[asterisk-bugs] [Asterisk 0010670]: crash in ast_obj2 (deletion)

noreply at bugs.digium.com
Fri Sep 7 13:01:07 CDT 2007


The following issue has been CLOSED 
====================================================================== 
http://bugs.digium.com/view.php?id=10670 
====================================================================== 
Reported By:                murf
Assigned To:                
====================================================================== 
Project:                    Asterisk
Issue ID:                   10670
Category:                   Core-General
Reproducibility:            always
Severity:                   crash
Priority:                   normal
Status:                     closed
Asterisk Version:            SVN 
SVN Branch (only for SVN checkouts, not tarball releases): N/A  
SVN Revision (number only!):  
Disclaimer on File?:        N/A 
Request Review:              
Resolution:                 open
Fixed in Version:           
====================================================================== 
Date Submitted:             09-07-2007 12:03 CDT
Last Modified:              09-07-2007 13:01 CDT
====================================================================== 
Summary:                    crash in ast_obj2 (deletion)
Description: 

What happens: in ao2_ref(),

		/* for safety, zero-out the astobj2 header and also the
		 * first word of the user-data, which we make sure is always
		 * allocated. */
		bzero(obj, sizeof(struct astobj2 *) + sizeof(void *) );
		free(obj);
		ast_atomic_fetchadd_int(&ao2.total_objects, -1);

Freeing the obj is lethal, because it is still referenced by the bucket.
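
The ownership rule behind the report above, as an added example that is not part of the original report and is not Asterisk's astobj2 code: a container that keeps a pointer to an object must hold its own reference, so the free at refcount zero can only happen after the object is unlinked. All names here (`obj`, `bucket`, `obj_ref`, `live_objects`) are hypothetical, and the toy is single-threaded.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model, constructed for illustration; not the astobj2 layout. */
struct obj { int refs; int key; struct obj *next; };
struct bucket { struct obj *head; };
static int live_objects;               /* plays the role of a total_objects counter */

static struct obj *obj_alloc(int key) {
    struct obj *o = calloc(1, sizeof(*o));
    if (!o) return NULL;
    o->refs = 1;                       /* the caller's reference */
    o->key = key;
    live_objects++;
    return o;
}
/* Adjust the count; wipe and free only when nobody references the object. */
static int obj_ref(struct obj *o, int delta) {
    int now = (o->refs += delta);
    if (now == 0) {
        memset(o, 0, sizeof(*o));
        free(o);
        live_objects--;
    }
    return now;
}
static void bucket_link(struct bucket *b, struct obj *o) {
    obj_ref(o, +1);                    /* the bucket's own reference */
    o->next = b->head;
    b->head = o;
}
static int bucket_unlink(struct bucket *b, struct obj *o) {
    for (struct obj **pp = &b->head; *pp; pp = &(*pp)->next)
        if (*pp == o) { *pp = o->next; o->next = NULL; obj_ref(o, -1); return 1; }
    return 0;
}
static struct obj *bucket_find(struct bucket *b, int key) {
    for (struct obj *o = b->head; o; o = o->next) if (o->key == key) return o;
    return NULL;
}
/* Caller drops its reference first; the bucket's pointer must stay valid. */
int demo_live_after_caller_unref(void) {
    struct bucket b = { NULL };
    struct obj *o = obj_alloc(7);
    if (!o) return 0;
    bucket_link(&b, o);                        /* refs == 2 */
    obj_ref(o, -1);                            /* refs == 1, not freed */
    int found = (bucket_find(&b, 7) == o);     /* safe: object still alive */
    bucket_unlink(&b, o);                      /* last reference: freed here */
    return found && b.head == NULL && live_objects == 0;
}
int main(void) { printf("ok=%d\n", demo_live_after_caller_unref()); return 0; }
```

If `bucket_link` did not take its own reference, the caller's `obj_ref(o, -1)` would free the object while `b.head` still pointed at it, which is the dangling bucket pointer the report describes.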

