kenmirrors/asterisk
1
0
Fork 0
mirror of https://github.com/asterisk/asterisk.git synced 2025-11-02 03:48:02 +00:00
Code Issues Packages Projects Releases Wiki Activity

Multiple revisions 359656,359706,359979

Browse Source 
........
  r359656 | mjordan | 2012-03-15 13:35:59 -0500 (Thu, 15 Mar 2012) | 22 lines
  
  Fix remotely exploitable stack overrun in Milliwatt
  
  Milliwatt is vulnerable to a remotely exploitable stack overrun when using
  the 'o' option.  This occurs due to the milliwatt_generate function not
  accounting for AST_FRIENDLY_OFFSET when calculating the maximum number of
  samples it can put in the output buffer.
  
  This patch resolves this issue by taking into account AST_FRIENDLY_OFFSET
  when determining the maximum number of samples allowed.  Note that at no
  point is remote code execution possible.  The data that is written into the
  buffer is the pre-defined Milliwatt data, and not custom data.
  
  (closes issue ASTERISK-19541)
  Reported by: Russell Bryant
  Tested by: Matt Jordan
  Patches:
    milliwatt_stack_overrun.rev1.txt by Russell Bryant (license 6283)
    Note that this patch was written by Russell, even though Matt uploaded it
  ........
  
  Merged revisions 359645 from http://svn.asterisk.org/svn/asterisk/branches/1.6.2
........
  r359706 | mjordan | 2012-03-15 14:01:22 -0500 (Thu, 15 Mar 2012) | 16 lines
  
  Fix remotely exploitable stack overflow in HTTP manager
  
  There exists a remotely exploitable stack buffer overflow in HTTP digest
  authentication handling in Asterisk.  The particular method in question
  is only utilized by HTTP AMI.  When parsing the digest information, the
  length of the string is not checked when it is copied into temporary buffers
  allocated on the stack.
  
  This patch fixes this behavior by parsing out pre-defined key/value pairs
  and avoiding unnecessary copies to the stack.
  
  (closes issue ASTERISK-19542)
  Reported by: Russell Bryant
  Tested by: Matt Jordan
........
  r359979 | rmudgett | 2012-03-20 12:21:16 -0500 (Tue, 20 Mar 2012) | 28 lines
  
  Allow AMI action callback to be reentrant.
  
  Fix AMI module reload deadlock regression from ASTERISK-18479 when it
  tried to fix the race between calling an AMI action callback and
  unregistering that action.  Refixes ASTERISK-13784 broken by
  ASTERISK-17785 change.
  
  Locking the ao2 object guaranteed that there were no active callbacks that
  mattered when ast_manager_unregister() was called.  Unfortunately, this
  causes the deadlock situation.  The patch stops locking the ao2 object to
  allow multiple threads to invoke the callback re-entrantly.  There is no
  way to guarantee a module unload will not crash because of an active
  callback.  The code attempts to minimize the chance with the registered
  flag and the maximum 5 second delay before ast_manager_unregister()
  returns.
  
  The trunk version of the patch changes the API to fix the race condition
  correctly to prevent the module code from unloading from memory while an
  action callback is active.
  
  * Don't hold the lock while calling the AMI action callback.
  
  (closes issue ASTERISK-19487)
  Reported by: Philippe Lindheimer
  
  Review: https://reviewboard.asterisk.org/r/1818/
  Review: https://reviewboard.asterisk.org/r/1820/
........

Merged revisions 359656,359706,359979 from http://svn.asterisk.org/svn/asterisk/branches/1.8


git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8-digiumphones@360826 65c4cc65-6c06-0410-ace0-fbb531ad65f3
This commit is contained in:
Jason Parker
2012-03-29 21:49:14 +00:00
parent 75ff692542
commit e854851dc3
4 changed files with 95 additions and 64 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
main/manager.c
View File

@@ -1936,7 +1936,11 @@ int ast_hook_send_action(struct manager_custom_hook *hook, const char *msg)
ao2_lock(act_found);
if (act_found->registered && act_found->func) {
++act_found->active_count;
ao2_unlock(act_found);
ret = act_found->func(&s, &m);
ao2_lock(act_found);
--act_found->active_count;
} else {
ret = -1;
}
@@ -4636,8 +4640,12 @@ static int process_message(struct mansession *s, const struct message *m)
ao2_lock(act_found);
if (act_found->registered && act_found->func) {
ast_debug(1, "Running action '%s'\n", act_found->action);
++act_found->active_count;
ao2_unlock(act_found);
ret = act_found->func(s, m);
acted = 1;
ao2_lock(act_found);
--act_found->active_count;
}
ao2_unlock(act_found);
}
@@ -5145,6 +5153,8 @@ int ast_manager_unregister(char *action)
AST_RWLIST_UNLOCK(&actions);
if (cur) {
time_t now;
/*
* We have removed the action object from the container so we
* are no longer in a hurry.
@@ -5153,6 +5163,23 @@ int ast_manager_unregister(char *action)
cur->registered = 0;
ao2_unlock(cur);
/*
* Wait up to 5 seconds for any active invocations to complete
* before returning. We have to wait instead of blocking
* because we may be waiting for ourself to complete.
*/
now = time(NULL);
while (cur->active_count) {
if (5 <= time(NULL) - now) {
ast_debug(1,
"Unregister manager action %s timed out waiting for %d active instances to complete\n",
action, cur->active_count);
break;
}
sched_yield();
}
ao2_t_ref(cur, -1, "action object removed from list");
ast_verb(2, "Manager unregistered action %s\n", action);
}