[svn-commits] rmudgett: branch 10 r361855 - in /branches/10: ./ channels/chan_dahdi.c

SVN commits to the Digium repositories svn-commits at lists.digium.com
Tue Apr 10 16:47:46 CDT 2012


Author: rmudgett
Date: Tue Apr 10 16:47:42 2012
New Revision: 361855

URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=361855
Log:
Prevent invalid access of free'd memory if DAHDI channel during an MWI event

In the MWI processing loop, when a valid event occurs the temporary caller ID
information is deallocated.  If a new DAHDI channel is successfully created,
the event is passed up to the analog_ss_thread without error and the loop
exits.  If, however, the DAHDI channel is not created, then the caller ID
struct has been free'd, and the gains reset to their previous level.  This
will almost certainly cause an invalid access to the free'd memory, either
in subsequent calls to callerid_free or calls to callerid_feed.

* Rework the -r361705 patch to better manage the cs and mtd allocated
resources.

* Fixed use of mwimonitoractive flag to be correct if the mwi_thread()
fails to start.
........

Merged revisions 361854 from http://svn.asterisk.org/svn/asterisk/branches/1.8

Modified:
    branches/10/   (props changed)
    branches/10/channels/chan_dahdi.c

Propchange: branches/10/
------------------------------------------------------------------------------
Binary property 'branch-1.8-merged' - no diff available.

Modified: branches/10/channels/chan_dahdi.c
URL: http://svnview.digium.com/svn/asterisk/branches/10/channels/chan_dahdi.c?view=diff&rev=361855&r1=361854&r2=361855
==============================================================================
--- branches/10/channels/chan_dahdi.c (original)
+++ branches/10/channels/chan_dahdi.c Tue Apr 10 16:47:42 2012
@@ -11091,9 +11091,7 @@
 	struct ast_format tmpfmt;
 
 	if (!(cs = callerid_new(mtd->pvt->cid_signalling))) {
-		mtd->pvt->mwimonitoractive = 0;
-
-		return NULL;
+		goto quit_no_clean;
 	}
 
 	callerid_feed(cs, mtd->buf, mtd->len, ast_format_set(&tmpfmt, AST_LAW(mtd->pvt), 0));
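Review bot: The callerid_new() failure path at the top of this hunk is still silent, so an allocation failure ends MWI monitoring for the channel with nothing in the log; add an ast_log(LOG_WARNING, ...) before the goto. The switch from the bare return NULL to goto quit_no_clean also means mtd is now released through ast_free(mtd) on this path, which the old code did not do, and the commit log should mention that leak fix. The label name quit_no_clean is misleading given that it frees mtd; a one-line comment at the label saying it skips only the cs cleanup would help.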
@@ -11142,6 +11140,7 @@
 				break; /* What to do on channel alarm ???? -- fall thru intentionally?? */
 			default:
 				ast_log(LOG_NOTICE, "Got event %d (%s)...  Passing along to analog_ss_thread\n", res, event2str(res));
+				callerid_free(cs);
 
 				restore_gains(mtd->pvt);
 				mtd->pvt->ringt = mtd->pvt->ringt_base;
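Review bot: After the added callerid_free(cs) in the default case, cs is left dangling for the rest of the branch and nothing here clears it. Set cs = NULL immediately after the free, or add a comment stating that every exit from this case must use quit_no_clean, so that a later edit which reintroduces a different exit path does not bring back the access to freed memory described in the log.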
@@ -11149,7 +11148,6 @@
 				if ((chan = dahdi_new(mtd->pvt, AST_STATE_RING, 0, SUB_REAL, 0, NULL))) {
 					int result;
 
-					callerid_free(cs);
 					if (analog_lib_handles(mtd->pvt->sig, mtd->pvt->radio, mtd->pvt->oprmode)) {
 						result = analog_ss_thread_start(mtd->pvt->sig_pvt, chan);
 					} else {
@@ -11161,15 +11159,11 @@
 						if (res < 0)
 							ast_log(LOG_WARNING, "Unable to play congestion tone on channel %d\n", mtd->pvt->channel);
 						ast_hangup(chan);
-						goto quit;
 					}
-					goto quit_no_clean;
-
 				} else {
-					/* Bump the gains back */
-					bump_gains(mtd->pvt);
 					ast_log(LOG_WARNING, "Could not create channel to handle call\n");
 				}
+				goto quit_no_clean;
 			}
 		} else if (i & DAHDI_IOMUX_READ) {
 			if ((res = read(mtd->pvt->subs[SUB_REAL].dfd, mtd->buf, sizeof(mtd->buf))) < 0) {
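Review bot: The unconditional goto quit_no_clean added at the end of the default case needs a comment explaining why it is not goto quit: cs was already freed earlier in this case, so the exit must skip the cs cleanup. The same hunk drops bump_gains() from the dahdi_new() failure branch, so the thread now exits with the gains restored instead of continuing to monitor; the remaining warning "Could not create channel to handle call" does not tell the operator that MWI monitoring for this event has been abandoned, and the message could say so.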
@@ -11224,7 +11218,6 @@
 
 quit_no_clean:
 	mtd->pvt->mwimonitoractive = 0;
-
 	ast_free(mtd);
 
 	return NULL;
@@ -11887,11 +11880,12 @@
 									mtd->pvt = i;
 									memcpy(mtd->buf, buf, res);
 									mtd->len = res;
+									i->mwimonitoractive = 1;
 									if (ast_pthread_create_background(&threadid, &attr, mwi_thread, mtd)) {
 										ast_log(LOG_WARNING, "Unable to start mwi thread on channel %d\n", i->channel);
+										i->mwimonitoractive = 0;
 										ast_free(mtd);
 									}
-									i->mwimonitoractive = 1;
 								}
 							}
 						/* If configured to check for a DTMF CID spill that comes without alert (e.g no polarity reversal) */
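Review bot: The assignment i->mwimonitoractive = 1 placed before ast_pthread_create_background() deserves a comment saying the order is required. With the old order, mwi_thread could run to quit_no_clean and clear the flag before the parent set it to 1, leaving the flag stuck; the log only mentions the case where the thread fails to start. The flag is written here and in mwi_thread with no locking visible in these lines, so the comment should also state what protects it or why none is needed.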



