From: Joshua Colp Date: Wed, 12 Nov 2014 16:11:37 +0000 (+0000) Subject: pbx: Fix off-nominal case where a freed extension may still be used. X-Git-Tag: 12.8.0-rc1~52 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a629f92eed7e9bfd3575b75ad6b0937e5200bd5f;p=thirdparty%2Fasterisk.git pbx: Fix off-nominal case where a freed extension may still be used. If during the operation of adding an extension a priority is added but fails it is possible for the extension to be freed but still exist in the PBX core. If this occurs subsequent lookups may try to access the extension and end up in freed memory. This change removes the extension from the PBX core when the priority addition fails and then frees the extension. ASTERISK-24444 #close Reported by: Leandro Dardini Review: https://reviewboard.asterisk.org/r/4162/ ........ Merged revisions 427709 from http://svn.asterisk.org/svn/asterisk/branches/11 git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/12@427710 65c4cc65-6c06-0410-ace0-fbb531ad65f3 --- diff --git a/main/pbx.c b/main/pbx.c index b1f8ad6ca0..cc686558fd 100644 --- a/main/pbx.c +++ b/main/pbx.c @@ -9728,13 +9728,7 @@ static int add_priority(struct ast_context *con, struct ast_exten *tmp, "Unable to register extension '%s' priority %d in '%s', already in use\n", tmp->exten, tmp->priority, con->name); } - if (tmp->datad) { - tmp->datad(tmp->data); - /* if you free this, null it out */ - tmp->data = NULL; - } - ast_free(tmp); return -1; } /* we are replacing e, so copy the link fields and then update 
@@ -10018,6 +10012,26 @@ static int ast_add_extension2_lockopt(struct ast_context *con, } if (e && res == 0) { /* exact match, insert in the priority chain */ res = add_priority(con, tmp, el, e, replace); + if (res < 0) { + if (con->pattern_tree) { + struct match_char *x = add_exten_to_pattern_tree(con, tmp, 1); + + if (x->exten) { + x->deleted = 1; + x->exten = 0; + } + + ast_hashtab_remove_this_object(con->root_table, tmp); + } + + if (tmp->datad) { + tmp->datad(tmp->data); + /* if you free this, null it out */ + tmp->data = NULL; + } + + ast_free(tmp); + } if (lock_context) { ast_unlock_context(con); }
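
Review bot: In the first hunk (add_priority, the "already in use" failure path), returning -1 no longer frees tmp or runs tmp->datad, so ownership of tmp on failure silently moves to the caller, and nothing in the hunk documents that. Please add a comment at add_priority stating that on a -1 return tmp is left allocated and the caller must run datad and ast_free it. Also confirm that every other call site of add_priority now does this cleanup. Only the call in ast_add_extension2_lockopt is updated in this patch, and any caller that still relies on the old behaviour will leak tmp and its data.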
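
Review bot: In the second hunk (ast_add_extension2_lockopt, the new res < 0 block), x is dereferenced in "if (x->exten)" immediately after add_exten_to_pattern_tree(con, tmp, 1) with no NULL check. If that call can return NULL for this argument, the error path itself crashes, so guard it with "if (x && x->exten)". Two related points in the same block. First, the test clears whatever extension the node holds rather than checking that it is tmp. This branch is the exact-match case, where an existing extension e is already registered, so comparing x->exten against tmp before setting deleted would avoid unlinking an entry that is still live. Second, ast_hashtab_remove_this_object(con->root_table, tmp) sits inside the con->pattern_tree check, so the hash table removal is skipped whenever there is no pattern tree. If that coupling is intentional it deserves a comment, otherwise move the removal out of the conditional. Minor: x->exten is a pointer, so assign NULL rather than 0.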