[Asterisk-code-review] bridge_channel_write_frame: Check for NULL channel (asterisk[master])

Joshua Colp asteriskteam at digium.com
Mon Apr 5 07:52:43 CDT 2021 

Joshua Colp has submitted this change. ( https://gerrit.asterisk.org/c/asterisk/+/15743 )

Change subject: bridge_channel_write_frame: Check for NULL channel
......................................................................

bridge_channel_write_frame: Check for NULL channel

There is a possibility, when bridge_channel_write_frame() is
called, that the bridge_channel->chan will be NULL.  The first
thing bridge_channel_write_frame() does though is call
ast_channel_is_multistream() which had no check for a NULL
channel and therefore caused a segfault. Since it's still
possible for bridge_channel_write_frame() to write the frame to
the other channels in the bridge, we don't want to bail before we
call ast_channel_is_multistream() but we can just skip the
multi-channel stuff.  So...

bridge_channel_write_frame() only calls ast_channel_is_multistream()
if bridge_channel->chan is not NULL.

As a safety measure, ast_channel_is_multistream() now returns
false if the supplied channel is NULL.

ASTERISK-29379
Reported-by: Vyrva Igor
Reported-by: Ross Beer

Change-Id: Idfe62dbea8c69813ecfd58e113a6620dc42352ce
---
M main/bridge_channel.c
M main/channel_internal_api.c
2 files changed, 9 insertions(+), 5 deletions(-)

Approvals:
  Joshua Colp: Looks good to me, approved; Approved for Submit
  Kevin Harwell: Looks good to me, but someone else must approve
  Benjamin Keith Ford: Looks good to me, but someone else must approve



diff --git a/main/bridge_channel.c b/main/bridge_channel.c
index 3c5e87b..7e058af 100644
--- a/main/bridge_channel.c
+++ b/main/bridge_channel.c
@@ -657,8 +657,13 @@
 
 	ast_bridge_channel_lock_bridge(bridge_channel);
 
-	/* Map the frame to the bridge. */
-	if (ast_channel_is_multistream(bridge_channel->chan)) {
+	/*
+	 * Map the frame to the bridge.
+	 * We need to lock the bridge_channel to make sure that bridge_channel->chan
+	 * isn't NULL and keep it locked while we do multistream processing.
+	 */
+	ast_bridge_channel_lock(bridge_channel);
+	if (bridge_channel->chan && ast_channel_is_multistream(bridge_channel->chan)) {
 		unmapped_stream_num = frame->stream_num;
 		switch (frame->frametype) {
 		case AST_FRAME_VOICE:
@@ -672,12 +677,10 @@
 				frame->stream_num = -1;
 				break;
 			}
-			ast_bridge_channel_lock(bridge_channel);
 			if (frame->stream_num < (int)AST_VECTOR_SIZE(&bridge_channel->stream_map.to_bridge)) {
 				frame->stream_num = AST_VECTOR_GET(
 					&bridge_channel->stream_map.to_bridge, frame->stream_num);
 				if (0 <= frame->stream_num) {
-					ast_bridge_channel_unlock(bridge_channel);
 					break;
 				}
 			}
@@ -703,6 +706,7 @@
 		unmapped_stream_num = -1;
 		frame->stream_num = -1;
 	}
+	ast_bridge_channel_unlock(bridge_channel);
 
 	deferred = bridge_channel->bridge->technology->write(bridge_channel->bridge, bridge_channel, frame);
 	if (deferred) {
diff --git a/main/channel_internal_api.c b/main/channel_internal_api.c
index fb62da5..a84534a 100644
--- a/main/channel_internal_api.c
+++ b/main/channel_internal_api.c
@@ -1642,7 +1642,7 @@
 
 int ast_channel_is_multistream(struct ast_channel *chan)
 {
-	return (chan->tech && chan->tech->read_stream && chan->tech->write_stream);
+	return (chan && chan->tech && chan->tech->read_stream && chan->tech->write_stream);
 }
 
 struct ast_channel_snapshot *ast_channel_snapshot(const struct ast_channel *chan)

-- 
To view, visit https://gerrit.asterisk.org/c/asterisk/+/15743
To unsubscribe, or for help writing mail filters, visit https://gerrit.asterisk.org/settings

Gerrit-Project: asterisk
Gerrit-Branch: master
Gerrit-Change-Id: Idfe62dbea8c69813ecfd58e113a6620dc42352ce
Gerrit-Change-Number: 15743
Gerrit-PatchSet: 3
Gerrit-Owner: George Joseph <gjoseph at digium.com>
Gerrit-Reviewer: Benjamin Keith Ford <bford at digium.com>
Gerrit-Reviewer: Friendly Automation
Gerrit-Reviewer: Joshua Colp <jcolp at sangoma.com>
Gerrit-Reviewer: Kevin Harwell <kharwell at digium.com>
Gerrit-MessageType: merged
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-code-review/attachments/20210405/53008516/attachment.html>

More information about the asterisk-code-review mailing list