In chan_agent, while handling a channel indicate, the agent channel driver
must obtain a lock on both the agent channel, as well as the channel the
agent channel is using. To do so, it attempts to lock the other channel
first, then unlock the agent channel which is locked prior to entry into
the indicate handler. If this unlock fails with a negative return value,
which can occur if the object passed to agent_indicate is an invalid ao2
object or is NULL, the return value is passed directly to strerror, which
can only accept positive integer values.
In chan_dahdi, the return value of dahdi_get_index is used to directly
index into the sub-channel array. If dahd_get_index returns a negative
value, it would use that value to index into the array, which could cause
an invalid memory access. If dahdi_get_index returns a negative number,
we now default to SUB_REAL.
(issue ASTERISK-19655)
Reported by: Matt Jordan
Review: https://reviewboard.asterisk.org/r/1863/
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@362204
65c4cc65-6c06-0410-ace0-
fbb531ad65f3
while (ast_channel_trylock(p->chan)) {
int res;
if ((res = ast_channel_unlock(ast))) {
- ast_log(LOG_ERROR, "chan_agent bug! Channel was not locked upon entry to agent_indicate: %s\n", strerror(res));
+ ast_log(LOG_ERROR, "chan_agent bug! Channel was not locked upon entry to agent_indicate: %s\n", res > 0 ? strerror(res) : "Bad ao2obj data");
ast_mutex_unlock(&p->lock);
return -1;
}
int usedindex = -1;
struct dahdi_pvt *p = ast->tech_pvt;
- idx = dahdi_get_index(ast, p, 1);
+ if ((idx = dahdi_get_index(ast, p, 0)) < 0) {
+ idx = SUB_REAL;
+ }
p->subs[idx].f.frametype = AST_FRAME_NULL;
p->subs[idx].f.datalen = 0;
projects / thirdparty / asterisk.git / commitdiff
