Crash when receiving an unknown/unsupported message type.
Fix double free of a call record and the subsequent continued use of the freed call record when receiving an unsupported/unknown message type. (closes issue #17968) Reported by: gelo Patches: issue_17968_v1.4.patch uploaded by rmudgett (license 664) git-svn-id: https://origsvn.digium.com/svn/libpri/branches/1.4@2021 2fbb986a-6c06-0410-b554-c9c1f0a7f128
This commit is contained in:
parent
2045db6a69
commit
fb61cedfd7
42
q931.c
42
q931.c
@ -6202,7 +6202,9 @@ static int prepare_to_handle_maintenance_message(struct pri *ctrl, q931_mh *mh,
|
|||||||
c->changestatus = -1;
|
c->changestatus = -1;
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
pri_error(ctrl, "!! Don't know how to pre-handle maintenance message type '%d'\n", mh->msg);
|
pri_error(ctrl,
|
||||||
|
"!! Don't know how to pre-handle maintenance message type '0x%X'\n",
|
||||||
|
mh->msg);
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
return 0;
|
return 0;
|
||||||
@ -6356,13 +6358,13 @@ static int prepare_to_handle_q931_message(struct pri *ctrl, q931_mh *mh, q931_ca
|
|||||||
case Q931_SUSPEND:
|
case Q931_SUSPEND:
|
||||||
case Q931_SUSPEND_ACKNOWLEDGE:
|
case Q931_SUSPEND_ACKNOWLEDGE:
|
||||||
case Q931_SUSPEND_REJECT:
|
case Q931_SUSPEND_REJECT:
|
||||||
pri_error(ctrl, "!! Not yet handling pre-handle message type %s (%d)\n", msg2str(mh->msg), mh->msg);
|
pri_error(ctrl, "!! Not yet handling pre-handle message type %s (0x%X)\n",
|
||||||
|
msg2str(mh->msg), mh->msg);
|
||||||
/* Fall through */
|
/* Fall through */
|
||||||
default:
|
default:
|
||||||
pri_error(ctrl, "!! Don't know how to pre-handle message type %s (%d)\n", msg2str(mh->msg), mh->msg);
|
pri_error(ctrl, "!! Don't know how to pre-handle message type %s (0x%X)\n",
|
||||||
|
msg2str(mh->msg), mh->msg);
|
||||||
q931_status(ctrl,c, PRI_CAUSE_MESSAGE_TYPE_NONEXIST);
|
q931_status(ctrl,c, PRI_CAUSE_MESSAGE_TYPE_NONEXIST);
|
||||||
if (c->newcall)
|
|
||||||
pri_destroycall(ctrl, c);
|
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
return 0;
|
return 0;
|
||||||
@ -6567,7 +6569,18 @@ int q931_receive(struct pri *ctrl, int tei, q931_h *h, int len)
|
|||||||
/* Unknown protocol discriminator but we will treat it as Q.931 anyway. */
|
/* Unknown protocol discriminator but we will treat it as Q.931 anyway. */
|
||||||
case GR303_PROTOCOL_DISCRIMINATOR:
|
case GR303_PROTOCOL_DISCRIMINATOR:
|
||||||
case Q931_PROTOCOL_DISCRIMINATOR:
|
case Q931_PROTOCOL_DISCRIMINATOR:
|
||||||
prepare_to_handle_q931_message(ctrl, mh, c);
|
if (prepare_to_handle_q931_message(ctrl, mh, c)) {
|
||||||
|
/* Discard message. We don't know how to handle it. */
|
||||||
|
if (!c->master_call->outboundbroadcast && c->newcall) {
|
||||||
|
/*
|
||||||
|
* Destroy new non-subcalls immediately. Let the normal
|
||||||
|
* disconnect/destruction of subcalls happen when there is a
|
||||||
|
* winner.
|
||||||
|
*/
|
||||||
|
pri_destroycall(ctrl, c);
|
||||||
|
}
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
q931_clr_subcommands(ctrl);
|
q931_clr_subcommands(ctrl);
|
||||||
@ -6756,7 +6769,8 @@ static int post_handle_maintenance_message(struct pri *ctrl, int protodisc, stru
|
|||||||
return Q931_RES_HAVEEVENT;
|
return Q931_RES_HAVEEVENT;
|
||||||
}
|
}
|
||||||
|
|
||||||
pri_error(ctrl, "!! Don't know how to post-handle maintenance message type %d\n", mh->msg);
|
pri_error(ctrl, "!! Don't know how to post-handle maintenance message type 0x%X\n",
|
||||||
|
mh->msg);
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -8332,13 +8346,21 @@ static int post_handle_q931_message(struct pri *ctrl, struct q931_mh *mh, struct
|
|||||||
case Q931_SUSPEND:
|
case Q931_SUSPEND:
|
||||||
case Q931_SUSPEND_ACKNOWLEDGE:
|
case Q931_SUSPEND_ACKNOWLEDGE:
|
||||||
case Q931_SUSPEND_REJECT:
|
case Q931_SUSPEND_REJECT:
|
||||||
pri_error(ctrl, "!! Not yet handling post-handle message type %s (%d)\n", msg2str(mh->msg), mh->msg);
|
pri_error(ctrl, "!! Not yet handling post-handle message type %s (0x%X)\n",
|
||||||
|
msg2str(mh->msg), mh->msg);
|
||||||
/* Fall through */
|
/* Fall through */
|
||||||
default:
|
default:
|
||||||
pri_error(ctrl, "!! Don't know how to post-handle message type %s (%d)\n", msg2str(mh->msg), mh->msg);
|
pri_error(ctrl, "!! Don't know how to post-handle message type %s (0x%X)\n",
|
||||||
|
msg2str(mh->msg), mh->msg);
|
||||||
q931_status(ctrl,c, PRI_CAUSE_MESSAGE_TYPE_NONEXIST);
|
q931_status(ctrl,c, PRI_CAUSE_MESSAGE_TYPE_NONEXIST);
|
||||||
if (c->newcall)
|
if (!c->master_call->outboundbroadcast && c->newcall) {
|
||||||
|
/*
|
||||||
|
* Destroy new non-subcalls immediately. Let the normal
|
||||||
|
* disconnect/destruction of subcalls happen when there is a
|
||||||
|
* winner.
|
||||||
|
*/
|
||||||
pri_destroycall(ctrl, c);
|
pri_destroycall(ctrl, c);
|
||||||
|
}
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
return 0;
|
return 0;
|
||||||
|
Loading…
Reference in New Issue
Block a user