author | Steve Murphy <murf@digium.com> | 2008-04-05 01:33:13 +0000 |
---|---|---|
committer | Steve Murphy <murf@digium.com> | 2008-04-05 01:33:13 +0000 |
commit | f291c2af0ac7121e4ee52e573496d16435379a56 | |
tree | 319d3bf019c596b32ba4d1145f385bcc6b6675fc /contrib/utils/rawplayer.c | |
parent | 71dc6a4771b6e9468c029f5b1ce1e3f119fae7c0 |
Found a little problem with the sip request handling that could lead to a quick crash of asterisk, and a road to a DOS attack if left unfixed.
Attaching to a running asterisk with "telnet hostname 5060", I would input "something", then hit return three times, and asterisk crashes.
I traced it to handle_request_do(), which zeroes out the data (an ast_str ptr) if the string is too short.
Instead of freeing the struct and nulling the pointer, it now just resets it, because this
ast_str is expected by the calling routine to still be there after handle_request_do() returns.
This appears to fix the crash. I assume that it was introduced with ast_str's being adopted. It's a subtle and easy-to-miss sort of problem.
I also found all the places where the req.data is freed, and made sure the ptr is Nulled out as well;
no good leaving bad ptrs laying around-- I didn't need to do this, but it seemed a good thing to do...
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@112874 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Diffstat (limited to 'contrib/utils/rawplayer.c')
0 files changed, 0 insertions, 0 deletions
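
The ownership problem the commit message describes, reduced to a self-contained model. This is an added example, not Asterisk's code and not part of the commit: `struct dynstr`, `struct request`, `MIN_REQ_LEN`, the two handlers and `read_loop` are hypothetical names, and the input lines are constructed. The caller guards the pointer so the difference shows up as a return value rather than a crash.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable string standing in for a heap buffer type; not Asterisk's ast_str. */
struct dynstr { size_t len, cap; char buf[]; };
struct request { struct dynstr *data; };
#define MIN_REQ_LEN 2 /* assumed "too short" threshold */

static struct dynstr *dynstr_create(size_t cap) {
    struct dynstr *s = calloc(1, sizeof(*s) + cap);
    if (s) s->cap = cap;
    return s;
}
static void dynstr_set(struct dynstr *s, const char *src) {
    size_t n = strlen(src);
    if (n >= s->cap) n = s->cap - 1;   /* truncate to fit, keep room for NUL */
    memcpy(s->buf, src, n);
    s->buf[n] = '\0';
    s->len = n;
}

/* Before: the callee frees a buffer the caller still owns and expects to reuse. */
static void handle_free_on_short(struct request *req) {
    if (req->data->len < MIN_REQ_LEN) { free(req->data); req->data = NULL; }
}
/* After: the callee empties the buffer but leaves the allocation in place. */
static void handle_reset_on_short(struct request *req) {
    if (req->data->len < MIN_REQ_LEN) { req->data->len = 0; req->data->buf[0] = '\0'; }
}

/* Caller that reuses one buffer for every line on a connection.
 * Returns 0 if the buffer survived, -1 if the handler took it away
 * (an unguarded caller would dereference NULL at that point). */
static int read_loop(void (*handler)(struct request *), const char *lines[], size_t n) {
    struct request req = { dynstr_create(64) };
    for (size_t i = 0; i < n; i++) {
        if (!req.data) return -1;
        dynstr_set(req.data, lines[i]);
        handler(&req);
    }
    if (!req.data) return -1;
    free(req.data);
    return 0;
}

int main(void) {
    const char *in[] = { "something", "", "", "" }; /* constructed input */
    printf("free-on-short:  %d\n", read_loop(handle_free_on_short, in, 4));
    printf("reset-on-short: %d\n", read_loop(handle_reset_on_short, in, 4));
    return 0;
}
```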