[asterisk-bugs] [Asterisk 0017363]: [patch] Redirecting ; 1 side of local channel during optimisation causes double free of ; 1 side and crash

Asterisk Bug Tracker noreply at bugs.digium.com
Mon Sep 20 17:57:49 CDT 2010


A NOTE has been added to this issue. 
====================================================================== 
https://issues.asterisk.org/view.php?id=17363 
====================================================================== 
Reported By:                davidw
Assigned To:                
====================================================================== 
Project:                    Asterisk
Issue ID:                   17363
Category:                   Core/General
Reproducibility:            sometimes
Severity:                   crash
Priority:                   normal
Status:                     confirmed
Asterisk Version:           SVN 
JIRA:                       SWP-1513 
Regression:                 No 
Reviewboard Link:            
SVN Branch (only for SVN checkouts, not tarball releases): 1.6.2 
SVN Revision (number only!): 264112 
Request Review:              
====================================================================== 
Date Submitted:             2010-05-19 11:17 CDT
Last Modified:              2010-09-20 17:57 CDT
====================================================================== 
Summary:                    [patch] Redirecting ;1 side of local channel during
optimisation causes double free of ;1 side and crash
Description: 
If the ;1 side of a local channel is redirected between the
ast_channel_masquerade call and the ast_do_masquerade call resulting from
the channel being answered and optimised, the ;1 side gets double freed
and, without MALLOC_DEBUG, free() calls abort(), crashing Asterisk.

Scenario.  With MALLOC_DEBUG enabled, use ChannelRedirect on the ;q side
of a local channel marginally after the ;2 side has been answered.

Expect. Redirect fails gracefully and optimisation completes.

Actual.  Sometimes the original ;1 side channel structure is freed twice. 
(With MALLOC_DEBUG not enabled, but using 1.6.1.0, free() calls abort() and
crashes Asterisk.)

======================================================================
Relationships       ID      Summary
----------------------------------------------------------------------
related to          0016057 [patch] Asterisk crashes with "Fix...
related to          0017567 Asterisk crashes after redirect
====================================================================== 

---------------------------------------------------------------------- 
 (0127155) svnbot (reporter) - 2010-09-20 17:57
 https://issues.asterisk.org/view.php?id=17363#c127155 
---------------------------------------------------------------------- 
Repository: asterisk
Revision: 287682

U   branches/1.4/main/channel.c

------------------------------------------------------------------------
r287682 | alecdavis | 2010-09-20 17:57:49 -0500 (Mon, 20 Sep 2010) | 18
lines

ast_channel_masquerade: Avoid recursive masquerades.

Check all 4 combinations of (original/clonechan) * (masq/masqr).

Initially original->masq and clonechan->masqr were only checked.

It's possible with multiple masq's planned - and not yet executed, that
 the 'original' chan could already have another masq'd into it - thus
original->masqr
would be set, that masqr would lost.
Likewise for the clonechan->masq.

(closes issue
https://issues.asterisk.org/view.php?id=16057;https://issues.asterisk.org/view.php?id=17363)
Reported by: amorsen;davidw,alecdavis
Patches: 
      bug16057.diff4.txt uploaded by alecdavis (license 585)
Tested by: ramonpeek, davidw, alecdavis


------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=287682 

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2010-09-20 17:57 svnbot         Checkin                                      
2010-09-20 17:57 svnbot         Note Added: 0127155                          
======================================================================




More information about the asterisk-bugs mailing list