Merged revisions 253490 via svnmerge from

https://origsvn.digium.com/svn/asterisk/trunk

........
  r253490 | alecdavis | 2010-03-19 20:37:00 +1300 (Fri, 19 Mar 2010) | 19 lines

  prevent segfault if bad magic number is encountered.

  internal_ao2_ref uses INTERNAL_OBJ which mzy report 'bad magic number', but
  internal_ao2_ref continues on, causing segfault.

  Although AO2_MAGIC number is checked by INTERNAL_OBJ before internal_ao2_ref is
  called, A02_MAGIC is being destroyed (or a wrong pointer) by the time
  internal_ao2_ref uses INTERNAL_OBJ.

  internal_ao2_ref now returns -1 if INTERNAL_OBJ encouters a bad magic number.

  (issue #17037)
  Reported by: alecdavis
  Patches:
        bug17037.diff.txt uploaded by alecdavis (license 585)
  Tested by: alecdavis
........

git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.6.2@253492 65c4cc65-6c06-0410-ace0-fbb531ad65f3

diff --git a/main/astobj2.c b/main/astobj2.c
index 53f263946a87201c6829fb3ff4bb5bc830347dc3..cab3e06e26ed4d3ea0139f91a452af5100ce7486 100644 (file)
--- a/main/astobj2.c
+++ b/main/astobj2.c
@@ -262,6 +262,9 @@ static int __ao2_ref(void *user_data, const int delta)
        int current_value;
        int ret;
 
+       if (obj == NULL)
+               return -1;
+
        /* if delta is 0, just return the refcount */
        if (delta == 0)
                return (obj->priv_data.ref_counter);
@@ -498,7 +501,7 @@ static struct bucket_list *__ao2_link(struct ao2_container *c, void *user_data,
        struct bucket_list *p;
        struct astobj2 *obj = INTERNAL_OBJ(user_data);
 
-       if (!obj)
+       if (obj == NULL)
                return NULL;
 
        if (INTERNAL_OBJ(c) == NULL)