Found a little problem with the sip request handling that could lead to a quick crash of asterisk, and a road to a DOS attack if left unfixed.

Attaching to a running asterisk with "telnet hostname 5060", I would input "something", then hit return three times, and asterisk crashes.

I traced it to handle_request_do(), which zeroes out the data (an ast_str ptr) if the string is too short. 
Instead of freeing the struct and nulling the pointer, it now just resets it, because this 
ast_str is expected by the calling routine to still be there after handle_request_do() returns.

This appears to fix the crash. I assume that it was introduced with ast_str's being adopted.  It's a subtle and easy-to-miss sort of problem.

I also found all the places where the req.data is freed, and made sure the ptr is Nulled out as well; 
no good leaving bad ptrs laying around-- I didn't need to do this, but it seemed a good thing to do...




git-svn-id: http://svn.digium.com/svn/asterisk/trunk@112874 f38db490-d61c-443f-a65b-d21fe96a405b

0 files changed, 0 insertions, 0 deletions