aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorNatanael Copa <ncopa@alpinelinux.org>2021-05-04 09:04:35 +0200
committerNatanael Copa <ncopa@alpinelinux.org>2021-05-04 09:06:52 +0200
commit6bff9e68ca822c5ef1f955f1dd5dc09ba7db93a3 (patch)
tree2420e38e595f70b0af53316a4f86168be78986fd
parent838d42abedfae04ce1f444700016506f8a57dcc5 (diff)
downloadaports-6bff9e68ca822c5ef1f955f1dd5dc09ba7db93a3.tar.gz
aports-6bff9e68ca822c5ef1f955f1dd5dc09ba7db93a3.tar.bz2
aports-6bff9e68ca822c5ef1f955f1dd5dc09ba7db93a3.tar.xz
main/iaxmodem: use upstream fix for use-after-free
https://sourceforge.net/p/iaxmodem/code/46/
-rw-r--r--main/iaxmodem/APKBUILD10
-rw-r--r--main/iaxmodem/fix-use-after-free.patch189
2 files changed, 146 insertions, 53 deletions
diff --git a/main/iaxmodem/APKBUILD b/main/iaxmodem/APKBUILD
index 7f31b3f17d..e9b162b2e1 100644
--- a/main/iaxmodem/APKBUILD
+++ b/main/iaxmodem/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: Cameron Banta <cbanta@gmail.com>
pkgname=iaxmodem
pkgver=1.3.2
-pkgrel=1
+pkgrel=2
pkgdesc="Softmodem for hylafax that connects to VOIP gateway with IAX"
url="http://iaxmodem.sourceforge.net/"
arch="all"
@@ -72,10 +72,12 @@ package() {
}
-sha512sums="ec53be179c5651825dc4e0883d8bdd33662e477b964e3130c94ca46c6d9b628a1087d33f87bebe005e306b52d75cd00407958403d9d175944fba0f5d69d34269 iaxmodem-1.3.2.tar.gz
+sha512sums="
+ec53be179c5651825dc4e0883d8bdd33662e477b964e3130c94ca46c6d9b628a1087d33f87bebe005e306b52d75cd00407958403d9d175944fba0f5d69d34269 iaxmodem-1.3.2.tar.gz
999ba9d554ffa8ecb00b4e18b2e25d0c077a64560985ffc035fe89dedf7ff9686c347aba16a0bc05ad9a4d11e17b9ddad3b99772b2b61e1fcaea00c63bcbb897 iaxmodem-fix.patch
-9ed5fecaaa86fb0808ea088a7ee6f0b07442f1120d7139b85227322fbfc8afa4622565dc88f36a3d3961ebf080d76336ecebef3fc6a486e62c8f6bc2aac60b6b fix-use-after-free.patch
+5efbb8d430e2d216732d28a91f5b8acef554ce7ef14cb9d8c14f56292b704f35946faa3c24c3c655c0669bdd8a0279985d4f37dc7dfad05ae53c0d902d8941ef fix-use-after-free.patch
ec32c1c81a460033d1b419292f408974409d08cfc754af92ca5af303cc848fc5dc3a019028c6724346e96ab5d600519862fd9a2c3f01ae6cf7139ff377de4b80 config.guess
fb999aada492f963fdf86184629a7351e5ff3adac6f4707a2d150ae18cea02478b4ebcb1d2d0bd11698ed74415d2a73bc07d8c0d96a5035bd567d2738fa73128 config.sub
c5b01eecd8048a99777c0265bc31cd8dcafa7ab2b30798500ec52e759f4ad97ffc13e8e72ad3018e9cd77b2acefdbbe7125b0b0d7f7cefd4ab6d764c690c89a1 iaxmodem.confd
-5e62ae6ea099db21e5f3ce319a28b3e6a9da1a2283fd29404126b486209119cfcf32628e9d3f3323522db30dbf052378f654f9498cd1ae75a447d44005b1f587 iaxmodem.initd"
+5e62ae6ea099db21e5f3ce319a28b3e6a9da1a2283fd29404126b486209119cfcf32628e9d3f3323522db30dbf052378f654f9498cd1ae75a447d44005b1f587 iaxmodem.initd
+"
diff --git a/main/iaxmodem/fix-use-after-free.patch b/main/iaxmodem/fix-use-after-free.patch
index df1b0b2ce7..e874e7af57 100644
--- a/main/iaxmodem/fix-use-after-free.patch
+++ b/main/iaxmodem/fix-use-after-free.patch
@@ -1,51 +1,142 @@
-make sure that we set the session to NULL when free'ing it
+https://sourceforge.net/p/iaxmodem/code/46/
