Commit 94187aaf authored by Matthew Jordan

AST-2012-008: Fix remote crash vulnerability in chan_skinny

When a skinny session is unregistered, the corresponding device pointer is set
to NULL in the channel private data.  If the client was not in the on-hook state
at the time the connection was closed, the device pointer can later be
dereferenced if a message or channel event attempts to use a line's pointer to
said device.

The patches prevent this from occurring by checking the line's pointer in
message handlers and channel callbacks that can fire after an unregistration
attempt.

(closes issue ASTERISK-19905)
Reported by: Christoph Hebeisen
Tested by: mjordan, Damien Wedhorn
Patches:
  AST-2012-008-1.8.diff uploaded by mjordan (license 6283)
  AST-2012-008-10.diff uploaded by mjordan (license 6283)
........

Merged revisions 367844 from http://svn.asterisk.org/svn/asterisk/branches/10


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@367845 65c4cc65-6c06-0410-ace0-fbb531ad65f3
parent 2d418b59
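
The guard pattern the commit message describes, as an added example that is not code from this commit or from Asterisk. The structures and function names are hypothetical, simplified stand-ins, and the scenario is constructed.

```c
#include <stddef.h>

/* Hypothetical, simplified stand-ins for illustration only;
 * these are not chan_skinny's real structures or function names. */
enum hook { ONHOOK, OFFHOOK };
struct device { enum hook hookstate; };
struct line { struct device *device; int dropped; };

/* Unregistration: the connection closed, so the line loses its device.
 * Nothing here waits for an off-hook call on the line to finish. */
static void unregister_device(struct line *l)
{
    l->device = NULL;
}

/* Channel callback that can still fire after unregistration, e.g. hangup
 * of a call that was up when the client disconnected. */
static int line_hangup(struct line *l)
{
    struct device *d = l->device;  /* read the pointer once */

    if (d == NULL) {               /* the check the commit message describes */
        l->dropped++;              /* nothing to signal; count and bail out */
        return -1;
    }
    d->hookstate = ONHOOK;         /* safe: d is known to be non-NULL */
    return 0;
}

/* Constructed scenario: phone is off-hook, connection drops, hangup fires.
 * Returns the callback's result after unregistration. */
static int hangup_after_unregister(void)
{
    struct device dev = { OFFHOOK };
    struct line ln = { &dev, 0 };

    unregister_device(&ln);
    return line_hangup(&ln);
}

/* Control case: device still registered, hangup puts it back on-hook. */
static int hangup_while_registered(void)
{
    struct device dev = { OFFHOOK };
    struct line ln = { &dev, 0 };

    return line_hangup(&ln) == 0 && dev.hookstate == ONHOOK;
}

int main(void)
{
    return (hangup_after_unregister() == -1 && hangup_while_registered()) ? 0 : 1;
}
```

Without the `d == NULL` check, the write to `d->hookstate` in the first scenario is the NULL dereference that crashes the process.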