Asterisk
/
asterisk
mirror of https://github.com/asterisk/asterisk
1
0
Fork 0
Code Issues Releases Wiki Activity

AST-2012-008: Fix remote crash vulnerability in chan_skinny

Browse Source 
When a skinny session is unregistered, the corresponding device pointer is set
to NULL in the channel private data.  If the client was not in the on-hook state
at the time the connection was closed, the device pointer can later be
dereferenced if a message or channel event attempts to use a line's pointer to
said device.

The patches prevent this from occurring by checking the line's pointer in
message handlers and channel callbacks that can fire after an unregistration
attempt.

(closes issue ASTERISK-19905)
Reported by: Christoph Hebeisen
Tested by: mjordan, Damien Wedhorn
Patches:
  AST-2012-008-1.8.diff uploaded by mjordan (license 6283)
  AST-2012-008-10.diff uploaded by mjordan (license 6283)



git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@367843 65c4cc65-6c06-0410-ace0-fbb531ad65f3
certified/1.8.15
Matthew Jordan 13 years ago
parent be10342c3f
commit fd9f2351cd
1 changed files with 44 additions and 4 deletions
Show Stats Download Patch File Download Diff File

48
channels/chan_skinny.c
Unescape View File

@ -2677,6 +2677,10 @@ static void update_connectedline(struct skinny_subchannel *sub, const void *data
struct skinny_line *l = sub->parent; struct skinny_line *l = sub->parent;
struct skinny_device *d = l->device; struct skinny_device *d = l->device;
if (!d) {
return;
}
if (!c->caller.id.number.valid if (!c->caller.id.number.valid
|| ast_strlen_zero(c->caller.id.number.str) || ast_strlen_zero(c->caller.id.number.str)
|| !c->connected.id.number.valid || !c->connected.id.number.valid
@ -3810,6 +3814,11 @@ static void *skinny_ss(void *data)
int res = 0; int res = 0;
int loop_pause = 100; int loop_pause = 100;
if (!d) {
ast_log(LOG_WARNING, "Device for line %s is not registered.\n", l->name);
return NULL;
}
ast_verb(3, "Starting simple switch on '%s@%s'\n", l->name, d->name); ast_verb(3, "Starting simple switch on '%s@%s'\n", l->name, d->name);
len = strlen(d->exten); len = strlen(d->exten);
@ -3913,7 +3922,7 @@ static int skinny_call(struct ast_channel *ast, char *dest, int timeout)
struct skinny_line *l = sub->parent; struct skinny_line *l = sub->parent;
struct skinny_device *d = l->device; struct skinny_device *d = l->device;
if (!d->registered) { if (!d || !d->registered) {
ast_log(LOG_ERROR, "Device not registered, cannot call %s\n", dest); ast_log(LOG_ERROR, "Device not registered, cannot call %s\n", dest);
return -1; return -1;
} }
@ -3977,6 +3986,11 @@ static int skinny_hangup(struct ast_channel *ast)
l = sub->parent; l = sub->parent;
d = l->device; d = l->device;
if (!d) {
ast_log(LOG_WARNING, "Device for line %s is not registered.\n", l->name);
return 0;
}
if (skinnydebug) if (skinnydebug)
ast_verb(3,"Hanging up %s/%d\n",d->name,sub->callid); ast_verb(3,"Hanging up %s/%d\n",d->name,sub->callid);
@ -4374,7 +4388,13 @@ static int skinny_indicate(struct ast_channel *ast, int ind, const void *data, s
struct skinny_subchannel *sub = ast->tech_pvt; struct skinny_subchannel *sub = ast->tech_pvt;
struct skinny_line *l = sub->parent; struct skinny_line *l = sub->parent;
struct skinny_device *d = l->device; struct skinny_device *d = l->device;
struct skinnysession *s = d->session; struct skinnysession *s;
if (!d) {
ast_log(LOG_WARNING, "Device for line %s is not registered.\n", l->name);
return -1;
}
s = d->session;
if (!s) { if (!s) {
ast_log(LOG_NOTICE, "Asked to indicate '%s' condition on channel %s, but session does not exist.\n", control2str(ind), ast->name); ast_log(LOG_NOTICE, "Asked to indicate '%s' condition on channel %s, but session does not exist.\n", control2str(ind), ast->name);
@ -4608,8 +4628,13 @@ static int skinny_hold(struct skinny_subchannel *sub)
struct skinny_device *d = l->device; struct skinny_device *d = l->device;
/* Don't try to hold a channel that doesn't exist */ /* Don't try to hold a channel that doesn't exist */
if (!sub || !sub->owner) if (!sub || !sub->owner) {
return 0; return 0;
}
if (!d) {
ast_log(LOG_WARNING, "Device for line %s is not registered.\n", l->name);
return 0;
}
/* Channel needs to be put on hold */ /* Channel needs to be put on hold */
if (skinnydebug) if (skinnydebug)
@ -4635,8 +4660,13 @@ static int skinny_unhold(struct skinny_subchannel *sub)
struct skinny_device *d = l->device; struct skinny_device *d = l->device;
/* Don't try to unhold a channel that doesn't exist */ /* Don't try to unhold a channel that doesn't exist */
if (!sub || !sub->owner) if (!sub || !sub->owner) {
return 0; return 0;
}
if (!d) {
ast_log(LOG_WARNING, "Device for line %s is not registered.\n", l->name);
return 0;
}
/* Channel is on hold, so we will unhold */ /* Channel is on hold, so we will unhold */
if (skinnydebug) if (skinnydebug)
@ -4690,6 +4720,11 @@ static int handle_transfer_button(struct skinny_subchannel *sub)
l = sub->parent; l = sub->parent;
d = l->device; d = l->device;
if (!d) {
ast_log(LOG_WARNING, "Device for line %s is not registered.\n", l->name);
return -1;
}
if (!sub->related) { if (!sub->related) {
/* Another sub has not been created so this must be first XFER press */ /* Another sub has not been created so this must be first XFER press */
if (!sub->onhold) { if (!sub->onhold) {
@ -4821,6 +4856,11 @@ static int handle_callforward_button(struct skinny_subchannel *sub, int cfwdtype
struct ast_channel *c = sub->owner; struct ast_channel *c = sub->owner;
pthread_t t; pthread_t t;
if (!d) {
ast_log(LOG_WARNING, "Device for line %s is not registered.\n", l->name);
return 0;
}
if (l->hookstate == SKINNY_ONHOOK) { if (l->hookstate == SKINNY_ONHOOK) {
l->hookstate = SKINNY_OFFHOOK; l->hookstate = SKINNY_OFFHOOK;
transmit_speaker_mode(d, SKINNY_SPEAKERON); transmit_speaker_mode(d, SKINNY_SPEAKERON);

Write Preview
Loading…
Cancel
Save