Author: file
Date: Wed Nov 12 10:11:37 2014
New Revision: 427710

URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=427710
Log:
pbx: Fix off-nominal case where a freed extension may still be used.

If during the operation of adding an extension a priority is added but fails it is possible for the extension to be freed but still exist in the PBX core. If this occurs subsequent lookups may try to access the extension and end up in freed memory.

This change removes the extension from the PBX core when the priority addition fails and then frees the extension.

ASTERISK-24444 #close
Reported by: Leandro Dardini

Review: https://reviewboard.asterisk.org/r/4162/
........

Merged revisions 427709 from http://svn.asterisk.org/svn/asterisk/branches/11

Modified:
    branches/12/ (props changed)
    branches/12/main/pbx.c

Propchange: branches/12/
------------------------------------------------------------------------------
Binary property 'branch-11-merged' - no diff available.

Modified: branches/12/main/pbx.c URL: http://svnview.digium.com/svn/asterisk/branches/12/main/pbx.c?view=diff&rev=427710&r1=427709&r2=427710 ============================================================================== --- branches/12/main/pbx.c (original) +++ branches/12/main/pbx.c Wed Nov 12 10:11:37 2014 @@ -9728,13 +9728,7 @@ "Unable to register extension '%s' priority %d in '%s', already in use\n", tmp->exten, tmp->priority, con->name); } - if (tmp->datad) { - tmp->datad(tmp->data); - /* if you free this, null it out */ - tmp->data = NULL; - } - - ast_free(tmp); + return -1; } /* we are replacing e, so copy the link fields and then update
@@ -10018,6 +10012,26 @@ } if (e && res == 0) { /* exact match, insert in the priority chain */ res = add_priority(con, tmp, el, e, replace); + if (res < 0) { + if (con->pattern_tree) { + struct match_char *x = add_exten_to_pattern_tree(con, tmp, 1); + + if (x->exten) { + x->deleted = 1; + x->exten = 0; + } + + ast_hashtab_remove_this_object(con->root_table, tmp); + } + + if (tmp->datad) { + tmp->datad(tmp->data); + /* if you free this, null it out */ + tmp->data = NULL; + } + + ast_free(tmp); + } if (lock_context) { ast_unlock_context(con); }
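
Review bot: in the first hunk (@@ -9728), the "already in use" path now reaches `return -1;` with `tmp` and `tmp->data` still allocated, so ownership on failure moves to the caller and nothing in the hunk documents that. Add a comment at that return (or in the function's doc comment) stating that the caller must run `tmp->datad` and `ast_free(tmp)` on a negative result, and check every call site. The only cleanup visible in this patch is the one after the `add_priority()` call in the second hunk, so any other caller of this path would now leak.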
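
Review bot: in the second hunk (@@ -10018), `x` is dereferenced in `if (x->exten)` with no check that `add_exten_to_pattern_tree(con, tmp, 1)` returned a node. If that call can return NULL, this error path crashes instead of cleaning up, so guard it with `if (x && x->exten)`. Also, `ast_hashtab_remove_this_object(con->root_table, tmp)` sits inside `if (con->pattern_tree)`, so when no pattern tree exists the `root_table` removal is skipped while `ast_free(tmp)` still runs; unless the two structures are always created together, move the removal out of that block.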
