git.ipfire.org Git - thirdparty/asterisk.git/commit

author	Joshua Colp <jcolp@digium.com>
	Wed, 10 Dec 2014 13:32:48 +0000 (13:32 +0000)
committer	Joshua Colp <jcolp@digium.com>
	Wed, 10 Dec 2014 13:32:48 +0000 (13:32 +0000)
commit	d321fd18d4b844505486420603e2e130409ca29b
tree	8c9f5b06e09b297385c361687f18fa171991f7a7	tree
parent	d05509182c70c5efb2af496fddea4b9e376ecacd	commit \| diff

res_http_websocket: Fix crash due to double freeing memory when receiving a payload length of zero.

Frames with a payload length of 0 were incorrectly handled in res_http_websocket.
Provided a frame with a payload had been received prior it was possible for a double
free to occur. The realloc operation would succeed (thus freeing the payload) but be
treated as an error. When the session was then torn down the payload would be
freed again causing a crash. The read function now takes this into account.

This change also fixes assumptions made by users of res_http_websocket. There is no
guarantee that a frame received from it will be NULL terminated.

ASTERISK-24472 #close
Reported by: Badalian Vyacheslav

Review: https://reviewboard.asterisk.org/r/4220/
Review: https://reviewboard.asterisk.org/r/4219/
........

Merged revisions 429270 from http://svn.asterisk.org/svn/asterisk/branches/11

git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/12@429272 65c4cc65-6c06-0410-ace0-fbb531ad65f3

channels/chan_sip.c		diff \| blob \| blame \| history
res/res_http_websocket.c		diff \| blob \| blame \| history
res/res_pjsip_transport_websocket.c		diff \| blob \| blame \| history