[asterisk-commits] mjordan: trunk r434293 - in /trunk: ./ channels/chan_iax2.c

SVN commits to the Asterisk project asterisk-commits at lists.digium.com
Wed Apr 8 07:00:38 CDT 2015 

Author: mjordan
Date: Wed Apr  8 07:00:35 2015
New Revision: 434293

URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=434293
Log:
chan_iax2: Fix crash caused by unprotected access to iaxs[peer->callno]

This patch fixes an access to the peer callnumber that is unprotected by a
corresponding mutex. The peer->callno value can be changed by multiple threads,
and all data inside the iaxs array must be procted by a corresponding lock
of iaxsl.

The patch moves the unprotected access to a location where the mutex is
safely obtained.

Review: https://reviewboard.asterisk.org/r/4599/

ASTERISK-21211 #close
Reported by: Jaco Kroon
patches:
  asterisk-11.2.1-iax2_poke-segfault.diff submitted by Jaco Kroon (License 5671)
........

Merged revisions 434291 from http://svn.asterisk.org/svn/asterisk/branches/11
........

Merged revisions 434292 from http://svn.asterisk.org/svn/asterisk/branches/13

Modified:
    trunk/   (props changed)
    trunk/channels/chan_iax2.c

Propchange: trunk/
------------------------------------------------------------------------------
Binary property 'branch-13-merged' - no diff available.

Modified: trunk/channels/chan_iax2.c
URL: http://svnview.digium.com/svn/asterisk/trunk/channels/chan_iax2.c?view=diff&rev=434293&r1=434292&r2=434293
==============================================================================
--- trunk/channels/chan_iax2.c (original)
+++ trunk/channels/chan_iax2.c Wed Apr  8 07:00:35 2015
@@ -12325,14 +12325,10 @@
 	callno = peer->callno = find_callno(0, 0, &peer->addr, NEW_FORCE, peer->sockfd, 0);
 	if (heldcall)
 		ast_mutex_lock(&iaxsl[heldcall]);
-	if (peer->callno < 1) {
+	if (callno < 1) {
 		ast_log(LOG_WARNING, "Unable to allocate call for poking peer '%s'\n", peer->name);
 		return -1;
 	}
-
-	/* Speed up retransmission times for this qualify call */
-	iaxs[peer->callno]->pingtime = peer->maxms / 4 + 1;
-	iaxs[peer->callno]->peerpoke = peer;
 
 	if (peer->pokeexpire > -1) {
 		if (!AST_SCHED_DEL(sched, peer->pokeexpire)) {
@@ -12354,6 +12350,10 @@
 	/* And send the poke */
 	ast_mutex_lock(&iaxsl[callno]);
 	if (iaxs[callno]) {
+		/* Speed up retransmission times for this qualify call */
+		iaxs[callno]->pingtime = peer->maxms / 4 + 1;
+		iaxs[callno]->peerpoke = peer;
+
 		struct iax_ie_data ied = {
 			.buf = { 0 },
 			.pos = 0,

More information about the asterisk-commits mailing list