+https://sourceforge.net/p/iaxmodem/discussion/497500/thread/b2469a0d1a/
-diff --git a/iaxmodem.c b/iaxmodem.c
-index e1ab731..3c80c29 100644
---- a/iaxmodem.c
-+++ b/iaxmodem.c
-@@ -213,8 +213,8 @@ cleanup(int sig)
- iax_unregister(session[1], server, regpeer, regsecret, "Exiting");
- while (!(iaxevent = iax_get_event(1)));
- iax_event_free(iaxevent);
-- iax_destroy(session[1]);
-- iax_destroy(session[0]);
-+ iax_session_destroy(&session[1]);
-+ iax_session_destroy(&session[0]);
- }
+Index: iaxmodem.c
+===================================================================
+--- ./iaxmodem.c (revision 45)
++++ ./iaxmodem.c (working copy)
+@@ -543,7 +543,7 @@
+ printlog(LOG_INFO, "Answering\n");
- /* Escalate privileges */
-@@ -603,7 +603,7 @@ t31_call_control_handler(t31_state_t *s, void *user_data, int op, const char *nu
- sleep(1); // apparently necessary or the answer can be ignored
- }
- iax_hangup(session[0], "Normal disconnect");
-- iax_destroy(session[0]);
-+ iax_session_destroy(&session[0]);
- phonestate = PHONE_FREED;
- if (gothup) sighandler(SIGHUP);
- }
-@@ -1202,7 +1202,7 @@ iaxmodem(const char *config, int nondaemon)
- * one. In any case, omitting it seems harmless, as iax_destroy seems
- * to do the necessary job.
- */
-- iax_destroy(session[0]);
-+ iax_session_destroy(&session[0]);
- phonestate = PHONE_FREED;
- modemstate = MODEM_ONHOOK;
- if (gothup) sighandler(SIGHUP);
-@@ -1224,13 +1224,13 @@ iaxmodem(const char *config, int nondaemon)
- printlog(LOG_INFO, "Registration completed successfully.\n");
- if (iaxevent->ies.refresh > 0) refresh = iaxevent->ies.refresh;
- regstate = REGISTERED;
-- iax_destroy(session[1]);
-+ iax_session_destroy(&session[1]);
- break;
- case IAX_EVENT_REGREJ:
- printlog(LOG_ERROR, "Registration failed.\n");
- /* To prevent fast looping with registration-attempts, we leave regstate PENDING. */
- //regstate = UNREGISTERED;
-- iax_destroy(session[1]);
-+ iax_session_destroy(&session[1]);
- break;
- case IAX_EVENT_TIMEOUT:
- if (regstate == PENDING) {
+ /* Unset V.24 Circuit 125, "ring indicator". */
+- int tioflags;
++ int tioflags = 0;
+ ioctl(aslave, TIOCMGET, &tioflags);
+ tioflags &= ~TIOCM_RI;
+ ioctl(aslave, TIOCMSET, &tioflags);
+@@ -762,7 +762,7 @@
+ int16_t iaxbuf[VOIP_PACKET_SIZE];
+ static t31_state_t t31_state;
+ int t31buflen;
+- int tioflags;
++ int tioflags = 0;
+ struct group *grent;
+ char *devgroup;
+ char *pmode;
+Index: lib/libiax2/src/iax.c
+===================================================================
+--- ./lib/libiax2/src/iax.c (revision 45)
++++ ./lib/libiax2/src/iax.c (working copy)
+@@ -3283,20 +3283,7 @@
+ /* It's been acked. No need to send it. Destroy the old
+ frame. If final, destroy the session. */
+ if (frame->final)
+- /* sskacar: Quick deallocation and allocation of sessions may result in
+- the same-address-use ! Therefore we cannot trust remote-sent address only
+- Best bet is checking by somewhat unique properties to decide
+- if we really intend to destroy this session.
