Fix unintential memory retention in stringfields.

* Fix missing / unreachable calls to __ast_string_field_release_active.
* Reset pool->used to zero when the current pool->active reaches zero.

ASTERISK-24307 #close
Reported by: Etienne Lessard
Tested by: ibercom, Etienne Lessard
Review: https://reviewboard.asterisk.org/r/4114/

git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@427380 65c4cc65-6c06-0410-ace0-fbb531ad65f3

diff --git a/include/asterisk/stringfields.h b/include/asterisk/stringfields.h
index 6812f5fce82c333dadaffee7a27010c3be892c1e..37aad7d6cec0afbbad94a083d750e6138867c7de 100644 (file)
--- a/include/asterisk/stringfields.h
+++ b/include/asterisk/stringfields.h
@@ -319,14 +319,16 @@ void __ast_string_field_release_active(struct ast_string_field_pool *pool_head,
        const char *__d__ = (data);                                                                                     \
        size_t __dlen__ = (__d__) ? strlen(__d__) + 1 : 1;                                                              \
        ast_string_field *__p__ = (ast_string_field *) (ptr);                                                           \
+       ast_string_field target = *__p__;                                                                               \
        if (__dlen__ == 1) {                                                                                            \
                __ast_string_field_release_active((x)->__field_mgr_pool, *__p__);                                       \
                *__p__ = __ast_string_field_empty;                                                                      \
        } else if ((__dlen__ <= AST_STRING_FIELD_ALLOCATION(*__p__)) ||                                                 \
                   (!__ast_string_field_ptr_grow(&(x)->__field_mgr, &(x)->__field_mgr_pool, __dlen__, __p__)) ||        \
-                  (*__p__ = __ast_string_field_alloc_space(&(x)->__field_mgr, &(x)->__field_mgr_pool, __dlen__))) {    \
-               if (*__p__ != (*ptr)) {                                                                                 \
-                       __ast_string_field_release_active((x)->__field_mgr_pool, (*ptr));                               \
+                  (target = __ast_string_field_alloc_space(&(x)->__field_mgr, &(x)->__field_mgr_pool, __dlen__))) {    \
+               if (target != *__p__) {                                                                                 \
+                       __ast_string_field_release_active((x)->__field_mgr_pool, *__p__);                               \
+                       *__p__ = target;                                                                                \
                }                                                                                                       \
                memcpy(* (void **) __p__, __d__, __dlen__);                                                             \
        }                                                                                                               \

diff --git a/main/utils.c b/main/utils.c
index 78c28a6c0235dbd0d425a0152d7b07819d0757e8..5ccd79e2eab28c6d84525184f3c070a8457419a9 100644 (file)
--- a/main/utils.c
+++ b/main/utils.c
@@ -1919,9 +1919,13 @@ void __ast_string_field_release_active(struct ast_string_field_pool *pool_head,
        for (pool = pool_head, prev = NULL; pool; prev = pool, pool = pool->prev) {
                if ((ptr >= pool->base) && (ptr <= (pool->base + pool->size))) {
                        pool->active -= AST_STRING_FIELD_ALLOCATION(ptr);
-                       if ((pool->active == 0) && prev) {
-                               prev->prev = pool->prev;
-                               ast_free(pool);
+                       if (pool->active == 0) {
+                               if (prev) {
+                                       prev->prev = pool->prev;
+                                       ast_free(pool);
+                               } else {
+                                       pool->used = 0;
+                               }
                        }
                        break;
                }
@@ -1966,6 +1970,11 @@ void __ast_string_field_ptr_build_va(struct ast_string_field_mgr *mgr,
                /* Are we out of memory? */
                return;
        }
+       if (res == 0) {
+               __ast_string_field_release_active(*pool_head, *ptr);
+               *ptr = __ast_string_field_empty;
+               return;
+       }
        needed = (size_t)res + 1; /* NUL byte */
 
        if (needed > available) {