[mod_dialplan_xml] Fix possible use after free in parse_exten()

author Andrey Volk <andywolk@gmail.com>

Tue, 6 Apr 2021 16:43:57 +0000 (19:43 +0300)

committer Andrey Volk <andywolk@gmail.com>

Tue, 19 Oct 2021 17:19:25 +0000 (20:19 +0300)
author Andrey Volk <andywolk@gmail.com>
Tue, 6 Apr 2021 16:43:57 +0000 (19:43 +0300)
committer Andrey Volk <andywolk@gmail.com>
Tue, 19 Oct 2021 17:19:25 +0000 (20:19 +0300)
diff --git a/src/mod/dialplans/mod_dialplan_xml/mod_dialplan_xml.c b/src/mod/dialplans/mod_dialplan_xml/mod_dialplan_xml.c

index 005276dcd34e78e0d667342d289d8435ee4c09f5..f85a9855bb138754ac1f7196813ed93b3b1d36f7 100644 (file)
--- a/src/mod/dialplans/mod_dialplan_xml/mod_dialplan_xml.c
+++ b/src/mod/dialplans/mod_dialplan_xml/mod_dialplan_xml.c
@@ -361,6 +361,7 @@ static int parse_exten(switch_core_session_t *session, switch_caller_profile_t *
                                 switch_regex_safe_free(re);
  
                                 switch_safe_free(field_expanded);
+                               if (expression == expression_expanded) expression = NULL;
                                 switch_safe_free(expression_expanded);
                         }
  
@@ -375,6 +376,7 @@ static int parse_exten(switch_core_session_t *session, switch_caller_profile_t *
                         }
  
                         switch_safe_free(field_expanded);
+                       if (expression == expression_expanded) expression = NULL;
                         switch_safe_free(expression_expanded);
                 } else {
                         if ((xexpression = switch_xml_child(xcond, "expression"))) {
@@ -502,7 +504,7 @@ static int parse_exten(switch_core_session_t *session, switch_caller_profile_t *
                                 proceed = 1;
                         }
                 } else {
-                       if (field && strchr(expression, '(')) {
+                       if (field && expression && strchr(expression, '(')) {
                                 switch_channel_set_variable(channel, "DP_MATCH", NULL);
                                 switch_capture_regex(re, proceed, field_data, ovector, "DP_MATCH", switch_regex_set_var_callback, session);
                         }
@@ -524,7 +526,7 @@ static int parse_exten(switch_core_session_t *session, switch_caller_profile_t *
                                         data = (char *) switch_xml_attr_soft(xaction, "data");
                                 }
  
-                               if (field && strchr(expression, '(')) {
+                               if (field && expression && strchr(expression, '(')) {
                                         len = (uint32_t) (strlen(data) + strlen(field_data) + 10) * proceed;
                                         if (!(substituted = malloc(len))) {
                                                 switch_log_printf(SWITCH_CHANNEL_SESSION_LOG(session), SWITCH_LOG_CRIT, "Memory Error!\n");
author	Andrey Volk <andywolk@gmail.com>
	Tue, 6 Apr 2021 16:43:57 +0000 (19:43 +0300)
committer	Andrey Volk <andywolk@gmail.com>
	Tue, 19 Oct 2021 17:19:25 +0000 (20:19 +0300)