-rw-r--r-- | main/iaxmodem/APKBUILD | 10 | ||||
-rw-r--r-- | main/iaxmodem/fix-use-after-free.patch | 189 |
2 files changed, 146 insertions, 53 deletions
diff --git a/main/iaxmodem/APKBUILD b/main/iaxmodem/APKBUILD index 7f31b3f17d7..e9b162b2e13 100644 --- a/main/iaxmodem/APKBUILD +++ b/main/iaxmodem/APKBUILD @@ -3,7 +3,7 @@ # Maintainer: Cameron Banta <cbanta@gmail.com> pkgname=iaxmodem pkgver=1.3.2 -pkgrel=1 +pkgrel=2 pkgdesc="Softmodem for hylafax that connects to VOIP gateway with IAX" url="http://iaxmodem.sourceforge.net/" arch="all" @@ -72,10 +72,12 @@ package() { } -sha512sums="ec53be179c5651825dc4e0883d8bdd33662e477b964e3130c94ca46c6d9b628a1087d33f87bebe005e306b52d75cd00407958403d9d175944fba0f5d69d34269 iaxmodem-1.3.2.tar.gz +sha512sums=" +ec53be179c5651825dc4e0883d8bdd33662e477b964e3130c94ca46c6d9b628a1087d33f87bebe005e306b52d75cd00407958403d9d175944fba0f5d69d34269 iaxmodem-1.3.2.tar.gz 999ba9d554ffa8ecb00b4e18b2e25d0c077a64560985ffc035fe89dedf7ff9686c347aba16a0bc05ad9a4d11e17b9ddad3b99772b2b61e1fcaea00c63bcbb897 iaxmodem-fix.patch -9ed5fecaaa86fb0808ea088a7ee6f0b07442f1120d7139b85227322fbfc8afa4622565dc88f36a3d3961ebf080d76336ecebef3fc6a486e62c8f6bc2aac60b6b fix-use-after-free.patch +5efbb8d430e2d216732d28a91f5b8acef554ce7ef14cb9d8c14f56292b704f35946faa3c24c3c655c0669bdd8a0279985d4f37dc7dfad05ae53c0d902d8941ef fix-use-after-free.patch ec32c1c81a460033d1b419292f408974409d08cfc754af92ca5af303cc848fc5dc3a019028c6724346e96ab5d600519862fd9a2c3f01ae6cf7139ff377de4b80 config.guess fb999aada492f963fdf86184629a7351e5ff3adac6f4707a2d150ae18cea02478b4ebcb1d2d0bd11698ed74415d2a73bc07d8c0d96a5035bd567d2738fa73128 config.sub c5b01eecd8048a99777c0265bc31cd8dcafa7ab2b30798500ec52e759f4ad97ffc13e8e72ad3018e9cd77b2acefdbbe7125b0b0d7f7cefd4ab6d764c690c89a1 iaxmodem.confd -5e62ae6ea099db21e5f3ce319a28b3e6a9da1a2283fd29404126b486209119cfcf32628e9d3f3323522db30dbf052378f654f9498cd1ae75a447d44005b1f587 iaxmodem.initd" +5e62ae6ea099db21e5f3ce319a28b3e6a9da1a2283fd29404126b486209119cfcf32628e9d3f3323522db30dbf052378f654f9498cd1ae75a447d44005b1f587 iaxmodem.initd +" 
diff --git a/main/iaxmodem/fix-use-after-free.patch b/main/iaxmodem/fix-use-after-free.patch
index df1b0b2ce75..e874e7af578 100644
--- a/main/iaxmodem/fix-use-after-free.patch
+++ b/main/iaxmodem/fix-use-after-free.patch
@@ -1,51 +1,142 @@ -make sure that we set the session to NULL when free'ing it +https://sourceforge.net/p/iaxmodem/code/46/ +https://sourceforge.net/p/iaxmodem/discussion/497500/thread/b2469a0d1a/ -diff --git a/iaxmodem.c b/iaxmodem.c -index e1ab731..3c80c29 100644 ---- a/iaxmodem.c -+++ b/iaxmodem.c -@@ -213,8 +213,8 @@ cleanup(int sig) - iax_unregister(session[1], server, regpeer, regsecret, "Exiting"); - while (!(iaxevent = iax_get_event(1))); - iax_event_free(iaxevent); -- iax_destroy(session[1]); -- iax_destroy(session[0]); -+ iax_session_destroy(&session[1]); -+ iax_session_destroy(&session[0]); - } +Index: iaxmodem.c +=================================================================== +--- ./iaxmodem.c (revision 45) ++++ ./iaxmodem.c (working copy) +@@ -543,7 +543,7 @@ + printlog(LOG_INFO, "Answering\n"); - /* Escalate privileges */ -@@ -603,7 +603,7 @@ t31_call_control_handler(t31_state_t *s, void *user_data, int op, const char *nu - sleep(1); // apparently necessary or the answer can be ignored - } - iax_hangup(session[0], "Normal disconnect"); -- iax_destroy(session[0]); -+ iax_session_destroy(&session[0]); - phonestate = PHONE_FREED; - if (gothup) sighandler(SIGHUP); - } -@@ -1202,7 +1202,7 @@ iaxmodem(const char *config, int nondaemon) - * one. In any case, omitting it seems harmless, as iax_destroy seems - * to do the necessary job. - */ -- iax_destroy(session[0]); -+ iax_session_destroy(&session[0]); - phonestate = PHONE_FREED; - modemstate = MODEM_ONHOOK; - if (gothup) sighandler(SIGHUP); -@@ -1224,13 +1224,13 @@ iaxmodem(const char *config, int nondaemon) - printlog(LOG_INFO, "Registration completed successfully.\n"); - if (iaxevent->ies.refresh > 0) refresh = iaxevent->ies.refresh; - regstate = REGISTERED; -- iax_destroy(session[1]); -+ iax_session_destroy(&session[1]); - break; - case IAX_EVENT_REGREJ: - printlog(LOG_ERROR, "Registration failed.\n"); - /* To prevent fast looping with registration-attempts, we leave regstate PENDING. 
*/ - //regstate = UNREGISTERED; -- iax_destroy(session[1]); -+ iax_session_destroy(&session[1]); - break; - case IAX_EVENT_TIMEOUT: - if (regstate == PENDING) { + /* Unset V.24 Circuit 125, "ring indicator". */ +- int tioflags; ++ int tioflags = 0; + ioctl(aslave, TIOCMGET, &tioflags); + tioflags &= ~TIOCM_RI; + ioctl(aslave, TIOCMSET, &tioflags); +@@ -762,7 +762,7 @@ + int16_t iaxbuf[VOIP_PACKET_SIZE]; + static t31_state_t t31_state; + int t31buflen; +- int tioflags; ++ int tioflags = 0; + struct group *grent; + char *devgroup; + char *pmode; +Index: lib/libiax2/src/iax.c +=================================================================== +--- ./lib/libiax2/src/iax.c (revision 45) ++++ ./lib/libiax2/src/iax.c (working copy) +@@ -3283,20 +3283,7 @@ + /* It's been acked. No need to send it. Destroy the old + frame. If final, destroy the session. */ + if (frame->final) +- /* sskacar: Quick deallocation and allocation of sessions may result in +- the same-address-use ! Therefore we cannot trust remote-sent address only +- Best bet is checking by somewhat unique properties to decide +- if we really intend to destroy this session. +- Example Case: +- - Have a call +- - Dump that call and immediately request a new call (or have a incoming call request by a lesser chance) +- - By considerable probability, you might get the previous address for the session. +- - When execution hits to this point as a result of previous call ending +- (as client informs server about dumping and frees the previous session, +- server proccess call-dumping and eventually this point reached) +- - frame->session param to the destroy_session() belongs to the new & valid session ! 
*/ +- if (frame->session && (frame->callno == frame->session->callno)) +- destroy_session(frame->session); ++ destroy_session(frame->session); + if (frame->data) + free(frame->data); + free(frame); +Index: lib/spandsp/src/at_interpreter.c +=================================================================== +--- ./lib/spandsp/src/at_interpreter.c (revision 45) ++++ ./lib/spandsp/src/at_interpreter.c (working copy) +@@ -44,6 +44,7 @@ + #include <string.h> + #include <ctype.h> + #include <assert.h> ++#include <syslog.h> + + #include "spandsp/telephony.h" + #include "spandsp/logging.h" +@@ -672,43 +673,6 @@ + } + /*- End of function --------------------------------------------------------*/ + +-static int parse_string_out(at_state_t *s, const char **t, char **target, const char *prefix) +-{ +- char buf[100]; +- +- switch (*(*t)++) +- { +- case '=': +- switch (**t) +- { +- case '?': +- /* Show possible values */ +- (*t)++; +- snprintf(buf, sizeof(buf), "%s", (prefix) ? prefix : ""); +- at_put_response(s, buf); +- break; +- default: +- /* Set value */ +- if (*target) +- free(*target); +- /* If this strdup fails, it should be harmless */ +- *target = strdup(*t); +- break; +- } +- break; +- case '?': +- /* Show current index value */ +- at_put_response(s, (*target) ? 
*target : ""); +- break; +- default: +- return FALSE; +- } +- while (*t) +- t++; +- return TRUE; +-} +-/*- End of function --------------------------------------------------------*/ +- + static const char *s_reg_handler(at_state_t *s, const char *t, int reg) + { + int val; +@@ -4965,10 +4929,31 @@ + { + /* Extension of V.253 +VCID, Set calling number ID */ + t += 5; +- if (!parse_string_out(s, &t, &s->local_id, NULL)) ++ switch (*t) ++ { ++ case '=': ++ switch (*(t+1)) ++ { ++ case '?': ++ /* Show possible values */ ++ at_put_response(s, ""); ++ break; ++ default: ++ /* Set value */ ++ s->local_id = strdup(t + 1); ++ if (at_modem_control(s, AT_MODEM_CONTROL_SETID, s->local_id) < 0) ++ return NULL; ++ break; ++ } ++ break; ++ case '?': ++ /* Show current index value from def */ ++ at_put_response(s, (s->local_id) ? s->local_id : ""); ++ break; ++ default: + return NULL; +- if (at_modem_control(s, AT_MODEM_CONTROL_SETID, s->local_id) < 0) +- return NULL; ++ } ++ while (*t) t++; + return t; + } + /*- End of function --------------------------------------------------------*/ |
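Review bot: In the new +VCID branch of lib/spandsp/src/at_interpreter.c, `s->local_id = strdup(t + 1);` overwrites the previous pointer without releasing it and hands the result to at_modem_control() without a NULL check, so each set leaks the old string if this state owns it, and an allocation failure passes a null ID downstream. Copying into a temporary first, `char *id = strdup(t + 1); if (id == NULL) return NULL; s->local_id = id;`, covers the failure case; a comment should also state who owns local_id, since the removed parse_string_out() freed it and dropping that free may be deliberate in this patch. Separately, the lib/libiax2/src/iax.c part now calls `destroy_session(frame->session);` unconditionally on a final frame, with neither the NULL test nor the callno comparison the removed lines had; whether destroy_session() tolerates a NULL or stale pointer is not visible here, so a short comment recording why that is safe would help the next reader. The enclosing functions in both files begin outside the quoted hunks.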