[svn-commits] rmudgett: branch 1.8 r361854 -	/branches/1.8/channels/chan_dahdi.c
       
    Tue Apr 10 16:43:58 CDT 2012
    
    
  
Author: rmudgett
Date: Tue Apr 10 16:43:53 2012
New Revision: 361854
URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=361854
Log:
Prevent invalid access of free'd memory if DAHDI channel is not created during an MWI event
In the MWI processing loop, when a valid event occurs the temporary caller ID
information is deallocated.  If a new DAHDI channel is successfully created,
the event is passed up to the analog_ss_thread without error and the loop
exits.  If, however, the DAHDI channel is not created, then the caller ID
struct has been free'd, and the gains reset to their previous level.  This
will almost certainly cause an invalid access to the free'd memory, either
in subsequent calls to callerid_free or calls to callerid_feed.
* Rework the -r361705 patch to better manage the cs and mtd allocated
resources.
* Fixed use of mwimonitoractive flag to be correct if the mwi_thread()
fails to start.
Modified:
    branches/1.8/channels/chan_dahdi.c
Modified: branches/1.8/channels/chan_dahdi.c
URL: http://svnview.digium.com/svn/asterisk/branches/1.8/channels/chan_dahdi.c?view=diff&rev=361854&r1=361853&r2=361854
==============================================================================
--- branches/1.8/channels/chan_dahdi.c (original)
+++ branches/1.8/channels/chan_dahdi.c Tue Apr 10 16:43:53 2012
@@ -11005,9 +11005,7 @@
 	int spill_result = -1;
 
 	if (!(cs = callerid_new(mtd->pvt->cid_signalling))) {
-		mtd->pvt->mwimonitoractive = 0;
-
-		return NULL;
+		goto quit_no_clean;
 	}
 
 	callerid_feed(cs, mtd->buf, mtd->len, AST_LAW(mtd->pvt));
@@ -11056,6 +11054,7 @@
 				break; /* What to do on channel alarm ???? -- fall thru intentionally?? */
 			default:
 				ast_log(LOG_NOTICE, "Got event %d (%s)...  Passing along to analog_ss_thread\n", res, event2str(res));
+				callerid_free(cs);
 
 				restore_gains(mtd->pvt);
 				mtd->pvt->ringt = mtd->pvt->ringt_base;
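Review bot: After the added `callerid_free(cs);` in the default case, `cs` is left dangling for the rest of the loop body, and nothing in the code records that. The change is safe only because a later hunk makes every path out of this case end in `goto quit_no_clean`, which skips the cleanup under the other exit label (not visible here, presumably the one that frees cs again). I would add `/* cs is freed here; the only valid exit from this case is quit_no_clean */` next to the call, so a later edit that adds a `break` or `goto quit` does not reintroduce the use-after-free or double free described in the log. Setting `cs = NULL;` after the free is a further option, but whether callerid_free() tolerates NULL is not visible on this page. The enclosing function starts and ends outside the hunk.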
@@ -11063,7 +11062,6 @@
 				if ((chan = dahdi_new(mtd->pvt, AST_STATE_RING, 0, SUB_REAL, 0, NULL))) {
 					int result;
 
-					callerid_free(cs);
 					if (analog_lib_handles(mtd->pvt->sig, mtd->pvt->radio, mtd->pvt->oprmode)) {
 						result = analog_ss_thread_start(mtd->pvt->sig_pvt, chan);
 					} else {
@@ -11075,15 +11073,11 @@
 						if (res < 0)
 							ast_log(LOG_WARNING, "Unable to play congestion tone on channel %d\n", mtd->pvt->channel);
 						ast_hangup(chan);
-						goto quit;
 					}
-					goto quit_no_clean;
-
 				} else {
-					/* Bump the gains back */
-					bump_gains(mtd->pvt);
 					ast_log(LOG_WARNING, "Could not create channel to handle call\n");
 				}
+				goto quit_no_clean;
 			}
 		} else if (i & DAHDI_IOMUX_READ) {
 			if ((res = read(mtd->pvt->subs[SUB_REAL].dfd, mtd->buf, sizeof(mtd->buf))) < 0) {
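Review bot: The `Could not create channel to handle call` warning is now the last trace before the MWI thread exits through the added `goto quit_no_clean`, and it does not say which DAHDI channel was affected. The sibling warning a few lines above already logs `mtd->pvt->channel`; doing the same here, `ast_log(LOG_WARNING, "Could not create channel to handle call on channel %d\n", mtd->pvt->channel);`, makes the dropped event attributable in the logs. A one-line comment on the shared `goto quit_no_clean`, saying that cs was already freed and the gains already restored in this case, would also explain why the normal cleanup label is skipped. The surrounding loop continues outside the hunk.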
@@ -11138,7 +11132,6 @@
 
 quit_no_clean:
 	mtd->pvt->mwimonitoractive = 0;
-
 	ast_free(mtd);
 
 	return NULL;
@@ -11800,11 +11793,12 @@
 									mtd->pvt = i;
 									memcpy(mtd->buf, buf, res);
 									mtd->len = res;
+									i->mwimonitoractive = 1;
 									if (ast_pthread_create_background(&threadid, &attr, mwi_thread, mtd)) {
 										ast_log(LOG_WARNING, "Unable to start mwi thread on channel %d\n", i->channel);
+										i->mwimonitoractive = 0;
 										ast_free(mtd);
 									}
-									i->mwimonitoractive = 1;
 								}
 							}
 						/* If configured to check for a DTMF CID spill that comes without alert (e.g no polarity reversal) */
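Review bot: The reason `i->mwimonitoractive = 1;` moved ahead of `ast_pthread_create_background()` is not stated in the code, so the ordering is easy to undo by accident. The quit_no_clean path shown earlier in this diff clears the flag, apparently from inside mwi_thread(), so with the old order a thread that finished quickly could have its 0 overwritten by the 1 stored afterwards. A comment such as `/* Set before starting the thread; mwi_thread() clears it on exit and may finish before we get back here. */` would pin that. The flag is written from both threads and no lock is visible in this hunk, so it is worth confirming that the pvt lock is held here or that a plain store is acceptable. The enclosing block starts outside the hunk.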
    
    