[asterisk-bugs] [Asterisk 0017919]: [patch] schedule_delivery calls ast_bridged_channel() on an unlocked channel
Asterisk Bug Tracker
noreply at bugs.digium.com
Tue Sep 21 19:06:22 CDT 2010
A NOTE has been added to this issue.
======================================================================
https://issues.asterisk.org/view.php?id=17919
======================================================================
Reported By: rain
Assigned To: rmudgett
======================================================================
Project: Asterisk
Issue ID: 17919
Category: Channels/chan_iax2
Reproducibility: random
Severity: crash
Priority: normal
Status: closed
Target Version: 1.6.2.15
Asterisk Version: Older 1.6.2 - please test a newer version
JIRA: SWP-2133
Regression: No
Reviewboard Link:
SVN Branch (only for SVN checkouts, not tarball releases): N/A
SVN Revision (number only!):
Request Review:
Resolution: fixed
Fixed in Version:
======================================================================
Date Submitted: 2010-08-27 15:11 CDT
Last Modified: 2010-09-21 19:06 CDT
======================================================================
Summary: [patch] schedule_delivery calls ast_bridged_channel() on an unlocked channel
Description:
Near the beginning of schedule_delivery(), ast_bridged_channel() is called
on iaxs[fr->callno]->owner; however, that channel is not locked, which can
result in ast_bridged_channel() crashing should owner->tech change to a
technology that doesn't implement bridged_channel. I spoke briefly
with russellb on IRC, who agreed that this usage is unsafe.
======================================================================
Relationships ID Summary
----------------------------------------------------------------------
has duplicate 0017920 schedule_delivery calls ast_bridged_cha...
======================================================================
----------------------------------------------------------------------
(0127262) svnbot (reporter) - 2010-09-21 19:06
https://issues.asterisk.org/view.php?id=17919#c127262
----------------------------------------------------------------------
Repository: asterisk
Revision: 288194
_U branches/1.8/
U branches/1.8/channels/chan_iax2.c
------------------------------------------------------------------------
r288194 | rmudgett | 2010-09-21 19:06:22 -0500 (Tue, 21 Sep 2010) | 40 lines

Merged revisions 288193 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.6.2
................
r288193 | rmudgett | 2010-09-21 19:03:37 -0500 (Tue, 21 Sep 2010) | 33 lines

Merged revisions 288192 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.4
........
r288192 | rmudgett | 2010-09-21 18:55:58 -0500 (Tue, 21 Sep 2010) | 26 lines

In chan_iax2.c:schedule_delivery() calls ast_bridged_channel() on an
unlocked channel.

Near the beginning of schedule_delivery(), ast_bridged_channel() is called
on iaxs[fr->callno]->owner. However, the channel is not locked, which can
result in ast_bridged_channel() crashing should owner->tech change to a
technology that doesn't implement bridged_channel.

I also fixed the other calls to ast_bridged_channel() in chan_iax2.c since
the owner lock was not held there either.

Converted the existing channel deadlock avoidance to use
iax2_lock_owner(). Using the new function simplified some awkward code.

In the process of fixing the locking on ast_bridged_channel(), I also
found a memory leak in socket_process() for v1.6.2 and v1.8. The local
struct variable ies.vars is not freed on early/abnormal function exits.

(closes issue https://issues.asterisk.org/view.php?id=17919)
Reported by: rain
Patches:
issue17919_v1.4.patch uploaded by rmudgett (license 664)
issue17919_w_leak_v1.6.2.patch uploaded by rmudgett (license
664)
issue17919_w_leak_v1.8.patch uploaded by rmudgett (license 664)
Review: https://reviewboard.asterisk.org/r/926/
........
................
------------------------------------------------------------------------
http://svn.digium.com/view/asterisk?view=rev&revision=288194
Issue History
Date Modified Username Field Change
======================================================================
2010-09-21 19:06 svnbot Checkin
2010-09-21 19:06 svnbot Note Added: 0127262
======================================================================