From: Matt Jordan Date: Wed, 29 Apr 2015 21:15:43 +0000 (-0500) Subject: main/rtp_engine: Fix DTLS double-free introduced by 0b6410c4f8 X-Git-Tag: 11.18.0-rc1~32 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=28fd06bdcd2bf7fef2c6d7aa8bd80b4f5ffc1633;p=thirdparty%2Fasterisk.git main/rtp_engine: Fix DTLS double-free introduced by 0b6410c4f8 The patch in 0b6410c4f8 did correctly fix a memory leak of the DTLS structures in the RTP engine. However, when a 'core reload' is issued, a double free of the memory pointed to by the char *'s in the DTLS configuration struct can occur, as ast_rtp_dtls_cfg_free does not set the pointers to NULL when they are freed. This patch sets those pointers to NULL, preventing a second call to ast_rtp_dtls_cfg_free from corrupting memory. ASTERISK-25022 Change-Id: I820471e6070a37e3c26f760118c86770e12f6115 --- diff --git a/main/rtp_engine.c b/main/rtp_engine.c index b16b5de968..13d003d4fb 100644 --- a/main/rtp_engine.c +++ b/main/rtp_engine.c @@ -2189,10 +2189,15 @@ void ast_rtp_dtls_cfg_copy(const struct ast_rtp_dtls_cfg *src_cfg, struct ast_rt void ast_rtp_dtls_cfg_free(struct ast_rtp_dtls_cfg *dtls_cfg) { ast_free(dtls_cfg->certfile); + dtls_cfg->certfile = NULL; ast_free(dtls_cfg->pvtfile); + dtls_cfg->pvtfile = NULL; ast_free(dtls_cfg->cipher); + dtls_cfg->cipher = NULL; ast_free(dtls_cfg->cafile); + dtls_cfg->cafile = NULL; ast_free(dtls_cfg->capath); + dtls_cfg->capath = NULL; } static void set_next_mime_type(const struct ast_format *format, int rtp_code, char *type, char *subtype, unsigned int sample_rate)
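Review bot: The reset-after-free pairs in ast_rtp_dtls_cfg_free (`ast_free(dtls_cfg->certfile);` followed by `dtls_cfg->certfile = NULL;`, and the same for pvtfile, cipher, cafile and capath) make the function safe to call twice on the same struct, but nothing in the hunk documents that callers may now rely on this. A short comment above the function saying that it may be called repeatedly and leaves all five members NULL would keep a later edit from dropping the resets. The resets only protect sequential calls on the same struct instance. If the two calls during 'core reload' can run concurrently, or operate on separate structs that hold the same pointer values, the second ast_free still sees a stale pointer. The commit message does not say which caller makes the second call; naming it there would show whether idempotent free is the intended contract or whether that caller should stop freeing a config it has already released. The five identical pairs could also be folded into one small helper or macro that frees and clears a member, so that a string member added to the struct later does not get freed without the reset.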