From 7ea1aaf8e10f8b45f23dbac0abfb3138af4ae76f Mon Sep 17 00:00:00 2001
From: Mike Bradeen
Date: Wed, 6 May 2026 16:33:43 -0600
Subject: [PATCH] res_stir_shaken: fix memory free crash when Asterisk is built with malloc_debug crypto_utils uses ast_asprintf to allocate the search string when checking the certificate subject, but was not using ast_free to free it. This caused a crash when Asterisk was built with malloc_debug
Resolves: #1921
---
 res/res_stir_shaken/crypto_utils.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/res/res_stir_shaken/crypto_utils.c b/res/res_stir_shaken/crypto_utils.c
index b1671c1593..ce22bf8bc9 100644
--- a/res/res_stir_shaken/crypto_utils.c
+++ b/res/res_stir_shaken/crypto_utils.c
@@ -917,9 +917,15 @@ time_t crypto_asn_time_as_time_t(ASN1_TIME *at)
 char *crypto_get_cert_subject(X509 *cert, const char *short_name)
 {
 size_t len = 0;
+ /* buffer is allocated via open_memstream, which is outside of Asterisk's
+ memory management. It therefore must be freed via ast_std_free to
+ remain independent of MALLOC_DEBUG */
 RAII_VAR(char *, buffer, NULL, ast_std_free);
+ /* search is allocated via ast_asprintf, which is within Asterisk's
+ memory management. It therefore must be freed via ast_free or will
+ cause a crash when used with MALLOC_DEBUG */
+ RAII_VAR(char *, search, NULL, ast_free);
 char *search_buff = NULL;
- char *search = NULL;
 size_t search_len = 0;
 char *rtn = NULL;
 char *line = NULL;
@@ -971,7 +977,6 @@ char *crypto_get_cert_subject(X509 *cert, const char *short_name)
 }
 }
- ast_std_free(search);
 return rtn;
 }
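Review bot: `size_t search_len = 0;`, declared next to the `search` pointer that the first hunk moves under RAII_VAR, is unsigned and so cannot hold the -1 an asprintf-style call returns on failure. The ast_asprintf call is outside the hunk, so this is inferred: if its return value is assigned to `search_len`, an allocation failure would look like a very large length rather than an error, and the code after it would go on to use `search`. Storing the result in an `int` and testing `if (n <= 0) { return NULL; }` before assigning it to `search_len` would make the failure path explicit. The body of crypto_get_cert_subject continues past the end of this hunk.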