[Asterisk-code-review] Bridging: Use a ref to bridge_channel's channel to prevent crash. (asterisk[13])

Benjamin Keith Ford asteriskteam at digium.com
Mon Aug 31 11:20:35 CDT 2020


Benjamin Keith Ford has uploaded this change for review. ( https://gerrit.asterisk.org/c/asterisk/+/14885 )


Change subject: Bridging: Use a ref to bridge_channel's channel to prevent crash.
......................................................................

Bridging: Use a ref to bridge_channel's channel to prevent crash.

There's a race condition with bridging where a bridge can be torn down
causing the bridge_channel's ast_channel to become NULL when it's still
needed. This particular case happened with attended transfers, but the
crash occurred when trying to publish a stasis message. Now, the
bridge_channel is locked, a ref to the ast_channel is obtained, and that
ref is passed down the chain.

Change-Id: Ic48715c0c041615d17d286790ae3e8c61bb28814
---
M include/asterisk/bridge_channel.h
M main/bridge.c
M main/bridge_channel.c
3 files changed, 39 insertions(+), 3 deletions(-)



  git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/85/14885/1

diff --git a/include/asterisk/bridge_channel.h b/include/asterisk/bridge_channel.h
index a16695e..d23ea0f 100644
--- a/include/asterisk/bridge_channel.h
+++ b/include/asterisk/bridge_channel.h
@@ -177,6 +177,16 @@
 };
 
 /*!
+ * \brief Get a ref to the bridge_channel's ast_channel
+ *
+ * \param bridge_channel The bridge channel
+ *
+ * \retval ref'd ast_channel on success
+ * \retval NULL otherwise
+ */
+struct ast_channel *ast_bridge_channel_get_chan(struct ast_bridge_channel *bridge_channel);
+
+/*!
  * \brief Try locking the bridge_channel.
  *
  * \param bridge_channel What to try locking
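Review bot: The new doc block for `ast_bridge_channel_get_chan()` does not say who releases the reference it returns, so a caller that forgets to release it leaks a channel ref and keeps the channel alive. I would add `\note The caller must release the returned channel with ao2_ref(chan, -1) when done with it.` and state that `bridge_channel` must be non-NULL and is locked internally. `\retval` is meant for literal return values, so `\return Ref'd ast_channel, or NULL if the bridge_channel has no channel.` would read better in generated docs than `\retval ref'd ast_channel on success`.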
diff --git a/main/bridge.c b/main/bridge.c
index 23f682c..c9b0856 100644
--- a/main/bridge.c
+++ b/main/bridge.c
@@ -4679,14 +4679,22 @@
 
 	if (to_transferee_bridge_channel) {
 		/* Take off hold if they are on hold. */
-		ast_bridge_channel_write_unhold(to_transferee_bridge_channel);
+		if (ast_bridge_channel_write_unhold(to_transferee_bridge_channel)) {
+			ast_log(LOG_ERROR, "Transferee channel disappeared during transfer!\n");
+			res = AST_BRIDGE_TRANSFER_FAIL;
+			goto end;
+		}
 	}
 
 	if (to_target_bridge_channel) {
 		const char *target_complete_sound;
 
 		/* Take off hold if they are on hold. */
-		ast_bridge_channel_write_unhold(to_target_bridge_channel);
+		if (ast_bridge_channel_write_unhold(to_target_bridge_channel)) {
+			ast_log(LOG_ERROR, "Target channel disappeared during transfer!\n");
+			res = AST_BRIDGE_TRANSFER_FAIL;
+			goto end;
+		}
 
 		/* Is there a courtesy sound to play to the target? */
 		ast_channel_lock(to_transfer_target);
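Review bot: Both new `if (ast_bridge_channel_write_unhold(...))` checks treat any non-zero return as the channel having disappeared, but in the main/bridge_channel.c part of this change that function also returns the result of `ast_bridge_channel_write_control_data()`, which was ignored here before. A failed control write would now abort the transfer with a misleading log line; either distinguish the two cases or word the message neutrally, e.g. `ast_log(LOG_ERROR, "Unable to take transferee off hold during transfer\n");`. In the target branch the transferee has already been taken off hold by the time `goto end` runs. The `end` label and the rest of the enclosing function are outside the hunk, so it is worth confirming that this path leaves both parties in a consistent state.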
diff --git a/main/bridge_channel.c b/main/bridge_channel.c
index b6ee820..fc03413 100644
--- a/main/bridge_channel.c
+++ b/main/bridge_channel.c
@@ -209,6 +209,17 @@
 	ast_sem_post(&sync_struct->sem);
 }
 
+struct ast_channel *ast_bridge_channel_get_chan(struct ast_bridge_channel *bridge_channel)
+{
+	struct ast_channel *chan;
+
+	ao2_lock(bridge_channel);
+	chan = ao2_bump(bridge_channel->chan);
+	ao2_unlock(bridge_channel);
+
+	return chan;
+}
+
 void ast_bridge_channel_lock_bridge(struct ast_bridge_channel *bridge_channel)
 {
 	struct ast_bridge *bridge;
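Review bot: `ast_bridge_channel_get_chan()` closes the race only if every path that clears or replaces `bridge_channel->chan` does so while holding the same `ao2_lock(bridge_channel)`; that writer side is not visible in this diff and should be confirmed. Without it, the read and the `ao2_bump()` can still race with teardown. A short comment above the lock would record the invariant: `/* Hold the lock so chan cannot be cleared between the read and the ref bump. */`. The function also dereferences `bridge_channel` unconditionally, so the non-NULL requirement belongs in its documentation.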
@@ -1096,7 +1107,14 @@
 
 int ast_bridge_channel_write_unhold(struct ast_bridge_channel *bridge_channel)
 {
-	ast_channel_publish_cached_blob(bridge_channel->chan, ast_channel_unhold_type(), NULL);
+	struct ast_channel *chan = ast_bridge_channel_get_chan(bridge_channel);
+
+	if (!chan) {
+		return -1;
+	}
+
+	ast_channel_publish_cached_blob(chan, ast_channel_unhold_type(), NULL);
+	ao2_ref(chan, -1);
 
 	return ast_bridge_channel_write_control_data(bridge_channel, AST_CONTROL_UNHOLD, NULL, 0);
 }
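Review bot: The reference is dropped with a raw `ao2_ref(chan, -1);`, where `ast_channel_unref(chan);` is the channel-specific form and makes the intent clearer. The doc comment for `ast_bridge_channel_write_unhold()` should also gain the new failure case (returns -1 when the bridge_channel no longer has a channel); the header hunk in this change does not touch it. Any other function in this file that reads `bridge_channel->chan` without the lock would presumably have the same race. None is visible here, so that is something to check rather than a finding.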

-- 
To view, visit https://gerrit.asterisk.org/c/asterisk/+/14885

Gerrit-Project: asterisk
Gerrit-Branch: 13
Gerrit-Change-Id: Ic48715c0c041615d17d286790ae3e8c61bb28814
Gerrit-Change-Number: 14885
Gerrit-PatchSet: 1
Gerrit-Owner: Benjamin Keith Ford <bford at digium.com>
Gerrit-MessageType: newchange