[Asterisk-code-review] pjproject bundled: Add patch for double free issue in timer... (asterisk[master])
Joshua C. Colp
asteriskteam at digium.com
Tue Jan 22 11:37:23 CST 2019
Joshua C. Colp has submitted this change and it was merged. ( https://gerrit.asterisk.org/10905 )
Change subject: pjproject_bundled: Add patch for double free issue in timer heap
......................................................................
pjproject_bundled: Add patch for double free issue in timer heap
Fixed #2172: Avoid double reference counter decrements in
timer in the scenario of race condition between
pj_timer_heap_cancel() and pj_timer_heap_poll().
Change-Id: If000e9438c83ac5084b678eb811e902c035bd2d8
---
A third-party/pjproject/patches/0020-Fixed-2172-Avoid-double-reference-counter-decrements.patch
1 file changed, 42 insertions(+), 0 deletions(-)
Approvals:
Joshua C. Colp: Looks good to me, but someone else must approve; Approved for Submit
Sean Bright: Looks good to me, approved
diff --git a/third-party/pjproject/patches/0020-Fixed-2172-Avoid-double-reference-counter-decrements.patch b/third-party/pjproject/patches/0020-Fixed-2172-Avoid-double-reference-counter-decrements.patch
new file mode 100644
index 0000000..e394506
--- /dev/null
+++ b/third-party/pjproject/patches/0020-Fixed-2172-Avoid-double-reference-counter-decrements.patch
@@ -0,0 +1,42 @@
+From 1fed39fe1488abd654a5488b5e6ad59b4b973331 Mon Sep 17 00:00:00 2001
+From: nanang <nanang at localhost>
+Date: Tue, 8 Jan 2019 09:07:47 +0000
+Subject: [PATCH 1/5] Fixed #2172: Avoid double reference counter decrements in
+ timer in the scenario of race condition between pj_timer_heap_cancel() and
+ pj_timer_heap_poll().
+
+---
+ pjlib/src/pj/timer.c | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+diff --git a/pjlib/src/pj/timer.c b/pjlib/src/pj/timer.c
+index 90a95e37b..7bae084ef 100644
+--- a/pjlib/src/pj/timer.c
++++ b/pjlib/src/pj/timer.c
+@@ -580,13 +580,16 @@ static int cancel_timer(pj_timer_heap_t *ht,
+
+ lock_timer_heap(ht);
+ count = cancel(ht, entry, flags | F_DONT_CALL);
+- if (flags & F_SET_ID) {
+- entry->id = id_val;
+- }
+- if (entry->_grp_lock) {
+- pj_grp_lock_t *grp_lock = entry->_grp_lock;
+- entry->_grp_lock = NULL;
+- pj_grp_lock_dec_ref(grp_lock);
++ if (count > 0) {
++ /* Timer entry found & cancelled */
++ if (flags & F_SET_ID) {
++ entry->id = id_val;
++ }
++ if (entry->_grp_lock) {
++ pj_grp_lock_t *grp_lock = entry->_grp_lock;
++ entry->_grp_lock = NULL;
++ pj_grp_lock_dec_ref(grp_lock);
++ }
+ }
+ unlock_timer_heap(ht);
+
+--
+2.20.1
+
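Review bot: In cancel_timer(), the new `if (count > 0)` guard wraps the `if (flags & F_SET_ID) { entry->id = id_val; }` assignment as well as the `pj_grp_lock_dec_ref(grp_lock)` call, but the subject line only describes the reference counter fix. With this change a cancel that finds no entry leaves `entry->id` untouched. Please confirm that callers passing F_SET_ID do not rely on the id being written when nothing was cancelled, and state that behaviour change in the commit message. The comment `/* Timer entry found & cancelled */` would also help future readers more if it said why the `count == 0` path must leave `_grp_lock` alone, which going by the subject line is the race with pj_timer_heap_poll() that produces the second decrement.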
--
To view, visit https://gerrit.asterisk.org/10905
Gerrit-Project: asterisk
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: If000e9438c83ac5084b678eb811e902c035bd2d8
Gerrit-Change-Number: 10905
Gerrit-PatchSet: 1
Gerrit-Owner: George Joseph <gjoseph at digium.com>
Gerrit-Reviewer: Friendly Automation (1000185)
Gerrit-Reviewer: Joshua C. Colp <jcolp at digium.com>
Gerrit-Reviewer: Sean Bright <sean.bright at gmail.com>