strtol can parse negative values which opens the hole for a NUL
injection. The (invalid) entity "&#-256;" is parsed as 0xFFFFFF00 which
(when cast to a char) becomes 0.
Avoid this attack by using unsigned long integers. To avoid undefined
behavior due to negative shifts, restrict the upper bound of the code
points to the UTF-8 limits. (Add an assertion to make the Clang static
analyzer happy.)
Note: due to the specification of strtol, leading spaces and minus/plus
signs are also allowed, explicitly check for an integer. "&#x1;" is
still accepted, but that is considered a minor issue.
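To illustrate the two behaviours described in this commit, here is an added example (not FreeSWITCH's own switch_xml.c code): a minimal numeric-entity decoder in the vulnerable strtol form and in the hardened strtoul form. Both functions are this example's own and assume they receive the text just past "&#"; the 0x10FFFF upper bound is taken as the UTF-8 limit mentioned above.

```c
/* Added example, not from switch_xml.c: decoding of a numeric character
 * reference ("&#...;") before and after the fix described above. Both
 * functions receive the text just past "&#" and return the decoded code
 * point, or -1 if the reference is rejected. */
#include <assert.h>
#include <ctype.h>
#include <stdlib.h>

/* Vulnerable form: strtol accepts a leading sign, so "&#-256;" parses as
 * -256 (0xFFFFFF00 as 32-bit unsigned). Storing that into a char keeps the
 * low byte only, which is 0: a NUL byte injected into the decoded string. */
int decode_entity_vulnerable(const char *s)
{
    char *end;
    long c = strtol(s, &end, 10);
    if (end == s || *end != ';')
        return -1;
    return (unsigned char)c;   /* -256 -> 0 (NUL) */
}

/* Hardened form: parse as unsigned long, require an actual digit right
 * after "&#" or "&#x" (strtoul would still skip spaces and accept '-'),
 * and cap the code point at 0x10FFFF (assumed UTF-8 limit) so that a huge
 * value can never be shifted or truncated into something unexpected. */
int decode_entity_hardened(const char *s)
{
    const char *p = s;
    char *end;
    int base = 10;
    unsigned long c;

    if (*p == 'x' || *p == 'X') {
        base = 16;
        p++;
    }
    /* Explicit integer check: reject leading space, '+' and '-'. */
    if (base == 10 ? !isdigit((unsigned char)*p) : !isxdigit((unsigned char)*p))
        return -1;
    c = strtoul(p, &end, base);
    if (*end != ';' || c > 0x10FFFF)
        return -1;
    return (int)c;             /* "&#x1;" is still accepted (minor issue) */
}

int main(void)
{
    assert(decode_entity_vulnerable("-256;") == 0);   /* NUL injection */
    assert(decode_entity_hardened("-256;") == -1);    /* rejected */
    return 0;
}
```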
Partially rewrite switch_xml_set_attr to fix memory leaks, uninitialized
argument values and use-after-free warnings from Clang static analyzer.
Fixes these problems:
- Add some comments and a new variable such that the code can more
easily be audited / understood.
- Always clear SWITCH_XML_DUP flag even if an error occurred to prevent
free()'ing static strings on future invocations.
- Keep the attribute list in a consistent state even if one of the
memory allocations fails.
- Keep allocation metadata in a consistent state when shrinking of the
attribute lists fails. Previously the metadata was not updated,
resulting in a wrong mapping from attributes to allocation flags.
- Fix memory leaks when allocations fail.
Previous behavior: invalid memory accesses are possible after a memory
allocation failure, previous attributes may be lost.
New behavior: attributes list is always valid, a new attribute is either
set (or not), attributes can always be removed.
added xml fetch for channels to externally support nightmare transfer
depends on channel-xml-fetch-on-nightmare-transfer profile param (default is disabled)
fixes missing entry in switch_xml.c to enable the xml binding
This commit also reverts 2 previous attempts to fix this very rare race issue spanning back to 2009
62ce853897 Patch from MOC
3a85348cdf FS-2302 mutex added around switch_xml_toxml()
The real problem was switch_xml_toxml_buf() was actually temporarily modifying the xml structure being serialized to make it appear to be a root structure then serializing it and restoring the pointers. This caused a non-threadsafe operation when some other thread was scanning the same xml structure.
This patch removes the modification and instead passes a new arg to switch_xml_toxml_r indicating to treat the structure as if it were a root structure.
This bug has been present since the induction of xml into FS.
Unlike fread(3), read(3) will return -1 on error. We were assigning
the result of read to a potentially unsigned variable, and passing the
result down to switch_xml_parse_str() where it would end up
determining how many bytes to malloc(3).