prevent segfault if bad magic number is encountered.

internal_ao2_ref uses INTERNAL_OBJ which mzy report 'bad magic number', but
internal_ao2_ref continues on, causing segfault.

Although AO2_MAGIC number is checked by INTERNAL_OBJ before internal_ao2_ref is
called, A02_MAGIC is being destroyed (or a wrong pointer) by the time
internal_ao2_ref uses INTERNAL_OBJ.

internal_ao2_ref now returns -1 if INTERNAL_OBJ encouters a bad magic number.

(issue #17037)
Reported by: alecdavis
Patches:
      bug17037.diff.txt uploaded by alecdavis (license 585)
Tested by: alecdavis




git-svn-id: http://svn.digium.com/svn/asterisk/trunk@253490 f38db490-d61c-443f-a65b-d21fe96a405b

1 files changed, 4 insertions, 1 deletions

diff --git a/main/astobj2.c b/main/astobj2.c
index 48fae0a9d..40efd0f2a 100644
--- a/main/astobj2.c
+++ b/main/astobj2.c
@@ -262,6 +262,9 @@ static int internal_ao2_ref(void *user_data, const int delta)
 	int current_value;
 	int ret;
 
+	if (obj == NULL)
+		return -1;
+
 	/* if delta is 0, just return the refcount */
 	if (delta == 0)
 		return (obj->priv_data.ref_counter);
@@ -499,7 +502,7 @@ static struct bucket_list *internal_ao2_link(struct ao2_container *c, void *user
 	struct bucket_list *p;
 	struct astobj2 *obj = INTERNAL_OBJ(user_data);
 
-	if (!obj)
+	if (obj == NULL)
 		return NULL;
 
 	if (INTERNAL_OBJ(c) == NULL)