[asterisk-dev] [svn-commits] mmichelson: branch 1.4 r120285 - /branches/1.4/apps/app_queue.c
Russell Bryant
russell at digium.com
Wed Jun 4 10:35:36 CDT 2008
SVN commits to the Digium repositories wrote:
> Modified: branches/1.4/apps/app_queue.c
> URL: http://svn.digium.com/view/asterisk/branches/1.4/apps/app_queue.c?view=diff&rev=120285&r1=120284&r2=120285
> ==============================================================================
> --- branches/1.4/apps/app_queue.c (original)
> +++ branches/1.4/apps/app_queue.c Wed Jun 4 09:11:12 2008
> @@ -4815,7 +4815,7 @@
> if (++which > state) {
> char *tmp;
> ast_mutex_unlock(&q->lock);
> - tmp = m->membername;
> + tmp = m->interface;
> ao2_ref(m, -1);
> return ast_strdup(tmp);
> }
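Review bot: `tmp` still points into `m` when `ao2_ref(m, -1)` runs, so the `ast_strdup(tmp)` on the following line reads `m->interface` after this function has given up its reference; if that was the last reference, the copy is made from released memory. Take the copy while the reference is still held: `tmp = ast_strdup(m->interface);` then `ao2_ref(m, -1);` then `return tmp;`. The removed line had the same ordering with `m->membername`, so the pattern predates this change, but this hunk is the place to correct it.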

There is a bug in this code. Even though m is not dereferenced after
the reference to m is released, tmp still points to data that is a part
of m, which may not be valid after the reference is released. The code
should be ...

    tmp = ast_strdup(m->interface);
    ao2_ref(m, -1);
    return tmp;

--
Russell Bryant
Senior Software Engineer
Open Source Team Lead
Digium, Inc.
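
The ordering problem described in the reply above, as an added example that is not part of the original message or of Asterisk's code: `struct member`, `member_unref` and `dup_str` are hypothetical stand-ins for the queue member, `ao2_ref(m, -1)` and `ast_strdup`, and the dropped reference is assumed to be the last one. The destructor scrubs the object instead of freeing it so that the stale read stays well-defined in this demo.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-in for a ref-counted queue member; not Asterisk's astobj2. */
struct member {
    int refs;
    char interface[32];
};

/* Drop a reference; on the last one the destructor scrubs the object.
 * Storage is kept (not free()d) here; with a real allocator this is a use-after-free. */
static void member_unref(struct member *m)
{
    if (--m->refs == 0)
        memset(m->interface, 0, sizeof(m->interface));
}

static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    return p ? memcpy(p, s, n) : NULL;
}

/* Order from the committed hunk: borrow a pointer, release, then copy. */
static char *name_release_then_copy(struct member *m)
{
    const char *tmp = m->interface;
    member_unref(m);
    return dup_str(tmp);
}

/* Order from the reply: copy while the reference is held, then release. */
static char *name_copy_then_release(struct member *m)
{
    char *tmp = dup_str(m->interface);
    member_unref(m);
    return tmp;
}

int main(void)
{
    /* Constructed sample members, each holding a single reference. */
    struct member a = { 1, "SIP/1001" }, b = { 1, "SIP/1001" };
    char *bad = name_release_then_copy(&a);
    char *good = name_copy_then_release(&b);
    printf("release-then-copy: \"%s\"\ncopy-then-release: \"%s\"\n", bad, good);
    free(bad); free(good);
    return 0;
}
```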