From: Richard Mudgett Date: Tue, 1 Nov 2016 18:13:13 +0000 (-0500) Subject: bundled pjproject: Fix DNS write to freed memory. X-Git-Tag: 13.13.0-rc1~52^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=afecb2cfc084db522cf570aa2210056b1c396196;p=thirdparty%2Fasterisk.git bundled pjproject: Fix DNS write to freed memory. PJPROJECT 2.5.5 introduced a race condition with the -r5349 IPv6 DNS patch. The patch below fixes a write to freed memory under certain DNS lookup conditions. 0006-r5477-svn-backport-Fix-DNS-write-on-freed-memory.patch ASTERISK-26516 Reported by: Richard Mudgett Change-Id: Ifdfae9ecf1e41b53080f33aab44ce1a220f349c5 --- diff --git a/third-party/pjproject/patches/0006-r5477-svn-backport-Fix-DNS-write-on-freed-memory.patch b/third-party/pjproject/patches/0006-r5477-svn-backport-Fix-DNS-write-on-freed-memory.patch new file mode 100644 index 0000000000..f70dd45e7a --- /dev/null +++ b/third-party/pjproject/patches/0006-r5477-svn-backport-Fix-DNS-write-on-freed-memory.patch 
@@ -0,0 +1,33 @@ +From 732a997010d60fe93a7453e809672386749b0afc Mon Sep 17 00:00:00 2001 +From: Richard Mudgett +Date: Tue, 1 Nov 2016 12:55:31 -0500 +Subject: [PATCH] r5477 svn backport Fix DNS write on freed memory. + +Re #1974: Fix DNS write on freed memory. +Thanks to Richard Mudgett for the patch. +--- + pjlib-util/src/pjlib-util/resolver.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/pjlib-util/src/pjlib-util/resolver.c b/pjlib-util/src/pjlib-util/resolver.c +index 52b7655..365772e 100644 +--- a/pjlib-util/src/pjlib-util/resolver.c ++++ b/pjlib-util/src/pjlib-util/resolver.c +@@ -908,7 +908,13 @@ PJ_DEF(pj_status_t) pj_dns_resolver_start_query( pj_dns_resolver *resolver, + /* Must return PJ_SUCCESS */ + status = PJ_SUCCESS; + +- goto on_return; ++ /* ++ * We cannot write to *p_query after calling cb because what ++ * p_query points to may have been freed by cb. ++ * Refer to ticket #1974. ++ */ ++ pj_mutex_unlock(resolver->mutex); ++ return status; + } + + /* At this point, we have a cached entry, but this entry has expired. +-- +1.7.9.5 +
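Review bot: The new early return in pj_dns_resolver_start_query(), in the branch just above the "we have a cached entry, but this entry has expired" comment, duplicates the function's exit path by hand with `pj_mutex_unlock(resolver->mutex); return status;` in place of `goto on_return`. The on_return block is not visible in this hunk, so please confirm that releasing resolver->mutex is the only cleanup it performs besides the *p_query write; if it does anything else, this branch now skips it, and any cleanup added to on_return later will silently miss this path. I would extend the new comment to say that this return must mirror on_return minus the *p_query assignment, and to state what the caller should expect in *p_query on this path, since cb has already run and the output is deliberately not written here.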