From 322191a2f47d56e786ee73be1dc820fafd51b2fb Mon Sep 17 00:00:00 2001
From: Andrey Volk
Date: Tue, 6 Apr 2021 19:43:57 +0300
Subject: [PATCH] [mod_dialplan_xml] Fix possible use after free in parse_exten()
---
 src/mod/dialplans/mod_dialplan_xml/mod_dialplan_xml.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/mod/dialplans/mod_dialplan_xml/mod_dialplan_xml.c b/src/mod/dialplans/mod_dialplan_xml/mod_dialplan_xml.c
index 005276dcd3..f85a9855bb 100644
--- a/src/mod/dialplans/mod_dialplan_xml/mod_dialplan_xml.c
+++ b/src/mod/dialplans/mod_dialplan_xml/mod_dialplan_xml.c
@@ -361,6 +361,7 @@ static int parse_exten(switch_core_session_t *session, switch_caller_profile_t *
 switch_regex_safe_free(re);
 switch_safe_free(field_expanded);
+ if (expression == expression_expanded) expression = NULL;
 switch_safe_free(expression_expanded);
 }
@@ -375,6 +376,7 @@ static int parse_exten(switch_core_session_t *session, switch_caller_profile_t *
 }
 switch_safe_free(field_expanded);
+ if (expression == expression_expanded) expression = NULL;
 switch_safe_free(expression_expanded);
 } else {
 if ((xexpression = switch_xml_child(xcond, "expression"))) {
@@ -502,7 +504,7 @@ static int parse_exten(switch_core_session_t *session, switch_caller_profile_t *
 proceed = 1;
 }
 } else {
- if (field && strchr(expression, '(')) {
+ if (field && expression && strchr(expression, '(')) {
 switch_channel_set_variable(channel, "DP_MATCH", NULL);
 switch_capture_regex(re, proceed, field_data, ovector, "DP_MATCH", switch_regex_set_var_callback, session);
 }
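Review bot: The added `if (expression == expression_expanded) expression = NULL;` in the @@ -361 hunk has no comment saying that `expression` can alias the expanded buffer, and the same unbraced one-liner is repeated in the @@ -375 hunk. A short comment such as `/* expression may point at expression_expanded; drop the alias so nothing reads it after the free */` would keep a later cleanup from removing the line as dead code. Bracing the body would also match the braced `if` blocks visible in the surrounding context. parse_exten's body starts and ends outside both hunks, so the place where the alias is created is not visible here.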
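Review bot: The new `expression &&` guard in the @@ -502 hunk, and the identical one in the @@ -524 hunk, turns the dangling read into a silent skip: once `expression` has been set to NULL, neither the `DP_MATCH` reset nor `switch_capture_regex` runs. If this is the same variable that the earlier hunks null (the code in between is outside the diff), capture now happens only for expressions that did not need expansion, and a `DP_MATCH` value left by an earlier condition may stay on the channel. Deciding this before the free, for example with a local flag assigned from `expression && strchr(expression, '(')` and tested in both places, would make the behaviour independent of whether expansion allocated a buffer.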
@@ -524,7 +526,7 @@ static int parse_exten(switch_core_session_t *session, switch_caller_profile_t *
 data = (char *) switch_xml_attr_soft(xaction, "data");
 }
- if (field && strchr(expression, '(')) {
+ if (field && expression && strchr(expression, '(')) {
 len = (uint32_t) (strlen(data) + strlen(field_data) + 10) * proceed;
 if (!(substituted = malloc(len))) {
 switch_log_printf(SWITCH_CHANNEL_SESSION_LOG(session), SWITCH_LOG_CRIT, "Memory Error!\n");
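Review bot: The allocation size in the context line `len = (uint32_t) (strlen(data) + strlen(field_data) + 10) * proceed;` is narrowed to 32 bits before it is multiplied, so a large enough product wraps and `malloc(len)` would return a buffer smaller than the code after the hunk presumably expects. The line predates this commit, but it sits directly under the guard being changed, and the bounds on `data`, `field_data` and `proceed` are not visible here. Computing the size in `size_t` and rejecting overflow first would close that, e.g. `size_t need = strlen(data) + strlen(field_data) + 10;` followed by `if (proceed <= 0 || need > UINT32_MAX / (uint32_t) proceed) { /* take the existing "Memory Error!" path */ }`, assuming `proceed` is a signed int. The guard also tests `field` while `strlen` is applied to `field_data`; whether the latter can be NULL cannot be told from this hunk, and the function body continues outside it.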