res_ari_events: Fix use after free / double-free of JSON message.
author Corey Farrell <git@cfware.com>
Mon, 6 Nov 2017 23:11:08 +0000 (18:11 -0500)
committer Corey Farrell <git@cfware.com>
Mon, 6 Nov 2017 23:11:08 +0000 (18:11 -0500)
When stasis_app_message_handler needs to queue a message for a later
connection it needs to bump the message reference so it doesn't get
freed when the caller releases its reference.

Change-Id: I82696df8fe723b3365c15c3f7089501da8daa892

res/ari/resource_events.c

index 4be5d02..992c562 100644 (file)
@@ -108,7 +108,9 @@ static void stasis_app_message_handler(
                        msg_application);
        } else if (!session->ws_session) {
                /* If the websocket is NULL, the message goes to the queue */
                        msg_application);
        } else if (!session->ws_session) {
                /* If the websocket is NULL, the message goes to the queue */
-               AST_VECTOR_APPEND(&session->message_queue, message);
+               if (!AST_VECTOR_APPEND(&session->message_queue, message)) {
+                       ast_json_ref(message);
+               }
                ast_log(LOG_WARNING,
                                "Queued '%s' message for Stasis app '%s'; websocket is not ready\n",
                                msg_type,
                ast_log(LOG_WARNING,
                                "Queued '%s' message for Stasis app '%s'; websocket is not ready\n",
                                msg_type,
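Review bot: the ast_log(LOG_WARNING, "Queued '%s' message ...") call that follows the new if block runs whether or not AST_VECTOR_APPEND succeeded, so when the append fails the message is neither queued nor referenced, yet the log still reports it as queued. Consider adding an else branch that logs the failure to queue and skips the "Queued" warning, so a dropped event is visible in the logs. A short comment on the ast_json_ref(message) line, noting that the queue now holds its own reference which the code draining message_queue must release, would also make the ownership rule clear to later readers.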