<p>George Joseph <strong>submitted</strong> this change.</p><p><a href="https://gerrit.asterisk.org/c/asterisk/+/15038">View Change</a></p><div style="white-space:pre-wrap">Approvals:
  Joshua Colp: Looks good to me, but someone else must approve
  Kevin Harwell: Looks good to me, but someone else must approve
  George Joseph: Looks good to me, approved; Approved for Submit

</div><pre style="font-family: monospace,monospace; white-space: pre-wrap;">sched: AST_SCHED_REPLACE_UNREF can lead to use after free of data<br><br>The data can be freed if the old object '_data' is the same object as<br>new 'data'. Because at first the object is unreferenced which can lead<br>to destroying it.<br><br>This could happened in res_pjsip_pubsub when the publication is updated<br>which could lead to segfault in function publish_expire.<br><br>Change-Id: I0164f57c387243510bdbd2f8dcf33377b6c202da<br>---<br>M include/asterisk/sched.h<br>1 file changed, 3 insertions(+), 2 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/include/asterisk/sched.h b/include/asterisk/sched.h</span><br><span>index 7ea6709..60a6605 100644</span><br><span>--- a/include/asterisk/sched.h</span><br><span>+++ b/include/asterisk/sched.h</span><br><span>@@ -136,11 +136,12 @@</span><br><span>           while (id > -1 && (_res = ast_sched_del(sched, id) && _count++ < 10)) { \</span><br><span>                      usleep(1); \</span><br><span>                 } \</span><br><span style="color: hsl(0, 100%, 40%);">-             if (!_res && _data)                                                     \</span><br><span style="color: hsl(120, 100%, 40%);">+             if (!_res && _data && _data != data)                                    \</span><br><span>                    unrefcall;      /* should ref _data! */         \</span><br><span>            if (_count == 10) \</span><br><span>                  ast_log(LOG_WARNING, "Unable to cancel schedule ID %d.  
This is probably a bug (%s: %s, line %d).\n", id, __FILE__, __PRETTY_FUNCTION__, __LINE__); \</span><br><span style="color: hsl(0, 100%, 40%);">-         refcall; \</span><br><span style="color: hsl(120, 100%, 40%);">+            if (_data != data) \</span><br><span style="color: hsl(120, 100%, 40%);">+                  refcall; \</span><br><span>           id = ast_sched_add_variable(sched, when, callback, data, variable); \</span><br><span>                if (id == -1)  \</span><br><span>                     addfailcall;    \</span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.asterisk.org/c/asterisk/+/15038">change 15038</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.asterisk.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.asterisk.org/c/asterisk/+/15038"/><meta itemprop="name" content="View Change"/></div></div>
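Review bot: The new `if (_data != data)` guard in front of `refcall` assumes the reference held by the old schedule entry carries over to the new one, but nothing in the hunk checks that the old entry was actually cancelled before skipping the ref. If the retry loop gives up (the case the "Unable to cancel schedule ID" warning is meant to report) and `_data` is the same object as `data`, the old entry stays scheduled and `ast_sched_add_variable` adds a second entry for the same object without a reference of its own. `_res` cannot be used to tell the two cases apart as written, because the while condition assigns it the result of the whole loop condition rather than the return value of `ast_sched_del` alone. Consider recording the `ast_sched_del` result separately and skipping `refcall` only when the old entry was removed and the pointers match. Two smaller points: `data` is a macro parameter that is now expanded in two more places, so write it as `(data)` in both comparisons, and the macro's doc comment should state that passing the currently scheduled object as `data` is supported and leaves the reference count unchanged.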

<div style="display:none"> Gerrit-Project: asterisk </div>
<div style="display:none"> Gerrit-Branch: 16 </div>
<div style="display:none"> Gerrit-Change-Id: I0164f57c387243510bdbd2f8dcf33377b6c202da </div>
<div style="display:none"> Gerrit-Change-Number: 15038 </div>
<div style="display:none"> Gerrit-PatchSet: 5 </div>
<div style="display:none"> Gerrit-Owner: Alexei Gradinari <alex2grad@gmail.com> </div>
<div style="display:none"> Gerrit-Reviewer: Friendly Automation </div>
<div style="display:none"> Gerrit-Reviewer: George Joseph <gjoseph@digium.com> </div>
<div style="display:none"> Gerrit-Reviewer: Joshua Colp <jcolp@sangoma.com> </div>
<div style="display:none"> Gerrit-Reviewer: Kevin Harwell <kharwell@digium.com> </div>
<div style="display:none"> Gerrit-Reviewer: Richard Mudgett <rmudgett@digium.com> </div>
<div style="display:none"> Gerrit-MessageType: merged </div>