diff options
| author | Kevin P. Fleming <kpfleming@digium.com> | 2011-07-12 23:02:31 +0000 |
|---|---|---|
| committer | Kevin P. Fleming <kpfleming@digium.com> | 2011-07-12 23:02:31 +0000 |
| commit | d37ac6a8a0e3c8a0dd0ccf74e94652204c9247f1 (patch) | |
| tree | adcdfdbc2c8b72ab8741bd5b37d50333a356f369 | |
| parent | ae3d614ab80b003a93c48defc0833aa8bb012810 (diff) | |
Merged revisions 327950 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.8
........
r327950 | kpfleming | 2011-07-12 17:53:53 -0500 (Tue, 12 Jul 2011) | 14 lines
Correct double-free situation in manager output processing.
The process_output() function calls ast_str_append() and xml_translate() on its
'out' parameter, which is a pointer to an ast_str buffer. If either of these
functions need to reallocate the ast_str so it will have more space, they will
free the existing buffer and allocate a new one, returning the address of the
new one. However, because process_output only receives a pointer to the ast_str,
not a pointer to its caller's variable holding the pointer, if the original
ast_str is freed, the caller will not know, and will continue to use it (and
later attempt to free it).
(reported by jkroon on #asterisk-dev)
........
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@327953 65c4cc65-6c06-0410-ace0-fbb531ad65f3
| -rw-r--r-- | main/manager.c | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/main/manager.c b/main/manager.c index 5b3da313d..edaad357f 100644 --- a/main/manager.c +++ b/main/manager.c @@ -5621,7 +5621,7 @@ static void xml_translate(struct ast_str **out, char *in, struct ast_variable *g } } -static void process_output(struct mansession *s, struct ast_str *out, struct ast_variable *params, enum output_format format) +static void process_output(struct mansession *s, struct ast_str **out, struct ast_variable *params, enum output_format format) { char *buf; size_t l; @@ -5638,14 +5638,14 @@ static void process_output(struct mansession *s, struct ast_str *out, struct ast ast_log(LOG_WARNING, "mmap failed. Manager output was not processed\n"); } else { if (format == FORMAT_XML || format == FORMAT_HTML) { - xml_translate(&out, buf, params, format); + xml_translate(out, buf, params, format); } else { - ast_str_append(&out, 0, "%s", buf); + ast_str_append(out, 0, "%s", buf); } munmap(buf, l); } } else if (format == FORMAT_XML || format == FORMAT_HTML) { - xml_translate(&out, "", params, format); + xml_translate(out, "", params, format); } fclose(s->f); @@ -5803,7 +5803,7 @@ static int generic_http_callback(struct ast_tcptls_session_instance *ser, ast_str_append(&out, 0, ROW_FMT, TEST_STRING); } - process_output(&s, out, params, format); + process_output(&s, &out, params, format); if (format == FORMAT_XML) { ast_str_append(&out, 0, "</ajax-response>\n"); @@ -6115,7 +6115,7 @@ static int auth_http_callback(struct ast_tcptls_session_instance *ser, "<input type=\"submit\" value=\"Send request\" /></th></tr>\r\n"); } - process_output(&s, out, params, format); + process_output(&s, &out, params, format); if (format == FORMAT_XML) { ast_str_append(&out, 0, "</ajax-response>\n"); |