kenmirrors/asterisk
1
0
Fork 0
mirror of https://github.com/asterisk/asterisk.git synced 2025-10-31 02:37:10 +00:00
Code Issues Packages Projects Releases Wiki Activity

Correct double-free situation in manager output processing.

Browse Source 
The process_output() function calls ast_str_append() and xml_translate() on its
'out' parameter, which is a pointer to an ast_str buffer. If either of these
functions need to reallocate the ast_str so it will have more space, they will
free the existing buffer and allocate a new one, returning the address of the
new one. However, because process_output only receives a pointer to the ast_str,
not a pointer to its caller's variable holding the pointer, if the original
ast_str is freed, the caller will not know, and will continue to use it (and
later attempt to free it).

(reported by jkroon on #asterisk-dev)



git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@327950 65c4cc65-6c06-0410-ace0-fbb531ad65f3
This commit is contained in:
Kevin P. Fleming
2011-07-12 22:53:53 +00:00
parent 3769e99537
commit feb182f802
1 changed files with 6 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
main/manager.c
View File

@@ -5474,7 +5474,7 @@ static void xml_translate(struct ast_str **out, char *in, struct ast_variable *g
}
}
static void process_output(struct mansession *s, struct ast_str *out, struct ast_variable *params, enum output_format format)
static void process_output(struct mansession *s, struct ast_str **out, struct ast_variable *params, enum output_format format)
{
char *buf;
size_t l;
@@ -5491,14 +5491,14 @@ static void process_output(struct mansession *s, struct ast_str *out, struct ast
ast_log(LOG_WARNING, "mmap failed. Manager output was not processed\n");
} else {
if (format == FORMAT_XML || format == FORMAT_HTML) {
xml_translate(&out, buf, params, format);
xml_translate(out, buf, params, format);
} else {
ast_str_append(&out, 0, "%s", buf);
ast_str_append(out, 0, "%s", buf);
}
munmap(buf, l);
}
} else if (format == FORMAT_XML || format == FORMAT_HTML) {
xml_translate(&out, "", params, format);
xml_translate(out, "", params, format);
}
fclose(s->f);
@@ -5656,7 +5656,7 @@ static int generic_http_callback(struct ast_tcptls_session_instance *ser,
ast_str_append(&out, 0, ROW_FMT, TEST_STRING);
}
process_output(&s, out, params, format);
process_output(&s, &out, params, format);
if (format == FORMAT_XML) {
ast_str_append(&out, 0, "</ajax-response>\n");
@@ -5968,7 +5968,7 @@ static int auth_http_callback(struct ast_tcptls_session_instance *ser,
"<input type=\"submit\" value=\"Send request\" /></th></tr>\r\n");
}
process_output(&s, out, params, format);
process_output(&s, &out, params, format);
if (format == FORMAT_XML) {
ast_str_append(&out, 0, "</ajax-response>\n");