[asterisk-bugs] [Asterisk 0017363]: Redirecting ; 1 side of local channel during optimisation causes double free of ; 1 side and crash

Asterisk Bug Tracker noreply at bugs.digium.com
Wed May 19 11:17:44 CDT 2010 

The following issue has been SUBMITTED. 
====================================================================== 
https://issues.asterisk.org/view.php?id=17363 
====================================================================== 
Reported By:                davidw
Assigned To:                
====================================================================== 
Project:                    Asterisk
Issue ID:                   17363
Category:                   Core/General
Reproducibility:            sometimes
Severity:                   crash
Priority:                   normal
Status:                     new
Asterisk Version:           SVN 
JIRA:                        
Regression:                 No 
Reviewboard Link:            
SVN Branch (only for SVN checkouts, not tarball releases): 1.6.2 
SVN Revision (number only!): 264112 
Request Review:              
====================================================================== 
Date Submitted:             2010-05-19 11:17 CDT
Last Modified:              2010-05-19 11:17 CDT
====================================================================== 
Summary:                    Redirecting ;1 side of local channel during
optimisation causes double free of ;1 side and crash
Description: 
If the ;1 side of a local channel is redirected between the
ast_channel_masquerade call and the ast_do_masquerade call resulting from
the channel being answered and optimised, the ;1 side gets double freed
and, without MALLOC_DEBUG, free() calls abort(), crashing Asterisk.

Scenario.  With MALLOC_DEBUG enabled, use ChannelRedirect on the ;q side
of a local channel marginally after the ;2 side has been answered.

Expect. Redirect fails gracefully and optimisation completes.

Actual.  Sometimes the original ;1 side channel structure is freed twice. 
(With MALLOC_DEBUG not enabled, but using 1.6.1.0, free() calls abort() and
crashes Asterisk.)

====================================================================== 

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2010-05-19 11:17 davidw         New Issue                                    
2010-05-19 11:17 davidw         Asterisk Version          => SVN             
2010-05-19 11:17 davidw         Regression                => No              
2010-05-19 11:17 davidw         SVN Branch (only for SVN checkouts, not tarball
releases) => 1.6.2           
2010-05-19 11:17 davidw         SVN Revision (number only!) => 264112          
======================================================================

More information about the asterisk-bugs mailing list