[asterisk-bugs] [Asterisk 0012986]: [patch] segfault in app_chanspy.cpp
noreply at bugs.digium.com
Thu Jul 3 16:00:47 CDT 2008
A NOTE has been added to this issue.
======================================================================
http://bugs.digium.com/view.php?id=12986
======================================================================
Reported By: andrew53
Assigned To: putnopvut
======================================================================
Project: Asterisk
Issue ID: 12986
Category: Applications/app_chanspy
Reproducibility: random
Severity: crash
Priority: normal
Status: assigned
Asterisk Version: SVN
SVN Branch (only for SVN checkouts, not tarball releases): trunk
SVN Revision (number only!): 127434
Disclaimer on File?: N/A
Request Review:
======================================================================
Date Submitted: 07-03-2008 14:37 CDT
Last Modified: 07-03-2008 16:00 CDT
======================================================================
Summary: [patch] segfault in app_chanspy.cpp
Description:
Due to some kind of race condition that I wasn't able to identify exactly
(most likely a channel disconnected while trying to attach to it for
monitoring), ast_bridged_channel(spyee) (called from channel_spy) returns
a null pointer, which start_spying tries to dereference without checking.
Backtrace and patch are attached.
======================================================================
----------------------------------------------------------------------
andrew53 - 07-03-08 16:00
----------------------------------------------------------------------
spyee_bridge declaration is missing
Index: apps/app_chanspy.c
===================================================================
--- apps/app_chanspy.c (revision 127831)
+++ apps/app_chanspy.c (working copy)
@@ -323,6 +323,7 @@
struct ast_frame *f;
struct ast_silence_generator *silgen = NULL;
struct ast_channel *spyee = NULL;
+ struct ast_channel *spyee_bridge = NULL;
const char *spyer_name;
ast_channel_lock(chan);
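Review bot: The added `struct ast_channel *spyee_bridge = NULL;` is declared for the whole function, but the only use visible in this patch is inside the `if ((spyee_bridge = ast_bridged_channel(spyee)))` block of the next hunk. A short comment on the declaration saying that it holds the result of `ast_bridged_channel(spyee)` and is only meaningful between `ast_channel_lock(spyee_bridge)` and `ast_channel_unlock(spyee_bridge)` would keep later code from reusing a stale pointer after the unlock.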
@@ -364,7 +365,7 @@
start_spying(spyee, spyer_name, &csth.whisper_audiohook); /*
Unlocks spyee */
if ((spyee_bridge = ast_bridged_channel(spyee))) {
ast_channel_lock(spyee_bridge);
- start_spying(ast_bridged_channel(spyee), spyer_name,
&csth.bridge_whisper_audiohook);
+ start_spying(spyee_bridge, spyer_name,
&csth.bridge_whisper_audiohook);
ast_channel_unlock(spyee_bridge);
}
ast_channel_unlock(spyee);
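Review bot: Caching the lookup removes the second `ast_bridged_channel(spyee)` call that could return NULL, but between `spyee_bridge = ast_bridged_channel(spyee)` and `ast_channel_lock(spyee_bridge)` the pointer is still used with nothing visible here that keeps the bridged channel alive, so a hangup in that window would leave the lock call operating on a freed channel. Please state what protects `spyee_bridge` at that point. The context comment on the first `start_spying(spyee, ...)` call says "Unlocks spyee", yet the hunk goes on to call `ast_bridged_channel(spyee)` and ends with `ast_channel_unlock(spyee)`. If that comment is accurate, the lookup runs without the spyee lock and both `ast_channel_unlock` calls release locks that `start_spying` already dropped. If it is stale, it should be corrected in this patch, since the locking here is the whole point of the fix.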
Issue History
Date Modified Username Field Change
======================================================================
07-03-08 16:00 andrew53 Note Added: 0089718
======================================================================