res_srtp: Fix a crash caused by srtp_dealloc on an already dealloced session
authorJonathan Rose <jrose@digium.com>
Wed, 5 Dec 2012 17:17:06 +0000 (17:17 +0000)
committerJonathan Rose <jrose@digium.com>
Wed, 5 Dec 2012 17:17:06 +0000 (17:17 +0000)
When srtp_create fails, the session may be dealloced or just not alloced. At
the same time though, the session pointer might not be set to NULL in this
process and attempting to srtp_dealloc it again will cause a segfault. This
patch checks for failure of srtp_create and sets the session pointer to NULL
if it fails.

(closes issue ASTERISK-20499)
Reported by: tootai
Review: https://reviewboard.asterisk.org/r/2228/
........

Merged revisions 377256 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........

Merged revisions 377261 from http://svn.asterisk.org/svn/asterisk/branches/10
........

Merged revisions 377262 from http://svn.asterisk.org/svn/asterisk/branches/11

git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@377263 65c4cc65-6c06-0410-ace0-fbb531ad65f3

res/res_srtp.c

index f651c40..b9499f8 100644 (file)
@@ -383,6 +383,8 @@ tryagain:
                                        retry++;
                                        ao2_iterator_destroy(&it);
                                        goto tryagain;
+                               } else {
+                                       srtp->session = NULL;
                                }
                                ao2_t_ref(policy, -1, "Unreffing first policy after srtp_create failed");
                        }
@@ -437,6 +439,8 @@ static int ast_srtp_create(struct ast_srtp **srtp, struct ast_rtp_instance *rtp,
 
        /* Any failures after this point can use ast_srtp_destroy to destroy the instance */
        if (srtp_create(&temp->session, &policy->sp) != err_status_ok) {
+               /* Session either wasn't created or was created and dealloced. */
+               temp->session = NULL;
                ast_srtp_destroy(temp);
                return -1;
        }