From 48e96aba6a3daa28e01fd541892617b2d0ff44e3 Mon Sep 17 00:00:00 2001
From: Corey Farrell <git@cfware.com>
Date: Mon, 6 Nov 2017 19:12:13 -0500
Subject: [PATCH] res_pjsip_history: Fix multiple leaks on vector append
 failure.

Change-Id: I41e8d5183ace284095cc721f3b1fb32ade3f940f
---
 res/res_pjsip_history.c | 30 +++++++++++++++++++++++-------
 1 file changed, 23 insertions(+), 7 deletions(-)

diff --git a/res/res_pjsip_history.c b/res/res_pjsip_history.c
index 4e7dbd0071..ed374d605b 100644
--- a/res/res_pjsip_history.c
+++ b/res/res_pjsip_history.c
@@ -705,10 +705,13 @@ static pj_status_t history_on_tx_msg(pjsip_tx_data *tdata)
 	pj_sockaddr_cp(&entry->dst, &tdata->tp_info.dst_addr);
 
 	ast_mutex_lock(&history_lock);
-	AST_VECTOR_APPEND(&vector_history, entry);
+	if (AST_VECTOR_APPEND(&vector_history, entry)) {
+		ao2_ref(entry, -1);
+		entry = NULL;
+	}
 	ast_mutex_unlock(&history_lock);
 
-	if (log_level != -1) {
+	if (log_level != -1 && entry) {
 		char line[256];
 
 		sprint_list_entry(entry, line, sizeof(line));
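Review bot: `entry` is still dereferenced by `sprint_list_entry(entry, line, sizeof(line))` after `ast_mutex_unlock(&history_lock)`, and on the success path the only reference visible in this hunk is the one handed to `vector_history`. If another thread can reset the vector and drop that reference while the lock is released (the hunk does not show whether this function keeps a reference of its own), the logging block would read freed memory. Consider formatting the line before the unlock, or taking a temporary reference with `ao2_bump(entry)` before unlocking and releasing it with `ao2_ref(entry, -1)` after logging. The same pattern appears in the history_on_rx_msg hunk, and both function bodies start and end outside their hunks.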
@@ -745,10 +748,13 @@ static pj_bool_t history_on_rx_msg(pjsip_rx_data *rdata)
 	}
 
 	ast_mutex_lock(&history_lock);
-	AST_VECTOR_APPEND(&vector_history, entry);
+	if (AST_VECTOR_APPEND(&vector_history, entry)) {
+		ao2_ref(entry, -1);
+		entry = NULL;
+	}
 	ast_mutex_unlock(&history_lock);
 
-	if (log_level != -1) {
+	if (log_level != -1 && entry) {
 		char line[256];
 
 		sprint_list_entry(entry, line, sizeof(line));
@@ -959,7 +965,9 @@ static int evaluate_history_entry(struct pjsip_history_entry *entry, struct expr
 
 		/* If this is not an operator, push it to the stack */
 		if (!it_queue->op) {
-			AST_VECTOR_APPEND(&stack, it_queue);
+			if (AST_VECTOR_APPEND(&stack, it_queue)) {
+				goto error;
+			}
 			continue;
 		}
 
@@ -1035,7 +1043,11 @@ static int evaluate_history_entry(struct pjsip_history_entry *entry, struct expr
 		if (!result) {
 			goto error;
 		}
-		AST_VECTOR_APPEND(&stack, result);
+		if (AST_VECTOR_APPEND(&stack, result)) {
+			expression_token_free(result);
+
+			goto error;
+		}
 	}
 
 	/*
@@ -1056,6 +1068,7 @@ static int evaluate_history_entry(struct pjsip_history_entry *entry, struct expr
 	}
 	result = final->result;
 	ast_free(final);
+	AST_VECTOR_FREE(&stack);
 
 	return result;
 
@@ -1098,6 +1111,7 @@ static struct vector_history_t *filter_history(struct ast_cli_args *a)
 
 	queue = build_expression_queue(a);
 	if (!queue) {
+		AST_VECTOR_PTR_FREE(output);
 		return NULL;
 	}
 
@@ -1118,7 +1132,9 @@ static struct vector_history_t *filter_history(struct ast_cli_args *a)
 		} else if (!res) {
 			continue;
 		} else {
-			AST_VECTOR_APPEND(output, ao2_bump(entry));
+			if (AST_VECTOR_APPEND(output, ao2_bump(entry))) {
+				ao2_cleanup(entry);
+			}
 		}
 	}
 	ast_mutex_unlock(&history_lock);
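Review bot: When `AST_VECTOR_APPEND(output, ao2_bump(entry))` fails, the bumped reference is released correctly but the loop moves on to the next entry, so filter_history can return a result that silently omits matching entries. Someone reading the filtered history during troubleshooting or incident review cannot tell that the list is incomplete. Consider reporting the failure and leaving the loop, for example `ast_log(LOG_ERROR, "Unable to add history entry to filtered output\n");` followed by `break;`, or failing the whole filter if the callers handle a NULL return (they are not visible here). The loop and the rest of the function continue outside the hunk.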
-- 
GitLab