Addresses AST-2011-010, remote crash in IAX2 driver

Thanks to twilson for identifying the issue and providing the patches.

AST-2011-010

git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.4@324627 65c4cc65-6c06-0410-ace0-fbb531ad65f3

diff --git a/channels/chan_iax2.c b/channels/chan_iax2.c
index b81a511240f6634ba31aeb5549d86b335421455e..1f82e8d82198202aa205671818c99e74642cdba1 100644 (file)
--- a/channels/chan_iax2.c
+++ b/channels/chan_iax2.c
@@ -4652,7 +4652,14 @@ static int iax2_setoption(struct ast_channel *c, int option, void *data, int dat
                /* these two cannot be sent, because they require a result */
                errno = ENOSYS;
                return -1;
-       default:
+       /* These options are sent to the other side across the network where
+        * they will be passed to whatever channel is bridged there. Don't
+        * do anything silly like pass an option that transmits pointers to
+        * memory on this machine to a remote machine to use */
+       case AST_OPTION_TONE_VERIFY:
+       case AST_OPTION_TDD:
+       case AST_OPTION_RELAXDTMF:
+       case AST_OPTION_AUDIO_MODE:
        {
                unsigned short callno = PTR_TO_CALLNO(c->tech_pvt);
                struct chan_iax2_pvt *pvt;
@@ -4680,7 +4687,12 @@ static int iax2_setoption(struct ast_channel *c, int option, void *data, int dat
                free(h);
                return res;
        }
+       default:
+               return -1;
        }
+
+       /* Just in case someone does a break instead of a return */
+       return -1;
 }
 
 static struct ast_frame *iax2_read(struct ast_channel *c) 

diff --git a/res/res_features.c b/res/res_features.c
index 65852253034f53b67cea855f8d6968ad8d54d338..fa73dcdef3f27196d01b54f189d1cda7a471e61b 100644 (file)
--- a/res/res_features.c
+++ b/res/res_features.c
@@ -2381,10 +2381,19 @@ int ast_bridge_call(struct ast_channel *chan,struct ast_channel *peer,struct ast
                                break;
                        case AST_CONTROL_OPTION:
                                aoh = f->data;
-                               /* Forward option Requests */
+                               /* Forward option Requests, but only ones we know are safe
+                                * These are ONLY sent by chan_iax2 and I'm not convinced that
+                                * they are useful. I haven't deleted them entirely because I
+                                * just am not sure of the ramifications of removing them. */
                                if (aoh && aoh->flag == AST_OPTION_FLAG_REQUEST) {
-                                       ast_channel_setoption(other, ntohs(aoh->option), aoh->data, 
-                                               f->datalen - sizeof(struct ast_option_header), 0);
+                                       switch (ntohs(aoh->option)) {
+                                       case AST_OPTION_TONE_VERIFY:
+                                       case AST_OPTION_TDD:
+                                       case AST_OPTION_RELAXDTMF:
+                                       case AST_OPTION_AUDIO_MODE:
+                                               ast_channel_setoption(other, ntohs(aoh->option), aoh->data, 
+                                                       f->datalen - sizeof(struct ast_option_header), 0);
+                                       }
                                }
                                break;
                        }