Commit 6bff9e68 authored by Natanael Copa's avatar Natanael Copa

main/iaxmodem: use upstream fix for use-after-free

https://sourceforge.net/p/iaxmodem/code/46/
parent 838d42ab
......@@ -3,7 +3,7 @@
# Maintainer: Cameron Banta <cbanta@gmail.com>
pkgname=iaxmodem
pkgver=1.3.2
pkgrel=1
pkgrel=2
pkgdesc="Softmodem for hylafax that connects to VOIP gateway with IAX"
url="http://iaxmodem.sourceforge.net/"
arch="all"
......@@ -72,10 +72,12 @@ package() {
}
sha512sums="ec53be179c5651825dc4e0883d8bdd33662e477b964e3130c94ca46c6d9b628a1087d33f87bebe005e306b52d75cd00407958403d9d175944fba0f5d69d34269 iaxmodem-1.3.2.tar.gz
sha512sums="
ec53be179c5651825dc4e0883d8bdd33662e477b964e3130c94ca46c6d9b628a1087d33f87bebe005e306b52d75cd00407958403d9d175944fba0f5d69d34269 iaxmodem-1.3.2.tar.gz
999ba9d554ffa8ecb00b4e18b2e25d0c077a64560985ffc035fe89dedf7ff9686c347aba16a0bc05ad9a4d11e17b9ddad3b99772b2b61e1fcaea00c63bcbb897 iaxmodem-fix.patch
9ed5fecaaa86fb0808ea088a7ee6f0b07442f1120d7139b85227322fbfc8afa4622565dc88f36a3d3961ebf080d76336ecebef3fc6a486e62c8f6bc2aac60b6b fix-use-after-free.patch
5efbb8d430e2d216732d28a91f5b8acef554ce7ef14cb9d8c14f56292b704f35946faa3c24c3c655c0669bdd8a0279985d4f37dc7dfad05ae53c0d902d8941ef fix-use-after-free.patch
ec32c1c81a460033d1b419292f408974409d08cfc754af92ca5af303cc848fc5dc3a019028c6724346e96ab5d600519862fd9a2c3f01ae6cf7139ff377de4b80 config.guess
fb999aada492f963fdf86184629a7351e5ff3adac6f4707a2d150ae18cea02478b4ebcb1d2d0bd11698ed74415d2a73bc07d8c0d96a5035bd567d2738fa73128 config.sub
c5b01eecd8048a99777c0265bc31cd8dcafa7ab2b30798500ec52e759f4ad97ffc13e8e72ad3018e9cd77b2acefdbbe7125b0b0d7f7cefd4ab6d764c690c89a1 iaxmodem.confd
5e62ae6ea099db21e5f3ce319a28b3e6a9da1a2283fd29404126b486209119cfcf32628e9d3f3323522db30dbf052378f654f9498cd1ae75a447d44005b1f587 iaxmodem.initd"
5e62ae6ea099db21e5f3ce319a28b3e6a9da1a2283fd29404126b486209119cfcf32628e9d3f3323522db30dbf052378f654f9498cd1ae75a447d44005b1f587 iaxmodem.initd
"
make sure that we set the session to NULL when free'ing it
https://sourceforge.net/p/iaxmodem/code/46/
https://sourceforge.net/p/iaxmodem/discussion/497500/thread/b2469a0d1a/
diff --git a/iaxmodem.c b/iaxmodem.c
index e1ab731..3c80c29 100644
--- a/iaxmodem.c
+++ b/iaxmodem.c
@@ -213,8 +213,8 @@ cleanup(int sig)
iax_unregister(session[1], server, regpeer, regsecret, "Exiting");
while (!(iaxevent = iax_get_event(1)));
iax_event_free(iaxevent);
- iax_destroy(session[1]);
- iax_destroy(session[0]);
+ iax_session_destroy(&session[1]);
+ iax_session_destroy(&session[0]);
}
Index: iaxmodem.c
===================================================================
--- ./iaxmodem.c (revision 45)
+++ ./iaxmodem.c (working copy)
@@ -543,7 +543,7 @@
printlog(LOG_INFO, "Answering\n");
/* Escalate privileges */
@@ -603,7 +603,7 @@ t31_call_control_handler(t31_state_t *s, void *user_data, int op, const char *nu
sleep(1); // apparently necessary or the answer can be ignored
}
iax_hangup(session[0], "Normal disconnect");
- iax_destroy(session[0]);
+ iax_session_destroy(&session[0]);
phonestate = PHONE_FREED;
if (gothup) sighandler(SIGHUP);
}
@@ -1202,7 +1202,7 @@ iaxmodem(const char *config, int nondaemon)
* one. In any case, omitting it seems harmless, as iax_destroy seems
* to do the necessary job.
*/
- iax_destroy(session[0]);
+ iax_session_destroy(&session[0]);
phonestate = PHONE_FREED;
modemstate = MODEM_ONHOOK;
if (gothup) sighandler(SIGHUP);
@@ -1224,13 +1224,13 @@ iaxmodem(const char *config, int nondaemon)
printlog(LOG_INFO, "Registration completed successfully.\n");
if (iaxevent->ies.refresh > 0) refresh = iaxevent->ies.refresh;
regstate = REGISTERED;
- iax_destroy(session[1]);
+ iax_session_destroy(&session[1]);
break;
case IAX_EVENT_REGREJ:
printlog(LOG_ERROR, "Registration failed.\n");
/* To prevent fast looping with registration-attempts, we leave regstate PENDING. */
//regstate = UNREGISTERED;
- iax_destroy(session[1]);
+ iax_session_destroy(&session[1]);
break;
case IAX_EVENT_TIMEOUT:
if (regstate == PENDING) {
/* Unset V.24 Circuit 125, "ring indicator". */
- int tioflags;
+ int tioflags = 0;
ioctl(aslave, TIOCMGET, &tioflags);
tioflags &= ~TIOCM_RI;
ioctl(aslave, TIOCMSET, &tioflags);
@@ -762,7 +762,7 @@
int16_t iaxbuf[VOIP_PACKET_SIZE];
static t31_state_t t31_state;
int t31buflen;
- int tioflags;
+ int tioflags = 0;
struct group *grent;
char *devgroup;
char *pmode;
Index: lib/libiax2/src/iax.c
===================================================================
--- ./lib/libiax2/src/iax.c (revision 45)
+++ ./lib/libiax2/src/iax.c (working copy)
@@ -3283,20 +3283,7 @@
/* It's been acked. No need to send it. Destroy the old
frame. If final, destroy the session. */
if (frame->final)
- /* sskacar: Quick deallocation and allocation of sessions may result in
- the same-address-use ! Therefore we cannot trust remote-sent address only
- Best bet is checking by somewhat unique properties to decide
- if we really intend to destroy this session.
- Example Case:
- - Have a call
- - Dump that call and immediately request a new call (or have a incoming call request by a lesser chance)
- - By considerable probability, you might get the previous address for the session.
- - When execution hits to this point as a result of previous call ending
- (as client informs server about dumping and frees the previous session,
- server proccess call-dumping and eventually this point reached)
- - frame->session param to the destroy_session() belongs to the new & valid session ! */
- if (frame->session && (frame->callno == frame->session->callno))
- destroy_session(frame->session);
+ destroy_session(frame->session);
if (frame->data)
free(frame->data);
free(frame);
Index: lib/spandsp/src/at_interpreter.c
===================================================================
--- ./lib/spandsp/src/at_interpreter.c (revision 45)
+++ ./lib/spandsp/src/at_interpreter.c (working copy)
@@ -44,6 +44,7 @@
#include <string.h>
#include <ctype.h>
#include <assert.h>
+#include <syslog.h>
#include "spandsp/telephony.h"
#include "spandsp/logging.h"
@@ -672,43 +673,6 @@
}
/*- End of function --------------------------------------------------------*/
-static int parse_string_out(at_state_t *s, const char **t, char **target, const char *prefix)
-{
- char buf[100];
-
- switch (*(*t)++)
- {
- case '=':
- switch (**t)
- {
- case '?':
- /* Show possible values */
- (*t)++;
- snprintf(buf, sizeof(buf), "%s", (prefix) ? prefix : "");
- at_put_response(s, buf);
- break;
- default:
- /* Set value */
- if (*target)
- free(*target);
- /* If this strdup fails, it should be harmless */
- *target = strdup(*t);
- break;
- }
- break;
- case '?':
- /* Show current index value */
- at_put_response(s, (*target) ? *target : "");
- break;
- default:
- return FALSE;
- }
- while (*t)
- t++;
- return TRUE;
-}
-/*- End of function --------------------------------------------------------*/
-
static const char *s_reg_handler(at_state_t *s, const char *t, int reg)
{
int val;
@@ -4965,10 +4929,31 @@
{
/* Extension of V.253 +VCID, Set calling number ID */
t += 5;
- if (!parse_string_out(s, &t, &s->local_id, NULL))
+ switch (*t)
+ {
+ case '=':
+ switch (*(t+1))
+ {
+ case '?':
+ /* Show possible values */
+ at_put_response(s, "");
+ break;
+ default:
+ /* Set value */
+ s->local_id = strdup(t + 1);
+ if (at_modem_control(s, AT_MODEM_CONTROL_SETID, s->local_id) < 0)
+ return NULL;
+ break;
+ }
+ break;
+ case '?':
+ /* Show current index value from def */
+ at_put_response(s, (s->local_id) ? s->local_id : "");
+ break;
+ default:
return NULL;
- if (at_modem_control(s, AT_MODEM_CONTROL_SETID, s->local_id) < 0)
- return NULL;
+ }
+ while (*t) t++;
return t;
}
/*- End of function --------------------------------------------------------*/
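Review bot: Nulling the slot on destroy changes what later callers receive, and the iaxmodem.c hunks of the patch show no matching NULL check: once the REGACK/REGREJ cases run `iax_session_destroy(&session[1]);`, `cleanup()` still calls `iax_unregister(session[1], server, regpeer, regsecret, "Exiting")`, and the call-control hunk calls `iax_hangup(session[0], "Normal disconnect")` just before its own destroy. Whether those libiax2 entry points, and `iax_session_destroy` itself when handed an already-NULL slot, tolerate a NULL session is not visible on this page, so it should be confirmed or the calls guarded with `if (session[1] != NULL)`. The comment kept in the `iaxmodem()` hunk still reads `iax_destroy seems to do the necessary job` and should name `iax_session_destroy`. All of these functions begin and end outside the hunks shown.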