Author: mjordan Date: Wed Apr 8 07:00:35 2015 New Revision: 434293 URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=434293 Log: chan_iax2: Fix crash caused by unprotected access to iaxs[peer->callno]
This patch fixes an access to the peer callnumber that is unprotected by a corresponding mutex. The peer->callno value can be changed by multiple threads, and all data inside the iaxs array must be procted by a corresponding lock of iaxsl. The patch moves the unprotected access to a location where the mutex is safely obtained. Review: https://reviewboard.asterisk.org/r/4599/ ASTERISK-21211 #close Reported by: Jaco Kroon patches: asterisk-11.2.1-iax2_poke-segfault.diff submitted by Jaco Kroon (License 5671) ........ Merged revisions 434291 from http://svn.asterisk.org/svn/asterisk/branches/11 ........ Merged revisions 434292 from http://svn.asterisk.org/svn/asterisk/branches/13 Modified: trunk/ (props changed) trunk/channels/chan_iax2.c Propchange: trunk/ ------------------------------------------------------------------------------ Binary property 'branch-13-merged' - no diff available. Modified: trunk/channels/chan_iax2.c URL: http://svnview.digium.com/svn/asterisk/trunk/channels/chan_iax2.c?view=diff&rev=434293&r1=434292&r2=434293 ============================================================================== --- trunk/channels/chan_iax2.c (original) +++ trunk/channels/chan_iax2.c Wed Apr 8 07:00:35 2015 @@ -12325,14 +12325,10 @@ callno = peer->callno = find_callno(0, 0, &peer->addr, NEW_FORCE, peer->sockfd, 0); if (heldcall) ast_mutex_lock(&iaxsl[heldcall]); - if (peer->callno < 1) { + if (callno < 1) { ast_log(LOG_WARNING, "Unable to allocate call for poking peer '%s'\n", peer->name); return -1; } - - /* Speed up retransmission times for this qualify call */ - iaxs[peer->callno]->pingtime = peer->maxms / 4 + 1; - iaxs[peer->callno]->peerpoke = peer; if (peer->pokeexpire > -1) { if (!AST_SCHED_DEL(sched, peer->pokeexpire)) { @@ -12354,6 +12350,10 @@ /* And send the poke */ ast_mutex_lock(&iaxsl[callno]); if (iaxs[callno]) { + /* Speed up retransmission times for this qualify call */ + iaxs[callno]->pingtime = peer->maxms / 4 + 1; + iaxs[callno]->peerpoke = peer; + struct iax_ie_data ied = { .buf = { 0 }, .pos = 0, -- _____________________________________________________________________ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- svn-commits mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/svn-commits
