From 2478bfcff99dfc044ed2d045da6c579858c78cb2 Mon Sep 17 00:00:00 2001
From: Sean Bright <sean.bright@gmail.com>
Date: Sun, 28 Nov 2021 15:52:24 -0500
Subject: [PATCH] config.c: Prevent UB in ast_realtime_require_field.

A backend's implementation of the realtime 'require' function may call
va_arg() and then fail, leaving the va_list in an undefined
state. Pass a copy of the va_list instead.

ASTERISK-29771 #close

Change-Id: I555565a72af84e96d49f62fe8cb66ba5a78461f4
---
 main/config.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/main/config.c b/main/config.c
index 46f05aaf16..c5e42fa8a9 100644
--- a/main/config.c
+++ b/main/config.c
@@ -3384,16 +3384,19 @@ int ast_realtime_require_field(const char *family, ...)
 	struct ast_config_engine *eng;
 	char db[256];
 	char table[256];
-	va_list ap;
+	va_list ap, aq;
 	int res = -1, i;
 
 	va_start(ap, family);
 	for (i = 1; ; i++) {
 		if ((eng = find_engine(family, i, db, sizeof(db), table, sizeof(table)))) {
+			va_copy(aq, ap);
 			/* If the require succeeds, it returns 0. */
-			if (eng->require_func && !(res = eng->require_func(db, table, ap))) {
+			if (eng->require_func && !(res = eng->require_func(db, table, aq))) {
+				va_end(aq);
 				break;
 			}
+			va_end(aq);
 		} else {
 			break;
 		}