res_srtp: Fix a crash caused by srtp_dealloc on an already dealloced session

When srtp_create fails, the session may be dealloced or just not alloced. At the same time though, the session pointer might not be set to NULL in this process and attempting to srtp_dealloc it again will cause a segfault. This patch checks for failure of srtp_create and sets the session pointer to NULL if it fails. (closes issue ASTERISK-20499) Reported by: tootai Review: https://reviewboard.asterisk.org/r/2228/ ........ Merged revisions 377256 from http://svn.asterisk.org/svn/asterisk/branches/1.8 ........ Merged revisions 377261 from http://svn.asterisk.org/svn/asterisk/branches/10 ........ Merged revisions 377262 from http://svn.asterisk.org/svn/asterisk/branches/11 git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@377263 65c4cc65-6c06-0410-ace0-fbb531ad65f3
13 years ago · d7372766dc
parent b206511914
commit d7372766dc
1 changed files with 4 additions and 0 deletions
--- a/res/res_srtp.c
+++ b/res/res_srtp.c
@ -383,6 +383,8 @@ tryagain:
 					retry++;
 					ao2_iterator_destroy(&it);
 					goto tryagain;
+				} else {
+					srtp->session = NULL;
 				}
 				ao2_t_ref(policy, -1, "Unreffing first policy after srtp_create failed");
 			}
@ -437,6 +439,8 @@ static int ast_srtp_create(struct ast_srtp **srtp, struct ast_rtp_instance *rtp,

 	/* Any failures after this point can use ast_srtp_destroy to destroy the instance */
 	if (srtp_create(&temp->session, &policy->sp) != err_status_ok) {
+		/* Session either wasn't created or was created and dealloced. */
+		temp->session = NULL;
 		ast_srtp_destroy(temp);
 		return -1;
 	}