[Core] Prevent write after free into heap when calling switch_core_destroy_memory_pool()

Andrey Volk 2020-12-16 04:10:45 +04:00
parent 7b873a2dc3
commit caa428aa16


@ -465,38 +465,42 @@ SWITCH_DECLARE(switch_status_t) switch_core_perform_destroy_memory_pool(switch_m
{ {
char *tmp; char *tmp;
const char *tag; const char *tag;
switch_memory_pool_t *tmp_pool = NULL;
switch_assert(pool != NULL); switch_assert(pool != NULL);
/* In tag we store who calls the pool creation. /* In tag we store who calls the pool creation.
Now we append it with who calls the pool destroy. Now we append it with who calls the pool destroy.
*/ */
if (*pool) { if (*pool) {
tag = apr_pool_tag(*pool, NULL); tmp_pool = *pool;
tmp = switch_core_sprintf(*pool, "%s,%s:%d", (tag ? tag : ""), file, line); *pool = NULL;
apr_pool_tag(*pool, tmp);
tag = apr_pool_tag(tmp_pool, NULL);
tmp = switch_core_sprintf(tmp_pool, "%s,%s:%d", (tag ? tag : ""), file, line);
apr_pool_tag(tmp_pool, tmp);
} }
#ifdef DEBUG_ALLOC2 #ifdef DEBUG_ALLOC2
switch_log_printf(SWITCH_CHANNEL_ID_LOG, file, func, line, NULL, SWITCH_LOG_CONSOLE, "%p Free Pool %s\n", (void *) *pool, apr_pool_tag(*pool, NULL)); switch_log_printf(SWITCH_CHANNEL_ID_LOG, file, func, line, NULL, SWITCH_LOG_CONSOLE, "%p Free Pool %s\n", (void *) tmp_pool, apr_pool_tag(tmp_pool, NULL));
#endif #endif
#ifdef INSTANTLY_DESTROY_POOLS #ifdef INSTANTLY_DESTROY_POOLS
#ifdef USE_MEM_LOCK #ifdef USE_MEM_LOCK
switch_mutex_lock(memory_manager.mem_lock); switch_mutex_lock(memory_manager.mem_lock);
#endif #endif
apr_pool_destroy(*pool); apr_pool_destroy(tmp_pool);
#ifdef USE_MEM_LOCK #ifdef USE_MEM_LOCK
switch_mutex_unlock(memory_manager.mem_lock); switch_mutex_unlock(memory_manager.mem_lock);
#endif #endif
#else #else
if ((memory_manager.pool_thread_running != 1) || (switch_queue_push(memory_manager.pool_queue, *pool) != SWITCH_STATUS_SUCCESS)) { if ((memory_manager.pool_thread_running != 1) || (switch_queue_push(memory_manager.pool_queue, tmp_pool) != SWITCH_STATUS_SUCCESS)) {
#ifdef USE_MEM_LOCK #ifdef USE_MEM_LOCK
switch_mutex_lock(memory_manager.mem_lock); switch_mutex_lock(memory_manager.mem_lock);
#endif #endif
#if APR_POOL_DEBUG #if APR_POOL_DEBUG
apr_pool_destroy_debug(*pool, func); apr_pool_destroy_debug(tmp_pool, func);
#else #else
apr_pool_destroy(*pool); apr_pool_destroy(tmp_pool);
#endif #endif
#ifdef USE_MEM_LOCK #ifdef USE_MEM_LOCK
switch_mutex_unlock(memory_manager.mem_lock); switch_mutex_unlock(memory_manager.mem_lock);
@ -504,8 +508,6 @@ SWITCH_DECLARE(switch_status_t) switch_core_perform_destroy_memory_pool(switch_m
} }
#endif #endif
*pool = NULL;
return SWITCH_STATUS_SUCCESS; return SWITCH_STATUS_SUCCESS;
} }
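Review bot: When `*pool` is already NULL on entry, `tmp_pool` stays NULL and the code after the `if (*pool)` block still passes it to `apr_pool_tag()` (under DEBUG_ALLOC2), `switch_queue_push()` and `apr_pool_destroy()`; only the tagging is guarded. The old code had the same gap with `*pool`, so this is not a regression, but because the handle is now cleared up front, a second destroy through the same handle will always arrive here with NULL. An early exit right after the tagging block, `if (!tmp_pool) return SWITCH_STATUS_SUCCESS;`, would make that case a no-op, assuming callers are meant to tolerate it. A comment on `*pool = NULL;` should also say why it must happen before the pool is destroyed or queued (presumably the handle can live in memory owned by the pool), so the ordering is not undone later. The function signature sits above the hunk and appears only in the hunk header.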