From e58c3f3441b8bafa4199f1ce481a07bd124a8f6d Mon Sep 17 00:00:00 2001 From: Automerge script Date: Thu, 14 Jun 2012 18:20:02 +0000 Subject: [PATCH] Merged revisions 368947 via svnmerge from file:///srv/subversion/repos/asterisk/branches/10 ........ r368947 | mjordan | 2012-06-14 12:31:33 -0500 (Thu, 14 Jun 2012) | 21 lines AST-2012-009: Fix crash in chan_skinny due to Key Pad Button Message handling AST-2012-008 (r367844) fixed a denial of service attack exploitable in the Skinny channel driver that occurred when certain messages are sent after a previously registered station sends an Off Hook message. Unresolved in that patch is an issue in the Asterisk 10 releases, wherein, if a Station Key Pad Button Message is processed after an Off Hook message, the channel driver will inappropriately dereference a NULL pointer. This patch fixes those places where the message handling or the channel callback functions would attempt to dereference the line's pointer to the device. (issue ASTERISK-19905) Reported by: Christoph Hebeisen Tested by: mjordan, Christoph Hebeisen Patches: AST-2012-009-10.diff uploaded by mjordan (license 6283) ........ git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/10-digiumphones@368960 65c4cc65-6c06-0410-ace0-fbb531ad65f3 --- channels/chan_skinny.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/channels/chan_skinny.c b/channels/chan_skinny.c index 6d5557cd0a..e3e3830e80 100644 --- a/channels/chan_skinny.c +++ b/channels/chan_skinny.c @@ -4982,6 +4982,11 @@ static void setsubstate(struct skinny_subchannel *sub, int state) pthread_t t; int actualstate = state; + if (!l->device) { + ast_log(LOG_WARNING, "Device for line %s is not registered.\n", l->name); + return; + } + if (sub->substate == SUBSTATE_ONHOOK) { return; } @@ -5374,15 +5379,20 @@ static void dumpsub(struct skinny_subchannel *sub, int forcehangup) struct skinny_subchannel *activatesub = NULL; struct skinny_subchannel *tsub; + if (!l->device) { + ast_log(LOG_WARNING, "Device for line %s is not registered.\n", l->name); + return; + } + if (skinnydebug) { ast_verb(3, "Sub %d - Dumping\n", sub->callid); } - + if (!forcehangup && sub->substate == SUBSTATE_HOLD) { l->activesub = NULL; return; } - + if (sub == l->activesub) { d->hookstate = SKINNY_ONHOOK; transmit_speaker_mode(d, SKINNY_SPEAKEROFF);