dect
/
asterisk
Archived
13
0
Fork 0
Code Releases Activity

Merged revisions 327950 via svnmerge from 

https://origsvn.digium.com/svn/asterisk/branches/1.8

........
  r327950 | kpfleming | 2011-07-12 17:53:53 -0500 (Tue, 12 Jul 2011) | 14 lines
  
  Correct double-free situation in manager output processing.
  
  The process_output() function calls ast_str_append() and xml_translate() on its
  'out' parameter, which is a pointer to an ast_str buffer. If either of these
  functions need to reallocate the ast_str so it will have more space, they will
  free the existing buffer and allocate a new one, returning the address of the
  new one. However, because process_output only receives a pointer to the ast_str,
  not a pointer to its caller's variable holding the pointer, if the original
  ast_str is freed, the caller will not know, and will continue to use it (and
  later attempt to free it).
  
  (reported by jkroon on #asterisk-dev)
........


git-svn-id: http://svn.digium.com/svn/asterisk/trunk@327953 f38db490-d61c-443f-a65b-d21fe96a405b
This commit is contained in:
kpfleming 2011-07-12 23:02:31 +00:00
parent 6324f36910
commit ef8cbd8771
1 changed files with 6 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
main/manager.c
View File

@ -5621,7 +5621,7 @@ static void xml_translate(struct ast_str **out, char *in, struct ast_variable *g
} }
} }
static void process_output(struct mansession *s, struct ast_str *out, struct ast_variable *params, enum output_format format) static void process_output(struct mansession *s, struct ast_str **out, struct ast_variable *params, enum output_format format)
{ {
char *buf; char *buf;
size_t l; size_t l;
@ -5638,14 +5638,14 @@ static void process_output(struct mansession *s, struct ast_str *out, struct ast
ast_log(LOG_WARNING, "mmap failed. Manager output was not processed\n"); ast_log(LOG_WARNING, "mmap failed. Manager output was not processed\n");
} else { } else {
if (format == FORMAT_XML || format == FORMAT_HTML) { if (format == FORMAT_XML || format == FORMAT_HTML) {
xml_translate(&out, buf, params, format); xml_translate(out, buf, params, format);
} else { } else {
ast_str_append(&out, 0, "%s", buf); ast_str_append(out, 0, "%s", buf);
} }
munmap(buf, l); munmap(buf, l);
} }
} else if (format == FORMAT_XML || format == FORMAT_HTML) { } else if (format == FORMAT_XML || format == FORMAT_HTML) {
xml_translate(&out, "", params, format); xml_translate(out, "", params, format);
} }
fclose(s->f); fclose(s->f);
@ -5803,7 +5803,7 @@ static int generic_http_callback(struct ast_tcptls_session_instance *ser,
ast_str_append(&out, 0, ROW_FMT, TEST_STRING); ast_str_append(&out, 0, ROW_FMT, TEST_STRING);
} }
process_output(&s, out, params, format); process_output(&s, &out, params, format);
if (format == FORMAT_XML) { if (format == FORMAT_XML) {
ast_str_append(&out, 0, "</ajax-response>\n"); ast_str_append(&out, 0, "</ajax-response>\n");
@ -6115,7 +6115,7 @@ static int auth_http_callback(struct ast_tcptls_session_instance *ser,
"<input type=\"submit\" value=\"Send request\" /></th></tr>\r\n"); "<input type=\"submit\" value=\"Send request\" /></th></tr>\r\n");
} }
process_output(&s, out, params, format); process_output(&s, &out, params, format);
if (format == FORMAT_XML) { if (format == FORMAT_XML) {
ast_str_append(&out, 0, "</ajax-response>\n"); ast_str_append(&out, 0, "</ajax-response>\n");