Merged revisions 324627 via svnmerge from

https://origsvn.digium.com/svn/asterisk/branches/1.4

........
  r324627 | dvossel | 2011-06-23 13:16:52 -0500 (Thu, 23 Jun 2011) | 7 lines

  Addresses AST-2011-010, remote crash in IAX2 driver

  Thanks to twilson for identifying the issue and providing the patches.

  AST-2011-010
........

git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.6.2@324634 65c4cc65-6c06-0410-ace0-fbb531ad65f3

diff --git a/channels/chan_iax2.c b/channels/chan_iax2.c
index 952092db82bf805b3fa5055540d57338b0b05930..6aea5fd69b16fc49b8b98a903c864c907015ab43 100644 (file)
--- a/channels/chan_iax2.c
+++ b/channels/chan_iax2.c
@@ -5081,7 +5081,14 @@ static int iax2_setoption(struct ast_channel *c, int option, void *data, int dat
        case AST_OPTION_OPRMODE:
                errno = EINVAL;
                return -1;
-       default:
+       /* These options are sent to the other side across the network where
+        * they will be passed to whatever channel is bridged there. Don't
+        * do anything silly like pass an option that transmits pointers to
+        * memory on this machine to a remote machine to use */
+       case AST_OPTION_TONE_VERIFY:
+       case AST_OPTION_TDD:
+       case AST_OPTION_RELAXDTMF:
+       case AST_OPTION_AUDIO_MODE:
        {
                unsigned short callno = PTR_TO_CALLNO(c->tech_pvt);
                struct chan_iax2_pvt *pvt;
@@ -5109,7 +5116,12 @@ static int iax2_setoption(struct ast_channel *c, int option, void *data, int dat
                ast_free(h);
                return res;
        }
+       default:
+               return -1;
        }
+
+       /* Just in case someone does a break instead of a return */
+       return -1;
 }
 
 static struct ast_frame *iax2_read(struct ast_channel *c) 

diff --git a/main/features.c b/main/features.c
index c83b01456fdd5aab1bc9f9e49dbaae2b8a8b1afd..b57d7d137ce8298113386d72a9efa577aaecf57a 100644 (file)
--- a/main/features.c
+++ b/main/features.c
@@ -3132,10 +3132,19 @@ int ast_bridge_call(struct ast_channel *chan,struct ast_channel *peer,struct ast
                                break;
                        case AST_CONTROL_OPTION:
                                aoh = f->data.ptr;
-                               /* Forward option Requests */
+                               /* Forward option Requests, but only ones we know are safe
+                                * These are ONLY sent by chan_iax2 and I'm not convinced that
+                                * they are useful. I haven't deleted them entirely because I
+                                * just am not sure of the ramifications of removing them. */
                                if (aoh && aoh->flag == AST_OPTION_FLAG_REQUEST) {
-                                       ast_channel_setoption(other, ntohs(aoh->option), aoh->data, 
-                                               f->datalen - sizeof(struct ast_option_header), 0);
+                                       switch (ntohs(aoh->option)) {
+                                       case AST_OPTION_TONE_VERIFY:
+                                       case AST_OPTION_TDD:
+                                       case AST_OPTION_RELAXDTMF:
+                                       case AST_OPTION_AUDIO_MODE:
+                                               ast_channel_setoption(other, ntohs(aoh->option), aoh->data, 
+                                                       f->datalen - sizeof(struct ast_option_header), 0);
+                                       }
                                }
                                break;
                        }