Merged revisions 377260,377263 via svnmerge from

file:///srv/subversion/repos/asterisk/trunk

................
  r377260 | file | 2012-12-05 10:51:58 -0600 (Wed, 05 Dec 2012) | 25 lines

  Fix a SIP request memory leak with TLS connections.

  During the TLS re-work in chan_sip some TLS specific code was moved
  into a separate function. This function operates on a copy of the
  incoming SIP request. This copy was never deinitialized causing a
  memory leak for each request processed.

  This function is now given a SIP request structure which it can use
  to copy the incoming request into. This reduces the amount of memory
  allocations done since the internal allocated components are reused
  between packets and also ensures the SIP request structure is
  deinitialized when the TLS connection is torn down.

  (closes issue ASTERISK-20763)
  Reported by: deti
  ........

  Merged revisions 377257 from http://svn.asterisk.org/svn/asterisk/branches/1.8
  ........

  Merged revisions 377258 from http://svn.asterisk.org/svn/asterisk/branches/10
  ........

  Merged revisions 377259 from http://svn.asterisk.org/svn/asterisk/branches/11
................
  r377263 | jrose | 2012-12-05 11:17:06 -0600 (Wed, 05 Dec 2012) | 21 lines

  res_srtp: Fix a crash caused by srtp_dealloc on an already dealloced session

  When srtp_create fails, the session may be dealloced or just not alloced. At
  the same time though, the session pointer might not be set to NULL in this
  process and attempting to srtp_dealloc it again will cause a segfault. This
  patch checks for failure of srtp_create and sets the session pointer to NULL
  if it fails.

  (closes issue ASTERISK-20499)
  Reported by: tootai
  Review: https://reviewboard.asterisk.org/r/2228/
  ........

  Merged revisions 377256 from http://svn.asterisk.org/svn/asterisk/branches/1.8
  ........

  Merged revisions 377261 from http://svn.asterisk.org/svn/asterisk/branches/10
  ........

  Merged revisions 377262 from http://svn.asterisk.org/svn/asterisk/branches/11
................

git-svn-id: https://origsvn.digium.com/svn/asterisk/team/mmichelson/threadpool@377270 65c4cc65-6c06-0410-ace0-fbb531ad65f3

diff --git a/channels/chan_sip.c b/channels/chan_sip.c
index 3e1e2c45d0bbf1051fdb49a360b83ec0f18e25cf..cabc2d14d6d2629248af4941ae0d71fba4cbe12f 100644 (file)
--- a/channels/chan_sip.c
+++ b/channels/chan_sip.c
@@ -2714,10 +2714,10 @@ static int sip_check_authtimeout(time_t start)
  * \retval -1 Failed to read data
  * \retval 0 Succeeded in reading data
  */
-static int sip_tls_read(struct sip_request *req, struct ast_tcptls_session_instance *tcptls_session, int authenticated, time_t start, struct sip_threadinfo *me)
+static int sip_tls_read(struct sip_request *req, struct sip_request *reqcpy, struct ast_tcptls_session_instance *tcptls_session,
+                       int authenticated, time_t start, struct sip_threadinfo *me)
 {
        int res, content_length, after_poll = 1, need_poll = 1;
-       struct sip_request reqcpy = { 0, };
        char buf[1024] = "";
        int timeout = -1;
 
@@ -2771,10 +2771,10 @@ static int sip_tls_read(struct sip_request *req, struct ast_tcptls_session_insta
                }
                ast_str_append(&req->data, 0, "%s", buf);
        }
-       copy_request(&reqcpy, req);
-       parse_request(&reqcpy);
+       copy_request(reqcpy, req);
+       parse_request(reqcpy);
        /* In order to know how much to read, we need the content-length header */
-       if (sscanf(sip_get_header(&reqcpy, "Content-Length"), "%30d", &content_length)) {
+       if (sscanf(sip_get_header(reqcpy, "Content-Length"), "%30d", &content_length)) {
                while (content_length > 0) {
                        size_t bytes_read;
                        if (!tcptls_session->client && !authenticated) {
@@ -3187,7 +3187,7 @@ static void *_sip_tcp_helper_thread(struct ast_tcptls_session_instance *tcptls_s
                        }
                        req.socket.fd = tcptls_session->fd;
                        if (tcptls_session->ssl) {
-                               res = sip_tls_read(&req, tcptls_session, authenticated, start, me);
+                               res = sip_tls_read(&req, &reqcpy, tcptls_session, authenticated, start, me);
                        } else {
                                res = sip_tcp_read(&req, tcptls_session, authenticated, start);
                        }

diff --git a/res/res_srtp.c b/res/res_srtp.c
index f651c406751c71372a9c31ea902931f62e1c64df..b9499f8f1c7da54b5ece833833d5e71b8267838f 100644 (file)
--- a/res/res_srtp.c
+++ b/res/res_srtp.c
@@ -383,6 +383,8 @@ tryagain:
                                        retry++;
                                        ao2_iterator_destroy(&it);
                                        goto tryagain;
+                               } else {
+                                       srtp->session = NULL;
                                }
                                ao2_t_ref(policy, -1, "Unreffing first policy after srtp_create failed");
                        }
@@ -437,6 +439,8 @@ static int ast_srtp_create(struct ast_srtp **srtp, struct ast_rtp_instance *rtp,
 
        /* Any failures after this point can use ast_srtp_destroy to destroy the instance */
        if (srtp_create(&temp->session, &policy->sp) != err_status_ok) {
+               /* Session either wasn't created or was created and dealloced. */
+               temp->session = NULL;
                ast_srtp_destroy(temp);
                return -1;
        }