2012-009: Fix crash in chan_skinny due to Key Pad Button Message handling

AST-2012-008 (r367844) fixed a denial of service attack exploitable in the
Skinny channel driver that occurred when certain messages are sent after a
previously registered station sends an Off Hook message.  Unresolved in that
patch is an issue in the Asterisk 10 releases, wherein, if a Station Key
Pad Button Message is processed after an Off Hook message, the channel driver
will inappropriately dereference a NULL pointer.

This patch fixes those places where the message handling or the channel
callback functions would attempt to dereference the line's pointer to the
device.

(issue ASTERISK-19905)
Reported by: Christoph Hebeisen
Tested by: mjordan, Christoph Hebeisen
Patches:
  AST-2012-009-10.diff uploaded by mjordan (license 6283)




git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/10@368947 65c4cc65-6c06-0410-ace0-fbb531ad65f3

channels/chan_skinny.c

@@ -4976,6 +4976,11 @@ static void setsubstate(struct skinny_subchannel *sub, int state)
 	pthread_t t;
 	int actualstate = state;
 
+	if (!l->device) {
+		ast_log(LOG_WARNING, "Device for line %s is not registered.\n", l->name);
+		return;
+	}
+
 	if (sub->substate == SUBSTATE_ONHOOK) {
 		return;
 	}
@@ -5365,15 +5370,20 @@ static void dumpsub(struct skinny_subchannel *sub, int forcehangup)
 	struct skinny_subchannel *activatesub = NULL;
 	struct skinny_subchannel *tsub;
 
+	if (!l->device) {
+		ast_log(LOG_WARNING, "Device for line %s is not registered.\n", l->name);
+		return;
+	}
+
 	if (skinnydebug) {
 		ast_verb(3, "Sub %d - Dumping\n", sub->callid);
 	}
-	
+
 	if (!forcehangup && sub->substate == SUBSTATE_HOLD) {
 		l->activesub = NULL;
 		return;
 	}
-	
+
 	if (sub == l->activesub) {
 		d->hookstate = SKINNY_ONHOOK;
 		transmit_speaker_mode(d, SKINNY_SPEAKEROFF);