[Asterisk-code-review] stasis: Cancel the callback when joining the bridge fails (...asterisk[16.3])

Holger Hans Peter Freyther asteriskteam at digium.com
Wed Apr 10 01:11:56 CDT 2019


Holger Hans Peter Freyther has uploaded this change for review. ( https://gerrit.asterisk.org/c/asterisk/+/11254 )


Change subject: stasis: Cancel the callback when joining the bridge fails
......................................................................

stasis: Cancel the callback when joining the bridge fails

After a bridge has been deleted the stasis control will depart
the channel and might attempt to re-add it to the dial bridge.

The latter can fail and this can lead to a situation that the stasis
control is unlinked but the after_bridge_cb_failed cb is executed trying
to access a dangling control object.

Fix it by discarding the callback when the imparting into the dial
bridge can fail. This is avoiding a crash and understanding why it can't
be added to the dial bridge (is it still there?) is next.

ASTERISK-26718

bridge_impart_internal: Channel PJSIP/endpoint-00000004 has a PBX thread
and cannot be imparted into bridge

==18524== Invalid read of size 8
==18524==    at 0x17AC35F1: dial_bridge_after_cb_failed (control.c:1044)
==18524==    by 0x18D287: after_bridge_cb_failed (bridge_after.c:70)
==18524==    by 0x18D287: after_bridge_cb_run_discard (bridge_after.c:99)
==18524==    by 0x18D287: after_bridge_cb_destroy (bridge_after.c:117)
==18524==    by 0x1E6CCB: ast_datastore_free (datastore.c:74)
==18524==    by 0x1B3985: ast_channel_destructor (channel.c:2243)
==18524==    by 0x171CBF: __ao2_ref (astobj2.c:614)
==18524==    by 0x1BB9CDEC: hangup_data_destroy (chan_pjsip.c:2313)
==18524==    by 0x171CBF: __ao2_ref (astobj2.c:614)
==18524==    by 0x1BBA172F: hangup (chan_pjsip.c:2355)
==18524==    by 0x2B54B7: ast_taskprocessor_execute (taskprocessor.c:1185)
==18524==    by 0x2BC24F: execute_tasks (threadpool.c:1354)
==18524==    by 0x2B54B7: ast_taskprocessor_execute (taskprocessor.c:1185)
==18524==    by 0x2BCAB3: threadpool_execute (threadpool.c:367)
==18524==    by 0x2BCAB3: worker_active (threadpool.c:1137)
==18524==    by 0x2BCAB3: worker_start (threadpool.c:1056)
==18524==  Address 0xeb0ae08 is 120 bytes inside a block of size 352 free'd
==18524==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==18524==    by 0x171FFE: __ao2_ref (astobj2.c:631)
==18524==    by 0x17AB9468: control_unlink (res_stasis.c:765)
==18524==    by 0x17AB9468: stasis_app_exec (res_stasis.c:1607)
==18524==    by 0x184E4B75: app_exec (app_stasis.c:105)
==18524==    by 0x24E168: pbx_exec (pbx_app.c:492)
==18524==    by 0x2411D6: pbx_extension_helper.constprop.42 (pbx.c:2927)
==18524==    by 0x2435C1: ast_spawn_extension (pbx.c:4177)
==18524==    by 0x2435C1: __ast_pbx_run (pbx.c:4351)
==18524==    by 0x244C1A: pbx_thread (pbx.c:4673)
==18524==    by 0x2C4E7B: dummy_start (utils.c:1249)
==18524==    by 0x6EA64A3: start_thread (pthread_create.c:456)
==18524==    by 0x82DCD0E: clone (clone.S:97)

Change-Id: Ib4e8f70d7a21bd54afe3cb51cc6717ef7c355496
---
M res/stasis/control.c
1 file changed, 1 insertion(+), 0 deletions(-)



  git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/54/11254/1

diff --git a/res/stasis/control.c b/res/stasis/control.c
index 866b58e..ffac8d4 100644
--- a/res/stasis/control.c
+++ b/res/stasis/control.c
@@ -1065,6 +1065,7 @@
 	control->bridge = bridge;
 	ast_bridge_set_after_callback(chan, dial_bridge_after_cb, dial_bridge_after_cb_failed, control);
 	if (ast_bridge_impart(bridge, chan, NULL, NULL, AST_BRIDGE_IMPART_CHAN_DEPARTABLE)) {
+		ast_bridge_discard_after_callback(chan, AST_BRIDGE_AFTER_CB_REASON_IMPART_FAILED);
 		control->bridge = NULL;
 		ao2_ref(bridge, -1);
 		return -1;
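
Review bot: the added ast_bridge_discard_after_callback() call on the ast_bridge_impart() failure path has no comment saying why it must happen here, and it runs before `control->bridge = NULL;`. If the discard goes through the same after_bridge_cb_run_discard path shown in the valgrind trace, dial_bridge_after_cb_failed will execute synchronously at this point with control->bridge still set, so please confirm that callback neither depends on that field nor releases anything the following ao2_ref(bridge, -1) releases again. A one-line comment noting that the callback holds a bare control pointer (no reference is taken in the visible ast_bridge_set_after_callback() call) would explain the intent to later readers; taking an ao2 reference on control for the lifetime of the callback is worth considering as the more general fix.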

-- 
To view, visit https://gerrit.asterisk.org/c/asterisk/+/11254

Gerrit-Project: asterisk
Gerrit-Branch: 16.3
Gerrit-Change-Id: Ib4e8f70d7a21bd54afe3cb51cc6717ef7c355496
Gerrit-Change-Number: 11254
Gerrit-PatchSet: 1
Gerrit-Owner: Holger Hans Peter Freyther <automatic at freyther.de>
Gerrit-MessageType: newchange