<p>George Joseph <strong>submitted</strong> this change.</p><p><a href="https://gerrit.asterisk.org/c/asterisk/+/15038">View Change</a></p><div style="white-space:pre-wrap">Approvals:
Joshua Colp: Looks good to me, but someone else must approve
Kevin Harwell: Looks good to me, but someone else must approve
George Joseph: Looks good to me, approved; Approved for Submit
</div><pre style="font-family: monospace,monospace; white-space: pre-wrap;">sched: AST_SCHED_REPLACE_UNREF can lead to use after free of data<br><br>The data can be freed if the old object '_data' is the same object as<br>new 'data'. Because at first the object is unreferenced which can lead<br>to destroying it.<br><br>This could happen in res_pjsip_pubsub when the publication is updated<br>which could lead to segfault in function publish_expire.<br><br>Change-Id: I0164f57c387243510bdbd2f8dcf33377b6c202da<br>---<br>M include/asterisk/sched.h<br>1 file changed, 3 insertions(+), 2 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/include/asterisk/sched.h b/include/asterisk/sched.h</span><br><span>index 7ea6709..60a6605 100644</span><br><span>--- a/include/asterisk/sched.h</span><br><span>+++ b/include/asterisk/sched.h</span><br><span>@@ -136,11 +136,12 @@</span><br><span> while (id > -1 && (_res = ast_sched_del(sched, id) && _count++ < 10)) { \</span><br><span> usleep(1); \</span><br><span> } \</span><br><span style="color: hsl(0, 100%, 40%);">- if (!_res && _data) \</span><br><span style="color: hsl(120, 100%, 40%);">+ if (!_res && _data && _data != data) \</span><br><span> unrefcall; /* should ref _data! */ \</span><br><span> if (_count == 10) \</span><br><span> ast_log(LOG_WARNING, "Unable to cancel schedule ID %d. This is probably a bug (%s: %s, line %d).\n", id, __FILE__, __PRETTY_FUNCTION__, __LINE__); \</span><br><span style="color: hsl(0, 100%, 40%);">- refcall; \</span><br><span style="color: hsl(120, 100%, 40%);">+ if (_data != data) \</span><br><span style="color: hsl(120, 100%, 40%);">+ refcall; \</span><br><span> id = ast_sched_add_variable(sched, when, callback, data, variable); \</span><br><span> if (id == -1) \</span><br><span> addfailcall; \</span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.asterisk.org/c/asterisk/+/15038">change 15038</a>. 
</p>
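Review bot: The new `if (_data != data)` guard in front of `refcall` does not test `_res`, unlike the guard on `unrefcall` a few lines above it, so the two conditions are not symmetric. When `ast_sched_del` fails (`_res` non-zero) and `_data == data`, neither `unrefcall` nor `refcall` runs, yet `ast_sched_add_variable` still schedules a new entry for `data`. In that case the old entry was not cancelled, so its reference has not been handed over, and the new entry ends up with no reference of its own; if the old callback later releases its reference, the object can be destroyed while the new entry is still pending. Skipping `refcall` is only safe when the old entry was actually deleted, so consider `if (_res || _data != data) refcall;` instead. A short comment in the macro saying that the existing reference is carried over to the new entry in the same-object case would also help, since the remaining `/* should ref _data! */` comment does not explain it.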
<div style="display:none"> Gerrit-Project: asterisk </div>
<div style="display:none"> Gerrit-Branch: 16 </div>
<div style="display:none"> Gerrit-Change-Id: I0164f57c387243510bdbd2f8dcf33377b6c202da </div>
<div style="display:none"> Gerrit-Change-Number: 15038 </div>
<div style="display:none"> Gerrit-PatchSet: 5 </div>
<div style="display:none"> Gerrit-Owner: Alexei Gradinari <alex2grad@gmail.com> </div>
<div style="display:none"> Gerrit-Reviewer: Friendly Automation </div>
<div style="display:none"> Gerrit-Reviewer: George Joseph <gjoseph@digium.com> </div>
<div style="display:none"> Gerrit-Reviewer: Joshua Colp <jcolp@sangoma.com> </div>
<div style="display:none"> Gerrit-Reviewer: Kevin Harwell <kharwell@digium.com> </div>
<div style="display:none"> Gerrit-Reviewer: Richard Mudgett <rmudgett@digium.com> </div>
<div style="display:none"> Gerrit-MessageType: merged </div>