From: Pirmin Walthert Date: Tue, 14 Apr 2020 15:31:15 +0000 (+0200) Subject: res_rtp_asterisk: Free payload when error on insertion to data buffer X-Git-Tag: 17.4.0-rc1~19 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=26dec6659883d5145a13e09465dbf0504f06cefe;p=thirdparty%2Fasterisk.git res_rtp_asterisk: Free payload when error on insertion to data buffer When the ast_data_buffer_put rejects to add a packet, for example because the buffer already contains a packet with the same sequence number, the payload will never be freed, resulting in a memory leak. The data buffer will now return an error if this situation occurs allowing the caller to free the payload. The res_rtp_asterisk module has also been updated to do this. ASTERISK-28826 Change-Id: Ie6c49495d1c921d5f997651c7d0f79646f095cf1 --- diff --git a/main/data_buffer.c b/main/data_buffer.c index cfc323c680..85e79711c4 100644 --- a/main/data_buffer.c +++ b/main/data_buffer.c @@ -254,7 +254,7 @@ int ast_data_buffer_put(struct ast_data_buffer *buffer, size_t pos, void *payloa AST_LIST_TRAVERSE_SAFE_END; if (inserted == -1) { - return 0; + return -1; } if (!inserted) { diff --git a/res/res_rtp_asterisk.c b/res/res_rtp_asterisk.c index 4fc42177ce..5dd5d355f1 100644 --- a/res/res_rtp_asterisk.c +++ b/res/res_rtp_asterisk.c @@ -4991,7 +4991,9 @@ static int rtp_raw_write(struct ast_rtp_instance *instance, struct ast_frame *fr if (payload) { payload->size = packet_len; memcpy(payload->buf, rtpheader, packet_len); - ast_data_buffer_put(rtp->send_buffer, rtp->seqno, payload); + if (ast_data_buffer_put(rtp->send_buffer, rtp->seqno, payload) == -1) { + ast_free(payload); + } } } @@ -7938,7 +7940,9 @@ static struct ast_frame *ast_rtp_read(struct ast_rtp_instance *instance, int rtc payload->size = res; memcpy(payload->buf, rtpheader, res); - ast_data_buffer_put(rtp->recv_buffer, seqno, payload); + if (ast_data_buffer_put(rtp->recv_buffer, seqno, payload) == -1) { + ast_free(payload); + } /* If this sequence number is removed that means we had a gap and this packet has filled it in * some. Since it was part of the gap we will have already added any other missing sequence numbers