[asterisk-bugs] [Asterisk 0019359]: [patch] app_dial may double free a channel datastore

Asterisk Bug Tracker noreply at bugs.digium.com
Tue May 24 19:59:42 CDT 2011


A NOTE has been added to this issue. 
====================================================================== 
https://issues.asterisk.org/view.php?id=19359 
====================================================================== 
Reported By:                kobaz
Assigned To:                
====================================================================== 
Project:                    Asterisk
Issue ID:                   19359
Category:                   Applications/app_dial
Reproducibility:            always
Severity:                   major
Priority:                   normal
Status:                     new
Asterisk Version:           1.8.4 
JIRA:                        
Regression:                 No 
Reviewboard Link:            
SVN Branch (only for SVN checkouts, not tarball releases): N/A 
SVN Revision (number only!):  
Request Review:              
====================================================================== 
Date Submitted:             2011-05-24 18:13 CDT
Last Modified:              2011-05-24 19:59 CDT
====================================================================== 
Summary:                    [patch] app_dial may double free a channel datastore
Description: 
While a Dial() is running and a Bridge() is used to steal the call, there may
be a datastore that's freed by app_bridge and then also freed in app_dial.


====================================================================== 

---------------------------------------------------------------------- 
 (0135358) elguero (reporter) - 2011-05-24 19:59
 https://issues.asterisk.org/view.php?id=19359#c135358 
---------------------------------------------------------------------- 
This would be related to the fix committed for issue
https://issues.asterisk.org/view.php?id=19311.

There was a patch for that issue uploaded limiting the clearing of the
datastore to when a bridge did not happen (no answer, timeout, busy)
although the channel locking was missing from it.

But the patch was not used; instead, the original change to app_dial.c
that was made when adding the clearing of the dialed interfaces store to
features.c was reverted, resulting in this double free that you are
seeing.

Your patch is checking if it was freed no matter what and is probably
safer.

I just wanted to comment here in order to get the relations set up for
historical purposes.

I think this double-free was committed into other versions such as 1.4,
1.6.2 as well. 
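The failure mode described in this issue (two cleanup paths, one in the bridge code and one in app_dial, each freeing the same "dialed interfaces" datastore) and the shape of the safer fix (free only what this path itself detached, under the channel lock) can be shown with a small self-contained C model. This is an added example, not code from Asterisk or from the patches discussed above; the structures, the `DIALED_INTERFACES_UID` string, the lock helpers and the `release_dialed_interfaces` function are all constructed for illustration and do not correspond to Asterisk's real datastore API.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of a channel that owns a linked list of datastores.
 * The `locked` flag stands in for the channel lock; the Asterisk API is not used. */
#define DIALED_INTERFACES_UID "dialed-interfaces" /* constructed uid */

struct datastore {
    const char *uid;
    struct datastore *next;
};

struct channel {
    int locked;                    /* stand-in for the channel lock */
    struct datastore *datastores;  /* list head; the channel owns these */
};

static int frees_seen; /* instrumentation: how many times datastore_free ran */

static void channel_lock(struct channel *chan)
{
    if (chan->locked)
        abort(); /* non-recursive lock taken twice: a programming error */
    chan->locked = 1;
}

static void channel_unlock(struct channel *chan)
{
    chan->locked = 0;
}

static void channel_init(struct channel *chan)
{
    chan->locked = 0;
    chan->datastores = NULL;
    frees_seen = 0;
}

/* Attach a new datastore; the channel owns it until a path detaches it. */
static struct datastore *datastore_attach(struct channel *chan, const char *uid)
{
    struct datastore *ds = calloc(1, sizeof(*ds));
    if (!ds)
        return NULL;
    ds->uid = uid;
    channel_lock(chan);
    ds->next = chan->datastores;
    chan->datastores = ds;
    channel_unlock(chan);
    return ds;
}

/* Unlink the store with this uid and hand ownership to the caller.
 * Returns NULL if it is not attached. The caller must hold the channel lock. */
static struct datastore *datastore_detach_locked(struct channel *chan, const char *uid)
{
    struct datastore **pp;
    if (!chan->locked)
        abort(); /* detaching without the lock is the race the comment above points at */
    for (pp = &chan->datastores; *pp; pp = &(*pp)->next) {
        if (strcmp((*pp)->uid, uid) == 0) {
            struct datastore *found = *pp;
            *pp = found->next;
            found->next = NULL;
            return found;
        }
    }
    return NULL;
}

static void datastore_free(struct datastore *ds)
{
    frees_seen++;
    free(ds);
}

/* Unsafe shape (described, deliberately not executed): a path that cached the
 * datastore pointer earlier and frees it unconditionally will free memory the
 * other path already released, i.e. the double free reported in this issue. */

/* Safe shape: detach under the lock and free only what this call detached.
 * Whichever path runs second finds nothing, frees nothing and returns 0. */
static int release_dialed_interfaces(struct channel *chan)
{
    struct datastore *ds;
    channel_lock(chan);
    ds = datastore_detach_locked(chan, DIALED_INTERFACES_UID);
    channel_unlock(chan);
    if (!ds)
        return 0; /* already removed by the other path */
    datastore_free(ds);
    return 1;
}

/* Bridge()-style cleanup runs first, Dial()-style cleanup second.
 * Returns the total number of frees performed; the safe shape gives exactly 1. */
static int scenario_bridge_then_dial(void)
{
    struct channel chan;
    int bridge_freed, dial_freed;
    channel_init(&chan);
    datastore_attach(&chan, DIALED_INTERFACES_UID);
    bridge_freed = release_dialed_interfaces(&chan); /* 1 */
    dial_freed = release_dialed_interfaces(&chan);   /* 0 */
    return bridge_freed + dial_freed;
}

/* No bridge stole the call, so only the Dial() path releases the store. */
static int scenario_dial_only(void)
{
    struct channel chan;
    channel_init(&chan);
    datastore_attach(&chan, DIALED_INTERFACES_UID);
    return release_dialed_interfaces(&chan); /* 1 */
}

static int frees_performed(void)
{
    return frees_seen;
}
```

The point of the safe shape is ownership: the list holds the only reference, and whichever path wins the detach under the lock becomes the sole owner and the only one allowed to free. A path that keeps a pointer from an earlier lookup has no way to know whether the other path has already freed it, which is exactly why checking "was it freed" unconditionally, as the reporter's patch does, is the safer choice.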

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2011-05-24 19:59 elguero        Note Added: 0135358                          
======================================================================