From: David Vossel <dvossel@digium.com>
Date: Thu, 23 Jun 2011 18:18:46 +0000 (+0000)
Subject: Merged revisions 324627 via svnmerge from
X-Git-Tag: 1.6.2.19-rc1~3^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dc16ba95de73d7ec62957f71c08cdb8b8d05a522;p=thirdparty%2Fasterisk.git

Merged revisions 324627 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.4

........
  r324627 | dvossel | 2011-06-23 13:16:52 -0500 (Thu, 23 Jun 2011) | 7 lines

  Addresses AST-2011-010, remote crash in IAX2 driver

  Thanks to twilson for identifying the issue and providing the patches.

  AST-2011-010
........


git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.6.2@324634 65c4cc65-6c06-0410-ace0-fbb531ad65f3
---

diff --git a/channels/chan_iax2.c b/channels/chan_iax2.c
index 952092db82..6aea5fd69b 100644
--- a/channels/chan_iax2.c
+++ b/channels/chan_iax2.c
@@ -5081,7 +5081,14 @@ static int iax2_setoption(struct ast_channel *c, int option, void *data, int dat
 	case AST_OPTION_OPRMODE:
 		errno = EINVAL;
 		return -1;
-	default:
+ 	/* These options are sent to the other side across the network where
+ 	 * they will be passed to whatever channel is bridged there. Don't
+ 	 * do anything silly like pass an option that transmits pointers to
+ 	 * memory on this machine to a remote machine to use */
+ 	case AST_OPTION_TONE_VERIFY:
+ 	case AST_OPTION_TDD:
+ 	case AST_OPTION_RELAXDTMF:
+ 	case AST_OPTION_AUDIO_MODE:
 	{
 		unsigned short callno = PTR_TO_CALLNO(c->tech_pvt);
 		struct chan_iax2_pvt *pvt;
@@ -5109,7 +5116,12 @@ static int iax2_setoption(struct ast_channel *c, int option, void *data, int dat
 		ast_free(h);
 		return res;
 	}
+	default:
+		return -1;
 	}
+
+	/* Just in case someone does a break instead of a return */
+	return -1;
 }
 
 static struct ast_frame *iax2_read(struct ast_channel *c) 
diff --git a/main/features.c b/main/features.c
index c83b01456f..b57d7d137c 100644
--- a/main/features.c
+++ b/main/features.c
@@ -3132,10 +3132,19 @@ int ast_bridge_call(struct ast_channel *chan,struct ast_channel *peer,struct ast
 				break;
 			case AST_CONTROL_OPTION:
 				aoh = f->data.ptr;
-				/* Forward option Requests */
+				/* Forward option Requests, but only ones we know are safe
+				 * These are ONLY sent by chan_iax2 and I'm not convinced that
+				 * they are useful. I haven't deleted them entirely because I
+				 * just am not sure of the ramifications of removing them. */
 				if (aoh && aoh->flag == AST_OPTION_FLAG_REQUEST) {
-					ast_channel_setoption(other, ntohs(aoh->option), aoh->data, 
-						f->datalen - sizeof(struct ast_option_header), 0);
+				   	switch (ntohs(aoh->option)) {
+					case AST_OPTION_TONE_VERIFY:
+					case AST_OPTION_TDD:
+					case AST_OPTION_RELAXDTMF:
+					case AST_OPTION_AUDIO_MODE:
+						ast_channel_setoption(other, ntohs(aoh->option), aoh->data, 
+							f->datalen - sizeof(struct ast_option_header), 0);
+					}
 				}
 				break;
 			}