From a629f92eed7e9bfd3575b75ad6b0937e5200bd5f Mon Sep 17 00:00:00 2001 From: Joshua Colp Date: Wed, 12 Nov 2014 16:11:37 +0000 Subject: [PATCH] pbx: Fix off-nominal case where a freed extension may still be used. If during the operation of adding an extension a priority is added but fails it is possible for the extension to be freed but still exist in the PBX core. If this occurs subsequent lookups may try to access the extension and end up in freed memory. This change removes the extension from the PBX core when the priority addition fails and then frees the extension. ASTERISK-24444 #close Reported by: Leandro Dardini Review: https://reviewboard.asterisk.org/r/4162/ ........ Merged revisions 427709 from http://svn.asterisk.org/svn/asterisk/branches/11 git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/12@427710 65c4cc65-6c06-0410-ace0-fbb531ad65f3 --- main/pbx.c | 26 ++++++++++++++++++++------ 1 file changed, 20 insertions(+), 6 deletions(-) diff --git a/main/pbx.c b/main/pbx.c index b1f8ad6ca0..cc686558fd 100644 --- a/main/pbx.c +++ b/main/pbx.c @@ -9728,13 +9728,7 @@ static int add_priority(struct ast_context *con, struct ast_exten *tmp, "Unable to register extension '%s' priority %d in '%s', already in use\n", tmp->exten, tmp->priority, con->name); } - if (tmp->datad) { - tmp->datad(tmp->data); - /* if you free this, null it out */ - tmp->data = NULL; - } - ast_free(tmp); return -1; } /* we are replacing e, so copy the link fields and then update 
@@ -10018,6 +10012,26 @@ static int ast_add_extension2_lockopt(struct ast_context *con,
 }
 if (e && res == 0) { /* exact match, insert in the priority chain */
 res = add_priority(con, tmp, el, e, replace);
+ if (res < 0) {
+ if (con->pattern_tree) {
+ struct match_char *x = add_exten_to_pattern_tree(con, tmp, 1);
+
+ if (x->exten) {
+ x->deleted = 1;
+ x->exten = 0;
+ }
+
+ ast_hashtab_remove_this_object(con->root_table, tmp);
+ }
+
+ if (tmp->datad) {
+ tmp->datad(tmp->data);
+ /* if you free this, null it out */
+ tmp->data = NULL;
+ }
+
+ ast_free(tmp);
+ }
 if (lock_context) {
 ast_unlock_context(con);
 }
-- 2.47.3
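Review bot: In the new `if (res < 0)` branch, the pointer returned by `add_exten_to_pattern_tree(con, tmp, 1)` is dereferenced at `if (x->exten)` with no NULL check. Whether the find-only lookup can return NULL is not visible in this hunk, but `if (x && x->exten) {` is a cheap guard on an error path. The `ast_hashtab_remove_this_object(con->root_table, tmp)` call is also nested inside the `con->pattern_tree` test, so if `tmp` can be present in `root_table` while `pattern_tree` is NULL, `ast_free(tmp)` would leave a dangling entry in the table, which is the same use-after-free class this commit fixes. Either confirm the two structures always exist together and say so in a comment, or move the removal out of that block under its own `if (con->root_table)` test. The body of ast_add_extension2_lockopt starts and ends outside the hunk, so the earlier insertion into both structures cannot be checked from here.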