[asterisk-bugs] [JIRA] (ASTERISK-27229) Crash due to duplicate free in ast_bridge_update_talker_src_video_mode

Richard Kenner (JIRA) noreply at issues.asterisk.org
Fri Sep 1 17:26:07 CDT 2017


     [ https://issues.asterisk.org/jira/browse/ASTERISK-27229?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Richard Kenner updated ASTERISK-27229:
--------------------------------------

    Description: 
I've had two Asterisk crashes today that seem to be caused by errors
where chan->tech_pvt is pointing to something that can't be deallocated
and I think I see a reference count bug in the above function.

It contains:

{noformat}
                if (data->chan_old_vsrc) {
                        ast_channel_unref(data->chan_old_vsrc);
                }
{noformat}

Shouldn't this also have:

{noformat}
                        data->chan_old_vsrc = NULL;
{noformat}

It seems to me that if it doesn't and the next condition also isn't
true, then the next time this same code is executed, it'll decrement
the reference count of the old channel again, which is wrong since it
hasn't been decremented.

  was:
I've had two Asterisk crashes today that seem to be caused by errors
where chan->tech_pvt is pointing to something that can't be deallocated
and I think I see a reference count bug in the above function.

It contains:

                if (data->chan_old_vsrc) {
                        ast_channel_unref(data->chan_old_vsrc);
                }

Shouldn't this also have:

                        data->chan_old_vsrc = NULL;

It seems to me that if it doesn't and the next condition also isn't
true, then the next time this same code is executed, it'll decrement
the reference count of the old channel again, which is wrong since it
hasn't been decremented.


> Crash due to duplicate free in ast_bridge_update_talker_src_video_mode
> ----------------------------------------------------------------------
>
>                 Key: ASTERISK-27229
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-27229
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Core/Bridging
>    Affects Versions: 14.6.0
>         Environment: CentOS 7
>            Reporter: Richard Kenner
>
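The following is an added example, not code from the Asterisk project or from the reporter. It models the refcount pattern described in the report with a small stand-alone ao2-style object: the buggy release path unrefs `chan_old_vsrc` without clearing it, so a second pass through the same code unrefs the already-released channel, while the fixed path sets the pointer to NULL so the second pass is a no-op. The `channel`, `talker_data`, `chan_ref`/`chan_unref` and `release_old_vsrc_*` names are constructed for this illustration and are not Asterisk identifiers; the "freed" object is kept in memory so the double unref can be observed instead of corrupting the heap.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a reference-counted channel object. The memory is
 * not released when the count hits zero; a flag records the release so a
 * later (invalid) unref can be detected rather than causing a double free. */
struct channel {
	int refcount;
	int released;	/* 1 once the last reference has been dropped */
	char name[32];
};

static struct channel *chan_new(const char *name)
{
	struct channel *c = calloc(1, sizeof(*c));
	if (!c) {
		return NULL;
	}
	c->refcount = 1;	/* the creator holds the first reference */
	strncpy(c->name, name, sizeof(c->name) - 1);
	return c;
}

static struct channel *chan_ref(struct channel *c)
{
	c->refcount++;
	return c;
}

/* Returns 1 for a valid unref, 0 when the object was already released
 * (the duplicate free the report describes). */
static int chan_unref(struct channel *c)
{
	if (c->released) {
		return 0;
	}
	if (--c->refcount == 0) {
		c->released = 1;
	}
	return 1;
}

/* Constructed analogue of the per-bridge data carrying the old video source. */
struct talker_data {
	struct channel *chan_old_vsrc;
};

/* Release as the report reads it: the reference is dropped but the pointer is
 * left dangling, so the next execution unrefs the same channel again. */
static int release_old_vsrc_buggy(struct talker_data *d)
{
	int ok = 1;
	if (d->chan_old_vsrc) {
		ok = chan_unref(d->chan_old_vsrc);
	}
	return ok;
}

/* Release with the NULL assignment the report suggests: the second execution
 * finds no old source and does nothing. */
static int release_old_vsrc_fixed(struct talker_data *d)
{
	int ok = 1;
	if (d->chan_old_vsrc) {
		ok = chan_unref(d->chan_old_vsrc);
		d->chan_old_vsrc = NULL;
	}
	return ok;
}

/* Executes the release path twice with nothing re-assigning chan_old_vsrc in
 * between, and returns how many of those unrefs hit an already-released object. */
static int count_invalid_unrefs(int (*release)(struct talker_data *))
{
	struct channel *old = chan_new("old-vsrc");	/* refcount 1, owned by data */
	struct talker_data d = { .chan_old_vsrc = old };
	int invalid = 0;

	invalid += !release(&d);	/* first pass: legitimately drops the reference */
	invalid += !release(&d);	/* second pass: only the fixed path is safe */

	free(old);
	return invalid;
}

int main(void)
{
	printf("buggy release: %d invalid unref(s)\n", count_invalid_unrefs(release_old_vsrc_buggy));
	printf("fixed release: %d invalid unref(s)\n", count_invalid_unrefs(release_old_vsrc_fixed));
	return 0;
}
```

In a real build with ao2 objects the second unref would free memory still referenced elsewhere, which is why the symptom shows up as a crash on a dangling `tech_pvt` rather than as a clean error; a debug refcount log (or ASan) on the affected build is the practical way to confirm the double decrement.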


