Author: bebuild
Date: Wed Dec 10 08:27:26 2014
New Revision: 429306

URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=429306
Log:
Merge r429271 for AST-2014-019

Modified:
    certified/tags/11.6-cert9/   (props changed)
    certified/tags/11.6-cert9/ChangeLog
    certified/tags/11.6-cert9/channels/chan_sip.c
    certified/tags/11.6-cert9/res/res_http_websocket.c

Propchange: certified/tags/11.6-cert9/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Wed Dec 10 08:27:26 2014
@@ -1,3 +1,3 @@
 /branches/11:399513,401167,401179,401182,415825
 /certified/branches/1.8.15:382389
-/certified/branches/11.6:423426,426053,428300,428344,428397,428432
+/certified/branches/11.6:423426,426053,428300,428344,428397,428432,429271

Modified: certified/tags/11.6-cert9/ChangeLog
URL: 
http://svnview.digium.com/svn/asterisk/certified/tags/11.6-cert9/ChangeLog?view=diff&rev=429306&r1=429305&r2=429306
==============================================================================
--- certified/tags/11.6-cert9/ChangeLog (original)
+++ certified/tags/11.6-cert9/ChangeLog Wed Dec 10 08:27:26 2014
@@ -1,3 +1,25 @@
+2014-12-10  Asterisk Development Team <[email protected]>
+
+       * Certified Asterisk 11.6-cert9 Released.
+
+       * AST-2014-019: Fix crash when receiving a WebSocket packet with a
+         payload length of zero.
+
+         Frames with a payload length of 0 were incorrectly handled in
+         res_http_websocket. Provided a frame with a payload had been
+         received prior it was possible for a double free to occur. The
+         realloc operation would succeed (thus freeing the payload) but be
+         treated as an error. When the session was then torn down the payload
+         would be freed again causing a crash. The read function now takes
+         this into account.
+
+         This change also fixes assumptions made by users of
+         res_http_websocket. There is no guarantee that a frame received from
+         it will be NULL terminated.
+
+         ASTERISK-24472 #close
+         Reported by: Badalian Vyacheslav
+
 2014-11-20  Asterisk Development Team <[email protected]>
 
        * Certified Asterisk 11.6-cert8 Released.

Modified: certified/tags/11.6-cert9/channels/chan_sip.c
URL: 
http://svnview.digium.com/svn/asterisk/certified/tags/11.6-cert9/channels/chan_sip.c?view=diff&rev=429306&r1=429305&r2=429306
==============================================================================
--- certified/tags/11.6-cert9/channels/chan_sip.c (original)
+++ certified/tags/11.6-cert9/channels/chan_sip.c Wed Dec 10 08:27:26 2014
@@ -2604,12 +2604,16 @@
 
                if (opcode == AST_WEBSOCKET_OPCODE_TEXT || opcode == 
AST_WEBSOCKET_OPCODE_BINARY) {
                        struct sip_request req = { 0, };
+                       char data[payload_len + 1];
 
                        if (!(req.data = ast_str_create(payload_len + 1))) {
                                goto end;
                        }
 
-                       if (ast_str_set(&req.data, -1, "%s", payload) == 
AST_DYNSTR_BUILD_FAILED) {
+                       strncpy(data, payload, payload_len);
+                       data[payload_len] = '\0';
+
+                       if (ast_str_set(&req.data, -1, "%s", data) == 
AST_DYNSTR_BUILD_FAILED) {
                                deinit_req(&req);
                                goto end;
                        }
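Review bot: `char data[payload_len + 1];` is a variable-length array on the stack whose size is the payload length taken from the peer's WebSocket frame header, and nothing in the hunk bounds it; unless an upper limit on payload_len is enforced earlier in the enclosing function (not visible here), an oversized frame can exhaust the stack before the copy runs. The heap buffer `req.data` created on the line above is already sized to `payload_len + 1`, so either an explicit cap ahead of the VLA, e.g. `if (payload_len > MAX_SIP_WS_PAYLOAD /* placeholder, project limit */) { goto end; }`, or copying straight into the heap buffer avoids a remote-controlled stack allocation. The `strncpy(data, payload, payload_len);` on the next changed line is used as a bounded memcpy; since the point of the change is that `payload` is not NUL-terminated, `memcpy(data, payload, payload_len);` states that intent directly and does not stop early or zero-pad. The enclosing function starts and ends outside the hunk.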

Modified: certified/tags/11.6-cert9/res/res_http_websocket.c
URL: 
http://svnview.digium.com/svn/asterisk/certified/tags/11.6-cert9/res/res_http_websocket.c?view=diff&rev=429306&r1=429305&r2=429306
==============================================================================
--- certified/tags/11.6-cert9/res/res_http_websocket.c (original)
+++ certified/tags/11.6-cert9/res/res_http_websocket.c Wed Dec 10 08:27:26 2014
@@ -402,20 +402,27 @@
                        }
                }
 
-               if (!(new_payload = ast_realloc(session->payload, 
session->payload_len + *payload_len))) {
-                       *payload_len = 0;
-                       ast_websocket_close(session, 1009);
-                       return 0;
-               }
-
                /* Per the RFC for PING we need to send back an opcode with the 
application data as received */
                if (*opcode == AST_WEBSOCKET_OPCODE_PING) {
                        ast_websocket_write(session, AST_WEBSOCKET_OPCODE_PONG, 
*payload, *payload_len);
                }
 
-               session->payload = new_payload;
-               memcpy(session->payload + session->payload_len, *payload, 
*payload_len);
-               session->payload_len += *payload_len;
+               if (*payload_len) {
+                       if (!(new_payload = ast_realloc(session->payload, 
(session->payload_len + *payload_len)))) {
+                               ast_log(LOG_WARNING, "Failed allocation: %p, 
%zu, %"PRIu64"\n",
+                                       session->payload, session->payload_len, 
*payload_len);
+                               *payload_len = 0;
+                               ast_websocket_close(session, 1009);
+                               return 0;
+                       }
+ 
+                       session->payload = new_payload;
+                       memcpy((session->payload + session->payload_len), 
(*payload), (*payload_len));
+                       session->payload_len += *payload_len;
+               } else if (!session->payload_len && session->payload) {
+                       ast_free(session->payload);
+                       session->payload = NULL;
+               }
 
                if (!fin && session->reconstruct && (session->payload_len < 
session->reconstruct)) {
                        /* If this is not a final message we need to defer 
returning it until later */
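Review bot: The allocation size `session->payload_len + *payload_len` on the new ast_realloc line adds a size_t to a peer-supplied uint64_t (the warning's `%zu` and `PRIu64` confirm the types), and nothing in the hunk guards the sum against wrapping when it is narrowed to the size_t that the allocator takes. Unless frame-header parsing earlier in the function (outside the hunk) already caps `*payload_len`, a guard ahead of the realloc such as `if (*payload_len > SIZE_MAX - session->payload_len) { *payload_len = 0; ast_websocket_close(session, 1009); return 0; }` keeps an undersized buffer from reaching the memcpy that follows it. The `%p` of `session->payload` in the new LOG_WARNING adds little for diagnosis compared with the two lengths, and pointer values in logs are generally better left out. The enclosing function starts and ends outside the hunk.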

