[asterisk-dev] Asterisk crashes due to non-atomic check on chan_iax.c:schedule_delivery

[Guillermo Winkler]

It may happen on hangup or if the user press a digit during the 
call(bridge is temporarily on NULL) that this condition may be true for 
the first check and false on the second one.

ast_bridged_channel(iaxs[fr->callno]->owner) &&
        (ast_bridged_channel(iaxs[fr->callno]->owner)->tech->properties

Bringing asterisk down.

thread 1:
(gdb) bt
0 0x00afe197 in schedule_delivery (fr=0xa7c2e798, updatehistory=Variable 
"updatehistory" is not available.
) at chan_iax2.c:2425
1 0x00b0d53d in socket_read (id=0x8b7b1c0, fd=260, events=1, 
cbdata=0x8b7bab8) at chan_iax2.c:7741
2 0x08055bef in ast_io_wait (ioc=0x8b79ca0, howlong=0) at io.c:284
3 0x00b04f0f in network_thread (ignore=0x0) at chan_iax2.c:8110

(gdb) print iaxs[fr->callno]->owner
$3 = (struct ast_channel *) 0x927c708
(gdb) print iaxs[fr->callno]->owner->_bridge
$4 = (struct ast_channel *) 0x0

thread 2:
(gdb) bt
0 0x0075fdf7 in pthread_mutex_lock () from /lib/tls/libpthread.so.0
1 0x08055fe1 in sched_context_destroy (con=0x8bb81a0) at lock.h:601
2 0x0806816e in ast_hangup (chan=0x927c708) at channel.c:1355


The following patch temporarily solves the problem.

owner = iaxs[fr->callno]->owner;
    if (owner) {
        bridge = ast_bridged_channel(owner);
    }
    /* if the user hasn't requested we force the use of the 
jitterbuffer, and we're bridged to
     * a channel that can accept jitter, then flush and suspend the jb, 
and send this frame straight through */
    if( (!ast_test_flag(iaxs[fr->callno], IAX_FORCEJITTERBUF)) && owner 
&& bridge && bridge->tech->properties & AST_CHAN_TP_WANTSJITTER)) {
   
Comments?

Regards,
Guille


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.