Using the GetVar handler in AMI is potentially dangerous (insta-crash [tm]) when...
authorBJ Weschke <bweschke@btwtech.com>
Sat, 18 Oct 2008 01:42:23 +0000 (01:42 +0000)
committerBJ Weschke <bweschke@btwtech.com>
Sat, 18 Oct 2008 01:42:23 +0000 (01:42 +0000)
 We'll create a bogus channel for the function call and destroy it when we're done. If we have trouble allocating the bogus channel, we won't try executing the function call at all, rather than run the risk of crashing.
 (closes issue #13715)
 reported by: makoto
 patch by: bweschke

git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.4@150816 65c4cc65-6c06-0410-ace0-fbb531ad65f3

main/manager.c

index 8b10712e8db9f2cba856ad0ff9a874570a556df3..b966440b07ca1c8cb2ee99b70a1098e9cd13a7e9 100644 (file)
@@ -1499,8 +1499,15 @@ static int action_getvar(struct mansession *s, const struct message *m)
 
        if (varname[strlen(varname) - 1] == ')') {
                char *copy = ast_strdupa(varname);
-
-               ast_func_read(c, copy, workspace, sizeof(workspace));
+               if (!c) {
+                       c = ast_channel_alloc(0, 0, "", "", "", "", "", 0, "Bogus/%p", NULL);
+                       if (c) {
+                               ast_func_read(c, copy, workspace, sizeof(workspace));
+                               ast_channel_free(c);
+                       } else
+                               ast_log(LOG_ERROR, "Unable to allocate bogus channel for variable substitution.  Function results may be blank.\n");
+               } else
+                       ast_func_read(c, copy, workspace, sizeof(workspace));
                varval = workspace;
        } else {
                pbx_retrieve_variable(c, varname, &varval, workspace, sizeof(workspace), NULL);
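Review bot: In the new `if (!c)` branch, `c` still holds the address of the freed bogus channel after `ast_channel_free(c);`, so it is a dangling pointer for the rest of `action_getvar`. The function body continues past this hunk; if it later tests or uses `c` (for example to release a channel lock, which is an inference since those lines are not shown), that would be a use-after-free that any AMI client able to send GetVar without a Channel header could trigger. Add `c = NULL;` directly after `ast_channel_free(c);`, or keep the temporary channel in a separate local such as `struct ast_channel *bogus` so `c` is never reassigned. A short comment above the allocation, e.g. `/* dialplan functions may dereference the channel, so give them a throwaway one */`, would also record why the bogus channel exists.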