From: Alec L Davis <sivad.a@paradise.net.nz>
Date: Fri, 19 Mar 2010 08:05:06 +0000 (+0000)
Subject: Merged revisions 253490 via svnmerge from
X-Git-Tag: 1.6.2.7-rc1~35
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8b885f3d04fc8a84e5093dc87d2526abb77218fb;p=thirdparty%2Fasterisk.git

Merged revisions 253490 via svnmerge from
https://origsvn.digium.com/svn/asterisk/trunk

........
  r253490 | alecdavis | 2010-03-19 20:37:00 +1300 (Fri, 19 Mar 2010) | 19 lines

  prevent segfault if bad magic number is encountered.

  internal_ao2_ref uses INTERNAL_OBJ which mzy report 'bad magic number', but
  internal_ao2_ref continues on, causing segfault.

  Although AO2_MAGIC number is checked by INTERNAL_OBJ before internal_ao2_ref is
  called, A02_MAGIC is being destroyed (or a wrong pointer) by the time
  internal_ao2_ref uses INTERNAL_OBJ.

  internal_ao2_ref now returns -1 if INTERNAL_OBJ encouters a bad magic number.

  (issue #17037)
  Reported by: alecdavis
  Patches:
        bug17037.diff.txt uploaded by alecdavis (license 585)
  Tested by: alecdavis
........


git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.6.2@253492 65c4cc65-6c06-0410-ace0-fbb531ad65f3
---

diff --git a/main/astobj2.c b/main/astobj2.c
index 53f263946a..cab3e06e26 100644
--- a/main/astobj2.c
+++ b/main/astobj2.c
@@ -262,6 +262,9 @@ static int __ao2_ref(void *user_data, const int delta)
 	int current_value;
 	int ret;
 
+	if (obj == NULL)
+		return -1;
+
 	/* if delta is 0, just return the refcount */
 	if (delta == 0)
 		return (obj->priv_data.ref_counter);
@@ -498,7 +501,7 @@ static struct bucket_list *__ao2_link(struct ao2_container *c, void *user_data,
 	struct bucket_list *p;
 	struct astobj2 *obj = INTERNAL_OBJ(user_data);
 
-	if (!obj)
+	if (obj == NULL)
 		return NULL;
 
 	if (INTERNAL_OBJ(c) == NULL)