[Core] Prevent write after free into heap when calling switch_core_destroy_memory_pool()

Andrey Volk 2020-12-16 04:10:45 +04:00
parent 90db5a9032
commit a7fa9bfedc
1 changed files with 12 additions and 10 deletions


@ -465,38 +465,42 @@ SWITCH_DECLARE(switch_status_t) switch_core_perform_destroy_memory_pool(switch_m
{
char *tmp;
const char *tag;
switch_memory_pool_t *tmp_pool = NULL;
switch_assert(pool != NULL);
/* In tag we store who calls the pool creation.
Now we append it with who calls the pool destroy.
*/
if (*pool) {
tag = apr_pool_tag(*pool, NULL);
tmp = switch_core_sprintf(*pool, "%s,%s:%d", (tag ? tag : ""), file, line);
apr_pool_tag(*pool, tmp);
tmp_pool = *pool;
*pool = NULL;
tag = apr_pool_tag(tmp_pool, NULL);
tmp = switch_core_sprintf(tmp_pool, "%s,%s:%d", (tag ? tag : ""), file, line);
apr_pool_tag(tmp_pool, tmp);
}
#ifdef DEBUG_ALLOC2
switch_log_printf(SWITCH_CHANNEL_ID_LOG, file, func, line, NULL, SWITCH_LOG_CONSOLE, "%p Free Pool %s\n", (void *) *pool, apr_pool_tag(*pool, NULL));
switch_log_printf(SWITCH_CHANNEL_ID_LOG, file, func, line, NULL, SWITCH_LOG_CONSOLE, "%p Free Pool %s\n", (void *) tmp_pool, apr_pool_tag(tmp_pool, NULL));
#endif
#ifdef INSTANTLY_DESTROY_POOLS
#ifdef USE_MEM_LOCK
switch_mutex_lock(memory_manager.mem_lock);
#endif
apr_pool_destroy(*pool);
apr_pool_destroy(tmp_pool);
#ifdef USE_MEM_LOCK
switch_mutex_unlock(memory_manager.mem_lock);
#endif
#else
if ((memory_manager.pool_thread_running != 1) || (switch_queue_push(memory_manager.pool_queue, *pool) != SWITCH_STATUS_SUCCESS)) {
if ((memory_manager.pool_thread_running != 1) || (switch_queue_push(memory_manager.pool_queue, tmp_pool) != SWITCH_STATUS_SUCCESS)) {
#ifdef USE_MEM_LOCK
switch_mutex_lock(memory_manager.mem_lock);
#endif
#if APR_POOL_DEBUG
apr_pool_destroy_debug(*pool, func);
apr_pool_destroy_debug(tmp_pool, func);
#else
apr_pool_destroy(*pool);
apr_pool_destroy(tmp_pool);
#endif
#ifdef USE_MEM_LOCK
switch_mutex_unlock(memory_manager.mem_lock);
@ -504,8 +508,6 @@ SWITCH_DECLARE(switch_status_t) switch_core_perform_destroy_memory_pool(switch_m
}
#endif
*pool = NULL;
return SWITCH_STATUS_SUCCESS;
}
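Review bot: When `*pool` is already NULL on entry, `tmp_pool` stays NULL and the function still falls through to the `DEBUG_ALLOC2` log, to `switch_queue_push(memory_manager.pool_queue, tmp_pool)` and to the `apr_pool_destroy(tmp_pool)` calls, because the `if (*pool)` guard covers only the tagging. A second destroy on an already-cleared handle takes this path. Whether the queue consumer and `apr_pool_destroy` tolerate a NULL pool is not visible here, so I would return early right after the guard block with `if (!tmp_pool) { return SWITCH_STATUS_SUCCESS; }`. I would also add a comment above `*pool = NULL;`, for example `/* clear the caller's handle before destroying: the handle itself may be stored in memory owned by this pool */`, which is the reason I infer from the commit title and should be confirmed. The function's signature appears only in the hunk header, and one line between the two hunks is not shown.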