From 3c6ba6fa5a6942a9894ec169e6fd00523aa9684d Mon Sep 17 00:00:00 2001
From: Matthew Jordan
Date: Mon, 16 Apr 2012 21:57:19 +0000
Subject: [PATCH] Fix negative return handling in channel drivers In chan_agent, while handling a channel indicate, the agent channel driver must obtain a lock on both the agent channel, as well as the channel the agent channel is using. To do so, it attempts to lock the other channel first, then unlock the agent channel which is locked prior to entry into the indicate handler. If this unlock fails with a negative return value, which can occur if the object passed to agent_indicate is an invalid ao2 object or is NULL, the return value is passed directly to strerror, which can only accept positive integer values. In chan_dahdi, the return value of dahdi_get_index is used to directly index into the sub-channel array. If dahd_get_index returns a negative value, it would use that value to index into the array, which could cause an invalid memory access. If dahdi_get_index returns a negative number, we now default to SUB_REAL. (issue ASTERISK-19655) Reported by: Matt Jordan Review: https://reviewboard.asterisk.org/r/1863/ ........ Merged revisions 362204 from http://svn.asterisk.org/svn/asterisk/branches/1.8 git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/10@362205 65c4cc65-6c06-0410-ace0-fbb531ad65f3
---
 channels/chan_agent.c | 2 +-
 channels/chan_dahdi.c | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/channels/chan_agent.c b/channels/chan_agent.c
index 979cbba344..1acbc82e49 100644
--- a/channels/chan_agent.c
+++ b/channels/chan_agent.c
@@ -779,7 +779,7 @@ static int agent_indicate(struct ast_channel *ast, int condition, const void *da
 while (ast_channel_trylock(p->chan)) {
 int res;
 if ((res = ast_channel_unlock(ast))) {
- ast_log(LOG_ERROR, "chan_agent bug! Channel was not locked upon entry to agent_indicate: %s\n", strerror(res));
+ ast_log(LOG_ERROR, "chan_agent bug! Channel was not locked upon entry to agent_indicate: %s\n", res > 0 ? strerror(res) : "Bad ao2obj data");
 ast_mutex_unlock(&p->lock);
 return -1;
 }
diff --git a/channels/chan_dahdi.c b/channels/chan_dahdi.c
index 66692175e7..6c52a05613 100644
--- a/channels/chan_dahdi.c
+++ b/channels/chan_dahdi.c
@@ -8811,7 +8811,9 @@ static struct ast_frame *__dahdi_exception(struct ast_channel *ast)
 int usedindex = -1;
 struct dahdi_pvt *p = ast->tech_pvt;
- idx = dahdi_get_index(ast, p, 1);
+ if ((idx = dahdi_get_index(ast, p, 0)) < 0) {
+ idx = SUB_REAL;
+ }
 p->subs[idx].f.frametype = AST_FRAME_NULL;
 p->subs[idx].f.datalen = 0;
-- 
2.47.2
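Review bot: The log text in agent_indicate still says the channel "was not locked upon entry" on the new negative-`res` branch, where, per the commit message, the actual cause is an invalid or NULL ao2 object, so the message misstates the failure that the fallback string is meant to describe. A short comment above the `ast_log` call would record why the guard exists, for example `/* ast_channel_unlock() returns a negative value, not an errno, for an invalid or NULL ao2 object; strerror() must only see res > 0 */`. Other places in this driver that pass an unlock return value straight to `strerror` would need the same guard; none are visible from this hunk, which cuts agent_indicate at both ends.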
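Review bot: Falling back to `SUB_REAL` when `dahdi_get_index` fails keeps `p->subs[idx]` in bounds, but __dahdi_exception then goes on to overwrite the real sub-channel's frame fields for a channel that owns no sub-channel, and nothing in the hunk records why that is safe. The call's third argument also changes from `1` to `0`, which the commit message does not explain; if that argument controls whether a failed lookup is logged (an assumption, since the helper is not shown), the comment should say so. Suggested comment above the `if`: `/* A negative index would read and write outside p->subs[]; fall back to the real sub-channel instead. */`. The function body continues past the hunk, and any other caller that indexes `p->subs[]` with the raw return value would need the same check.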