file:///srv/subversion/repos/asterisk/branches/10
........
r368947 | mjordan | 2012-06-14 12:31:33 -0500 (Thu, 14 Jun 2012) | 21 lines
AST-2012-009: Fix crash in chan_skinny due to Key Pad Button Message handling
AST-2012-008 (r367844) fixed a denial of service attack exploitable in the
Skinny channel driver that occurred when certain messages are sent after a
previously registered station sends an Off Hook message. Unresolved in that
patch is an issue in the Asterisk 10 releases, wherein, if a Station Key
Pad Button Message is processed after an Off Hook message, the channel driver
will inappropriately dereference a NULL pointer.
This patch fixes those places where the message handling or the channel
callback functions would attempt to dereference the line's pointer to the
device.
(issue ASTERISK-19905)
Reported by: Christoph Hebeisen
Tested by: mjordan, Christoph Hebeisen
Patches:
AST-2012-009-10.diff uploaded by mjordan (license 6283)
........
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/10-digiumphones@368960
65c4cc65-6c06-0410-ace0-
fbb531ad65f3
pthread_t t;
int actualstate = state;
+ if (!l->device) {
+ ast_log(LOG_WARNING, "Device for line %s is not registered.\n", l->name);
+ return;
+ }
+
if (sub->substate == SUBSTATE_ONHOOK) {
return;
}
struct skinny_subchannel *activatesub = NULL;
struct skinny_subchannel *tsub;
+ if (!l->device) {
+ ast_log(LOG_WARNING, "Device for line %s is not registered.\n", l->name);
+ return;
+ }
+
if (skinnydebug) {
ast_verb(3, "Sub %d - Dumping\n", sub->callid);
}
-
+
if (!forcehangup && sub->substate == SUBSTATE_HOLD) {
l->activesub = NULL;
return;
}
-
+
if (sub == l->activesub) {
d->hookstate = SKINNY_ONHOOK;
transmit_speaker_mode(d, SKINNY_SPEAKEROFF);
projects / thirdparty / asterisk.git / commitdiff
