Author: coreyfarrell Date: Mon Nov 17 10:00:54 2014 New Revision: 428119 URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=428119 Log: chan_sip: Fix theoretical leak of p->refer.
If transmit_refer is called when p->refer is already allocated, it leaks the previous allocation. Updated code to always free previous allocation during a new allocation. Also instead of checking if we have a previous allocation, always create a clean record. ASTERISK-15242 #close Reported by: David Woolley Review: https://reviewboard.asterisk.org/r/4160/ ........ Merged revisions 428117 from http://svn.asterisk.org/svn/asterisk/branches/11 ........ Merged revisions 428118 from http://svn.asterisk.org/svn/asterisk/branches/12 Modified: branches/13/ (props changed) branches/13/channels/chan_sip.c Propchange: branches/13/ ------------------------------------------------------------------------------ Binary property 'branch-12-merged' - no diff available. Modified: branches/13/channels/chan_sip.c URL: http://svnview.digium.com/svn/asterisk/branches/13/channels/chan_sip.c?view=diff&rev=428119&r1=428118&r2=428119 ==============================================================================
--- branches/13/channels/chan_sip.c (original)
+++ branches/13/channels/chan_sip.c Mon Nov 17 10:00:54 2014
@@ -1257,6 +1257,7 @@
 static struct ast_channel *sip_pvt_lock_full(struct sip_pvt *pvt);
 /* static int sip_addrcmp(char *name, struct sockaddr_in *sin); Support for peer matching */
 static int sip_refer_alloc(struct sip_pvt *p);
+static void sip_refer_destroy(struct sip_pvt *p);
 static int sip_notify_alloc(struct sip_pvt *p);
 static int do_magic_pickup(struct ast_channel *channel, const char *extension, const char *context);
 static void set_peer_nat(const struct sip_pvt *p, struct sip_peer *peer);
@@ -6476,11 +6477,7 @@
 ast_udptl_destroy(p->udptl);
 p->udptl = NULL;
 }
- if (p->refer) {
- ast_string_field_free_memory(p->refer);
- ast_free(p->refer);
- p->refer = NULL;
- }
+ sip_refer_destroy(p);
 sip_route_clear(&p->route);
 deinit_req(&p->initreq);
@@ -15555,8 +15552,19 @@
 /*! \brief Allocate SIP refer structure */
 static int sip_refer_alloc(struct sip_pvt *p)
 {
+ sip_refer_destroy(p);
 p->refer = ast_calloc_with_stringfields(1, struct sip_refer, 512);
 return p->refer ? 1 : 0;
+}
+
+/*! \brief Destroy SIP refer structure */
+static void sip_refer_destroy(struct sip_pvt *p)
+{
+ if (p->refer) {
+ ast_string_field_free_memory(p->refer);
+ ast_free(p->refer);
+ p->refer = NULL;
+ }
 }
 /*! \brief Allocate SIP refer structure */
@@ -18114,8 +18122,9 @@
 struct sip_refer *refer = NULL;
 const char *transfer_context = NULL;
- if (!p->refer && !sip_refer_alloc(p))
+ if (!sip_refer_alloc(p)) {
 return -1;
+ }
 refer = p->refer;
@@ -25233,7 +25242,7 @@
 replace_id = ast_strdupa(p_replaces);
 ast_uri_decode(replace_id, ast_uri_sip_user);
- if (!p->refer && !sip_refer_alloc(p)) {
+ if (!sip_refer_alloc(p)) {
 transmit_response_reliable(p, "500 Server Internal Error", req);
 append_history(p, "Xfer", "INVITE/Replace Failed. Out of memory.");
 sip_scheddestroy(p, DEFAULT_TRANS_TIMEOUT);
@@ -26092,7 +26101,7 @@
 }
 /* Allocate memory for call transfer data */
- if (!p->refer && !sip_refer_alloc(p)) {
+ if (!sip_refer_alloc(p)) {
 transmit_response(p, "500 Internal Server Error", req);
 append_history(p, "Xfer", "Refer failed. Memory allocation error.");
 return -3;
-- _____________________________________________________________________ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- svn-commits mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/svn-commits
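Review bot: The new `sip_refer_destroy(p);` at the top of sip_refer_alloc() makes an allocator free the existing record, so every pointer previously taken from p->refer becomes dangling, yet the doc comment still says only "Allocate SIP refer structure". The three call sites in the later hunks (-18114, -25233 and -26092, all inside functions that begin outside the hunks) now reach it unconditionally, and the last two look like request-handling paths, so a second request on the same dialog would discard the earlier transfer state. Whether any code can still hold a `refer` local at that point cannot be confirmed from these hunks, nor whether the old record owns references beyond its string fields, which are all sip_refer_destroy() releases besides the struct itself; both are worth checking for use-after-free and leaked references. I would at least change the comment to `/*! \brief Allocate a clean SIP refer structure, freeing any existing p->refer (pointers into the old record become invalid) */`. On allocation failure p->refer is now left NULL instead of keeping the previous record, which callers should also be told.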
