Resources/res_phoneprov: fix memory leak and heap-use-after-free

* heap-use-after-free happens when we free "cfg"
but then use "value" which refers to it

* A memory leak occurs because in some cases
it is not released "defaults"

ASTERISK-25721 #close
Reported by: Badalyan Vyacheslav
Tested by: Badalyan Vyacheslav

Change-Id: I3807d3f4726df6864430ec144cf6265d3f538469

diff --git a/res/res_phoneprov.c b/res/res_phoneprov.c
index b3d14f7b929a5511f8e113d46f7f72202526f051..df93c5bbcee7496fbdafd419cff9932c675f88f2 100644 (file)
--- a/res/res_phoneprov.c
+++ b/res/res_phoneprov.c
@@ -1193,8 +1193,7 @@ static struct ast_http_uri phoneprovuri = {
 
 static struct varshead *get_defaults(void)
 {
-       struct ast_config *phoneprov_cfg;
-       struct ast_config *cfg;
+       struct ast_config *phoneprov_cfg, *cfg = CONFIG_STATUS_FILEINVALID;
        const char *value;
        struct ast_variable *v;
        struct ast_var_t *var;
@@ -1233,10 +1232,12 @@ static struct varshead *get_defaults(void)
        if (!value) {
                if ((cfg = ast_config_load("sip.conf", config_flags)) && cfg != CONFIG_STATUS_FILEINVALID) {
                        value = ast_variable_retrieve(cfg, "general", "bindport");
-                       ast_config_destroy(cfg);
                }
        }
        var = ast_var_assign(variable_lookup[AST_PHONEPROV_STD_SERVER_PORT], S_OR(value, "5060"));
+       if(cfg && cfg != CONFIG_STATUS_FILEINVALID) {
+               ast_config_destroy(cfg);
+       }
        AST_VAR_LIST_INSERT_TAIL(defaults, var);
 
        value = ast_variable_retrieve(phoneprov_cfg, "general", pp_general_lookup[AST_PHONEPROV_STD_PROFILE]);
@@ -1288,6 +1289,7 @@ static int load_users(void)
        if (!(cfg = ast_config_load("users.conf", config_flags))
                || cfg == CONFIG_STATUS_FILEINVALID) {
                ast_log(LOG_WARNING, "Unable to load users.conf\n");
+               ast_var_list_destroy(defaults);
                return -1;
        }
 
@@ -1337,6 +1339,7 @@ static int load_users(void)
                }
        }
        ast_config_destroy(cfg);
+       ast_var_list_destroy(defaults);
        return 0;
 }