[Asterisk-code-review] Prevent potential crash on blond transfer. (asterisk[certified/13.1])

Matt Jordan asteriskteam at digium.com
Fri May 1 06:55:09 CDT 2015


Matt Jordan has submitted this change and it was merged.

Change subject: Prevent potential crash on blond transfer.
......................................................................


Prevent potential crash on blond transfer.

Scenario:
Alice calls Bob. Bob performs a blond transfer to Carol. Carol rejects
the incoming call (or some other immediate circumstance causes Carol not
to answer the call).

What occurs in this case is that when the bridge between Alice and Bob
breaks, Alice is told to masquerade into Bob's channel that had placed
the call to Carol. The actual masquerade goes down without a hitch.
However, a channel fixup callback that attempts to publish dial events
over Stasis has a crash. The reason for this crash is that the datastore
on Bob's channel that placed the outbound call to Carol only had a bare
pointer to Carol's channel. Since Carol rejected the incoming call,
Carol's channel has been hung up and freed, meaning accessing her
channel results in a crash.

The fix here is simple. The dial fixup code has been altered to hold
references to the involved channels and to drop those references when
freeing data.

ASTERISK-25025 #close
Reported by Chet Stevens

Change-Id: I54eedda207b8ec7a69263353b43abe5746aea197
---
M main/stasis_channels.c
1 file changed, 4 insertions(+), 3 deletions(-)

Approvals:
  Richard Mudgett: Looks good to me, but someone else must approve
  Matt Jordan: Looks good to me, approved; Verified



diff --git a/main/stasis_channels.c b/main/stasis_channels.c
index 6b3f765..ab29171 100644
--- a/main/stasis_channels.c
+++ b/main/stasis_channels.c
@@ -1279,6 +1279,7 @@
 		return;
 	}
 	ast_free(doomed->dialstring);
+	ast_channel_cleanup(doomed->peer);
 	ast_free(doomed);
 }
 
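Review bot: the new ast_channel_cleanup(doomed->peer) call makes this free routine the only visible place where a dial target's peer reference is released, so the peer field should be documented as an owned reference. Any path that disposes of a target with a bare ast_free() instead of this routine would now leak a channel reference. Ignoring the return value is fine here because doomed is freed on the next line, but a one-line comment stating that peer is ref-counted would keep the pairing with the ast_channel_ref(peer) added further down obvious.
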
@@ -1301,7 +1302,7 @@
 	while ((cur = AST_LIST_REMOVE_HEAD(&masq_data->dialed_peers, list))) {
 		dial_target_free(cur);
 	}
-	masq_data->caller = NULL;
+	masq_data->caller = ast_channel_cleanup(masq_data->caller);
 }
 
 static void dial_masquerade_datastore_remove_chan(struct dial_masquerade_datastore *masq_data, struct ast_channel *chan)
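
Review bot: masq_data->caller = ast_channel_cleanup(masq_data->caller) depends on the cleanup call evaluating to NULL to preserve the behaviour of the removed "masq_data->caller = NULL" line. That is compact but not evident from this line alone, so either add a short comment or split it into the cleanup call followed by an explicit NULL assignment. It is also worth confirming that this routine runs on every teardown path of the datastore, since it is the only visible place where the caller reference is dropped.
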
@@ -1509,7 +1510,7 @@
 			ast_datastore_free(datastore);
 			return NULL;
 		}
-		masq_data->caller = chan;
+		masq_data->caller = ast_channel_ref(chan);
 	}
 
 	datastore->data = masq_data;
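
Review bot: taking ast_channel_ref(chan) for masq_data->caller means the datastore now keeps chan alive. If this datastore ends up attached to chan itself, that is a self-reference, and the channel can only be destroyed once something other than the channel's own destructor releases it. Please state in a comment next to this assignment which teardown path drops the reference. The placement after the ast_datastore_free()/return NULL error path is right, since no reference has been taken yet when that path runs.
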
@@ -1557,7 +1558,7 @@
 			return -1;
 		}
 	}
-	target->peer = peer;
+	target->peer = ast_channel_ref(peer);
 
 	/* Put peer target into datastore */
 	ao2_lock(masq_data);
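
Review bot: target->peer = ast_channel_ref(peer) takes the reference before the target is put into the datastore under ao2_lock(masq_data), so any failure between this assignment and the list insertion has to release the target through the free routine that calls ast_channel_cleanup(), not a plain ast_free(), or the new reference leaks. The "return -1" above is safe because it precedes the ref. The assignment also assumes the caller still holds a valid reference to peer at this point; that precondition deserves a line in the function's documentation.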

-- 
To view, visit https://gerrit.asterisk.org/323

Gerrit-MessageType: merged
Gerrit-Change-Id: I54eedda207b8ec7a69263353b43abe5746aea197
Gerrit-PatchSet: 1
Gerrit-Project: asterisk
Gerrit-Branch: certified/13.1
Gerrit-Owner: Mark Michelson <mmichelson at digium.com>
Gerrit-Reviewer: Matt Jordan <mjordan at digium.com>
Gerrit-Reviewer: Richard Mudgett <rmudgett at digium.com>