+- Example Case:
+- - Have a call
+- - Dump that call and immediately request a new call (or have a incoming call request by a lesser chance)
+- - By considerable probability, you might get the previous address for the session.
+- - When execution hits to this point as a result of previous call ending
+- (as client informs server about dumping and frees the previous session,
+- server proccess call-dumping and eventually this point reached)
+- - frame->session param to the destroy_session() belongs to the new & valid session ! */
+- if (frame->session && (frame->callno == frame->session->callno))
+- destroy_session(frame->session);
++ destroy_session(frame->session);
+ if (frame->data)
+ free(frame->data);
+ free(frame);
+Index: lib/spandsp/src/at_interpreter.c
+===================================================================
+--- ./lib/spandsp/src/at_interpreter.c (revision 45)
++++ ./lib/spandsp/src/at_interpreter.c (working copy)
+@@ -44,6 +44,7 @@
+ #include <string.h>
+ #include <ctype.h>
+ #include <assert.h>
++#include <syslog.h>
+
+ #include "spandsp/telephony.h"
+ #include "spandsp/logging.h"
+@@ -672,43 +673,6 @@
+ }
+ /*- End of function --------------------------------------------------------*/
+
+-static int parse_string_out(at_state_t *s, const char **t, char **target, const char *prefix)
+-{
+- char buf[100];
+-
+- switch (*(*t)++)
+- {
+- case '=':
+- switch (**t)
+- {
+- case '?':
+- /* Show possible values */
+- (*t)++;
+- snprintf(buf, sizeof(buf), "%s", (prefix) ? prefix : "");
+- at_put_response(s, buf);
+- break;
+- default:
+- /* Set value */
+- if (*target)
+- free(*target);
+- /* If this strdup fails, it should be harmless */
+- *target = strdup(*t);
+- break;
+- }
+- break;
+- case '?':
+- /* Show current index value */
+- at_put_response(s, (*target) ? *target : "");
+- break;
+- default:
+- return FALSE;
+- }
+- while (*t)
+- t++;
+- return TRUE;
+-}
+-/*- End of function --------------------------------------------------------*/
+-
+ static const char *s_reg_handler(at_state_t *s, const char *t, int reg)
+ {
+ int val;
+@@ -4965,10 +4929,31 @@
+ {
+ /* Extension of V.253 +VCID, Set calling number ID */
+ t += 5;
+- if (!parse_string_out(s, &t, &s->local_id, NULL))
++ switch (*t)
++ {
++ case '=':
++ switch (*(t+1))
++ {
++ case '?':
++ /* Show possible values */
++ at_put_response(s, "");
++ break;
++ default:
++ /* Set value */
++ s->local_id = strdup(t + 1);
++ if (at_modem_control(s, AT_MODEM_CONTROL_SETID, s->local_id) < 0)
++ return NULL;
++ break;
++ }
++ break;
++ case '?':
++ /* Show current index value from def */
++ at_put_response(s, (s->local_id) ? s->local_id : "");
++ break;
++ default:
+ return NULL;
+- if (at_modem_control(s, AT_MODEM_CONTROL_SETID, s->local_id) < 0)
+- return NULL;
++ }
++ while (*t) t++;
+ return t;
+ }
+ /*- End of function --------------------------------------------------------*/