[Pkg-voip-commits] r9739 - in /asterisk/branches/squeeze/debian: changelog patches/AST-2012-008 patches/series patches/skinny_fix_16040
tzafrir at alioth.debian.org
tzafrir at alioth.debian.org
Wed May 30 13:53:15 UTC 2012
Author: tzafrir
Date: Wed May 30 13:53:15 2012
New Revision: 9739
URL: http://svn.debian.org/wsvn/pkg-voip/?sc=1&rev=9739
Log:
Patch AST-2012-008 (CVE-2012-2948): remote crash issue in chan_skinny
(Closes: ).
Added:
asterisk/branches/squeeze/debian/patches/AST-2012-008
asterisk/branches/squeeze/debian/patches/skinny_fix_16040
Modified:
asterisk/branches/squeeze/debian/changelog
asterisk/branches/squeeze/debian/patches/series
Modified: asterisk/branches/squeeze/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/squeeze/debian/changelog?rev=9739&op=diff
==============================================================================
--- asterisk/branches/squeeze/debian/changelog (original)
+++ asterisk/branches/squeeze/debian/changelog Wed May 30 13:53:15 2012
@@ -3,6 +3,8 @@
* NOT RELEASED YET
* Patch AST-2012-007 (CVE-2012-2947): Fix IAX receiving HOLD without
suggested MOH class crash (Closes: ).
+ * Patch AST-2012-008 (CVE-2012-2948): remote crash issue in chan_skinny
+ (Closes: ).
-- Tzafrir Cohen <tzafrir at debian.org> Wed, 30 May 2012 15:01:36 +0300
Added: asterisk/branches/squeeze/debian/patches/AST-2012-008
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/squeeze/debian/patches/AST-2012-008?rev=9739&op=file
==============================================================================
--- asterisk/branches/squeeze/debian/patches/AST-2012-008 (added)
+++ asterisk/branches/squeeze/debian/patches/AST-2012-008 Wed May 30 13:53:15 2012
@@ -1,0 +1,133 @@
+From: Matthew Jordan <mjordan at digium.com>
+Date: Tue, 29 May 2012 18:30:25 +0000
+Subject: [PATCH] AST-2012-008: remote crash issue in chan_skinny
+Bug: https://issues.asterisk.org/jira/browse/ASTERISK-19905
+Origin: http://svnview.digium.com/svn/asterisk?view=rev&rev=367843
+
+When a skinny session is unregistered, the corresponding device pointer
+is set to NULL in the channel private data. If the client was not in
+the on-hook state at the time the connection was closed, the device
+pointer can later be dereferenced if a message or channel event attempts
+to use a line's pointer to said device.
+
+The patches prevent this from occurring by checking the line's pointer
+in message handlers and channel callbacks that can fire after an
+unregistration attempt.
+
+See also: http://downloads.asterisk.org/pub/security/AST-2012-008.html
+
+Adapted from patch to Asterisk 1.8 with minor changes.
+
+---
+ channels/chan_skinny.c | 44 ++++++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 40 insertions(+), 4 deletions(-)
+
+diff --git a/channels/chan_skinny.c b/channels/chan_skinny.c
+index 3abcbe3..4dbae9b 100644
+--- a/channels/chan_skinny.c
++++ b/channels/chan_skinny.c
+@@ -3633,6 +3633,11 @@ static void *skinny_ss(void *data)
+ int res = 0;
+ int loop_pause = 100;
+
++ if (!d) {
++ ast_log(LOG_WARNING, "Device for line %s is not registered.\n", l->name);
++ return NULL;
++ }
++
+ ast_verb(3, "Starting simple switch on '%s@%s'\n", l->name, d->name);
+
+ len = strlen(d->exten);
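Review bot: The new `if (!d)` guard in skinny_ss carries no comment explaining why `d` can be NULL at this point, and the same uncommented block is repeated in the skinny_hangup, skinny_indicate, skinny_hold, skinny_unhold, handle_transfer_button and handle_callforward_button hunks. A one-line comment above each guard would keep a later cleanup from removing it as dead code, for example `/* l->device is cleared on unregister; callbacks can still fire for an off-hook line (AST-2012-008) */`. The failure return differs between the callbacks (NULL, 0 and -1), so it would help to state beside each return what the caller does with that value. The declaration of `d` and the rest of skinny_ss are outside the hunk, so whether this early return skips cleanup done on the normal exit path cannot be checked here.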
+@@ -3734,7 +3739,7 @@ static int skinny_call(struct ast_channel *ast, char *dest, int timeout)
+ struct skinny_line *l = sub->parent;
+ struct skinny_device *d = l->device;
+
+- if (!d->registered) {
++ if (!d || !d->registered) {
+ ast_log(LOG_ERROR, "Device not registered, cannot call %s\n", dest);
+ return -1;
+ }
+@@ -3799,6 +3804,11 @@ static int skinny_hangup(struct ast_channel *ast)
+ d = l->device;
+ s = d->session;
+
++ if (!d) {
++ ast_log(LOG_WARNING, "Device for line %s is not registered.\n", l->name);
++ return 0;
++ }
++
+ if (skinnydebug)
+ ast_verb(3,"Hanging up %s/%d\n",d->name,sub->callid);
+
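Review bot: In skinny_hangup the added `if (!d)` guard sits after the context line `s = d->session;`, so a NULL `l->device` is still dereferenced before the check runs and this path remains a crash. Move the assignment below the guard, as the skinny_indicate hunk does: keep `d = l->device;`, then the `if (!d) { ... return 0; }` block, then `s = d->session;`. The function continues outside the hunk, so it is worth confirming that the early `return 0` does not skip cleanup of `sub` and `ast->tech_pvt` that the normal hangup path performs.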
+@@ -4177,7 +4187,13 @@ static int skinny_indicate(struct ast_channel *ast, int ind, const void *data, s
+ struct skinny_subchannel *sub = ast->tech_pvt;
+ struct skinny_line *l = sub->parent;
+ struct skinny_device *d = l->device;
+- struct skinnysession *s = d->session;
++ struct skinnysession *s;
++
++ if (!d) {
++ ast_log(LOG_WARNING, "Device for line %s is not registered.\n", l->name);
++ return -1;
++ }
++ s = d->session;
+
+ if (!s) {
+ ast_log(LOG_NOTICE, "Asked to indicate '%s' condition on channel %s, but session does not exist.\n", control2str(ind), ast->name);
+@@ -4389,8 +4405,13 @@ static int skinny_hold(struct skinny_subchannel *sub)
+ struct skinny_device *d = l->device;
+
+ /* Don't try to hold a channel that doesn't exist */
+- if (!sub || !sub->owner)
++ if (!sub || !sub->owner) {
++ return 0;
++ }
++ if (!d) {
++ ast_log(LOG_WARNING, "Device for line %s is not registered.\n", l->name);
+ return 0;
++ }
+
+ /* Channel needs to be put on hold */
+ if (skinnydebug)
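Review bot: The `!sub` test in skinny_hold runs only after the initialiser `struct skinny_device *d = l->device;` has executed. `l` is declared above the hunk, presumably from `sub->parent`; if so, a NULL `sub` is dereferenced before the guard can reject it. This is the ordering problem that skinny_fix_16040 corrects in handle_transfer_button. Declaring `l` and `d` without initialisers and assigning `l = sub->parent; d = l->device;` after the `if (!sub || !sub->owner)` block would make both guards effective. The skinny_unhold hunk has the same shape and needs the same change.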
+@@ -4416,8 +4437,13 @@ static int skinny_unhold(struct skinny_subchannel *sub)
+ struct skinny_device *d = l->device;
+
+ /* Don't try to unhold a channel that doesn't exist */
+- if (!sub || !sub->owner)
++ if (!sub || !sub->owner) {
++ return 0;
++ }
++ if (!d) {
++ ast_log(LOG_WARNING, "Device for line %s is not registered.\n", l->name);
+ return 0;
++ }
+
+ /* Channel is on hold, so we will unhold */
+ if (skinnydebug)
+@@ -4471,6 +4497,11 @@ static int handle_transfer_button(struct skinny_subchannel *sub)
+ l = sub->parent;
+ d = l->device;
+
++ if (!d) {
++ ast_log(LOG_WARNING, "Device for line %s is not registered.\n", l->name);
++ return -1;
++ }
++
+ if (!sub->related) {
+ /* Another sub has not been created so this must be first XFER press */
+ if (!sub->onhold) {
+@@ -4603,6 +4634,11 @@ static int handle_callforward_button(struct skinny_subchannel *sub, int cfwdtype
+ struct ast_channel *c = sub->owner;
+ pthread_t t;
+
++ if (!d) {
++ ast_log(LOG_WARNING, "Device for line %s is not registered.\n", l->name);
++ return 0;
++ }
++
+ if (l->hookstate == SKINNY_ONHOOK) {
+ l->hookstate = SKINNY_OFFHOOK;
+ transmit_speaker_mode(d, SKINNY_SPEAKERON);
+--
+1.7.10
+
Modified: asterisk/branches/squeeze/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/squeeze/debian/patches/series?rev=9739&op=diff
==============================================================================
--- asterisk/branches/squeeze/debian/patches/series (original)
+++ asterisk/branches/squeeze/debian/patches/series Wed May 30 13:53:15 2012
@@ -51,3 +51,5 @@
AST-2012-004
AST-2012-005
AST-2012-007
+skinny_fix_16040
+AST-2012-008
Added: asterisk/branches/squeeze/debian/patches/skinny_fix_16040
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/squeeze/debian/patches/skinny_fix_16040?rev=9739&op=file
==============================================================================
--- asterisk/branches/squeeze/debian/patches/skinny_fix_16040 (added)
+++ asterisk/branches/squeeze/debian/patches/skinny_fix_16040 Wed May 30 13:53:15 2012
@@ -1,0 +1,43 @@
+From a90226f47e30f8805801fd21a5c80446ad65d6d4 Mon Sep 17 00:00:00 2001
+From: Michiel van Baak <michiel at vanbaak.info>
+Date: Fri, 4 Dec 2009 16:18:57 +0000
+Bug: https://issues.asterisk.org/view.php?id=16040
+Origin: http://svnview.digium.com/svn/asterisk?view=rev&rev=233059
+Subject: [PATCH] Only assign line and device in handle_transfer_button when
+ we have a subchannel.
+
+Simple and minor bug fix required for applying AST-2012-008 .
+
+---
+ channels/chan_skinny.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/channels/chan_skinny.c b/channels/chan_skinny.c
+index 7a6337d..3abcbe3 100644
+--- a/channels/chan_skinny.c
++++ b/channels/chan_skinny.c
+@@ -4457,8 +4457,8 @@ static int handle_hold_button(struct skinny_subchannel *sub)
+
+ static int handle_transfer_button(struct skinny_subchannel *sub)
+ {
+- struct skinny_line *l = sub->parent;
+- struct skinny_device *d = l->device;
++ struct skinny_line *l;
++ struct skinny_device *d;
+ struct skinny_subchannel *newsub;
+ struct ast_channel *c;
+ pthread_t t;
+@@ -4467,6 +4467,10 @@ static int handle_transfer_button(struct skinny_subchannel *sub)
+ ast_verbose("Transfer: No subchannel to transfer\n");
+ return -1;
+ }
++
++ l = sub->parent;
++ d = l->device;
++
+ if (!sub->related) {
+ /* Another sub has not been created so this must be first XFER press */
+ if (!sub->onhold) {
+--
+1.7.10
+