diff options
author | Matthew Jordan <mjordan@digium.com> | 2012-06-14 17:34:10 +0000 |
---|---|---|
committer | Matthew Jordan <mjordan@digium.com> | 2012-06-14 17:34:10 +0000 |
commit | 1efe727ed87df803d2ce7aa1f77242d103c43b1d (patch) | |
tree | 9c5c8552a5ae256bedb4d5dc221d0e7ffe3a4ffb /channels/chan_skinny.c | |
parent | 5819278c46ec80e51901718e4a8a34d6a9429b1b (diff) |
AST-2012-009: Fix crash in chan_skinny due to Key Pad Button Message handling
AST-2012-008 (r367844) fixed a denial of service attack exploitable in the
Skinny channel driver that occurred when certain messages are sent after a
previously registered station sends an Off Hook message. Unresolved in that
patch is an issue in the Asterisk 10 releases, wherein, if a Station Key
Pad Button Message is processed after an Off Hook message, the channel driver
will inappropriately dereference a NULL pointer.
This patch fixes those places where the message handling or the channel
callback functions would attempt to dereference the line's pointer to the
device.
(issue ASTERISK-19905)
Reported by: Christoph Hebeisen
Tested by: mjordan, Christoph Hebeisen
Patches:
AST-2012-009-10.diff uploaded by mjordan (license 6283)
........
Merged revisions 368947 from http://svn.asterisk.org/svn/asterisk/branches/10
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@368948 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Diffstat (limited to 'channels/chan_skinny.c')
-rw-r--r-- | channels/chan_skinny.c | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/channels/chan_skinny.c b/channels/chan_skinny.c index 1c89674b9..9322bf50a 100644 --- a/channels/chan_skinny.c +++ b/channels/chan_skinny.c @@ -5011,6 +5011,11 @@ static void setsubstate(struct skinny_subchannel *sub, int state) pthread_t t; int actualstate = state; + if (!l->device) { + ast_log(LOG_WARNING, "Device for line %s is not registered.\n", l->name); + return; + } + if (sub->substate == SUBSTATE_ONHOOK) { return; } @@ -5403,15 +5408,20 @@ static void dumpsub(struct skinny_subchannel *sub, int forcehangup) struct skinny_subchannel *activate_sub = NULL; struct skinny_subchannel *tsub; + if (!l->device) { + ast_log(LOG_WARNING, "Device for line %s is not registered.\n", l->name); + return; + } + if (skinnydebug) { ast_verb(3, "Sub %d - Dumping\n", sub->callid); } - + if (!forcehangup && sub->substate == SUBSTATE_HOLD) { l->activesub = NULL; return; } - + if (sub == l->activesub) { d->hookstate = SKINNY_ONHOOK; transmit_speaker_mode(d, SKINNY_SPEAKEROFF); |