Audit improper usage of scheduler exposed by 5c713fdf18f.

channels/chan_iax2.c:
* Initialize struct chan_iax2_pvt scheduler ids earlier because of
iax2_destroy_helper().

channels/chan_sip.c:
channels/sip/config_parser.c:
* Fix initialization of scheduler id struct members.  Some off nominal
paths had 0 as a scheduler id to be destroyed when it was never started.

chan_skinny.c:
* Fix some scheduler id comparisons that excluded the valid 0 id.

channel.c:
* Fix channel initialization of the video stream scheduler id.

pbx_dundi.c:
* Fix channel initialization of the packet retransmission scheduler id.

ASTERISK-25476

Change-Id: I07a3449f728f671d326a22fcbd071f150ba2e8c8

diff --git a/channels/chan_iax2.c b/channels/chan_iax2.c
index a492bddd354dd678d68acd7318d591001dbfb41c..3943d7246e3cf6ba79d7fdbcd61ea061f12549d8 100644 (file)
--- a/channels/chan_iax2.c
+++ b/channels/chan_iax2.c
@@ -2139,25 +2139,26 @@ static struct chan_iax2_pvt *new_iax(struct sockaddr_in *sin, const char *host)
                return NULL;
        }
 
-       if (ast_string_field_init(tmp, 32)) {
-               ao2_ref(tmp, -1);
-               tmp = NULL;
-               return NULL;
-       }
-               
-       tmp->prefs = prefs;
        tmp->pingid = -1;
        tmp->lagid = -1;
        tmp->autoid = -1;
        tmp->authid = -1;
        tmp->initid = -1;
        tmp->keyrotateid = -1;
+       tmp->jbid = -1;
+
+       if (ast_string_field_init(tmp, 32)) {
+               ao2_ref(tmp, -1);
+               tmp = NULL;
+               return NULL;
+       }
+
+       tmp->prefs = prefs;
 
        ast_string_field_set(tmp,exten, "s");
        ast_string_field_set(tmp,host, host);
 
        tmp->jb = jb_new();
-       tmp->jbid = -1;
        jbconf.max_jitterbuf = maxjitterbuffer;
        jbconf.resync_threshold = resyncthreshold;
        jbconf.max_contig_interp = maxjitterinterps;

diff --git a/channels/chan_sip.c b/channels/chan_sip.c
index c47baf7c4ef9695e3b368926a7b3c5f0934144b5..b652cb2e705f0238bf1fde4f8fcaf459b3c97b6b 100644 (file)
--- a/channels/chan_sip.c
+++ b/channels/chan_sip.c
@@ -1083,6 +1083,7 @@ static int publish_expire(const void *data)
        ast_assert(esc != NULL);
 
        ao2_unlink(esc->compositor, esc_entry);
+       esc_entry->sched_id = -1;
        ao2_ref(esc_entry, -1);
        return 0;
 }
@@ -1115,6 +1116,11 @@ static struct sip_esc_entry *create_esc_entry(struct event_state_compositor *esc
        /* Bump refcount for scheduler */
        ao2_ref(esc_entry, +1);
        esc_entry->sched_id = ast_sched_add(sched, expires_ms, publish_expire, esc_entry);
+       if (esc_entry->sched_id == -1) {
+               ao2_ref(esc_entry, -1);
+               ao2_ref(esc_entry, -1);
+               return NULL;
+       }
 
        /* Note: This links the esc_entry into the ESC properly */
        create_new_sip_etag(esc_entry, 0);

diff --git a/channels/chan_skinny.c b/channels/chan_skinny.c
index c64d8de505f3ea642e876fd60e6ff9e4008b9d23..d9b25779eaf3a5f0d0db34f007878dcec949f328 100644 (file)
--- a/channels/chan_skinny.c
+++ b/channels/chan_skinny.c
@@ -4374,7 +4374,7 @@ static int skinny_call(struct ast_channel *ast, const char *dest, int timeout)
 
        AST_LIST_TRAVERSE(ast_channel_varshead(ast), current, entries) {
                if (!(strcasecmp(ast_var_name(current),"SKINNY_AUTOANSWER"))) {
-                       if (d->hookstate == SKINNY_ONHOOK && !sub->aa_sched < 0) {
+                       if (d->hookstate == SKINNY_ONHOOK && sub->aa_sched < 0) {
                                char buf[24];
                                int aatime;
                                char *stringp = buf, *curstr;
@@ -4976,12 +4976,12 @@ static void setsubstate(struct skinny_subchannel *sub, int state)
                return;
        }
 
-       if (sub->dialer_sched) {
+       if (-1 < sub->dialer_sched) {
                skinny_sched_del(sub->dialer_sched, sub);
                sub->dialer_sched = -1;
        }
 
-       if (state != SUBSTATE_RINGIN && sub->aa_sched) {
+       if (state != SUBSTATE_RINGIN && -1 < sub->aa_sched) {
                skinny_sched_del(sub->aa_sched, sub);
                sub->aa_sched = -1;
                sub->aa_beep = 0;
@@ -5635,7 +5635,7 @@ static int handle_keypad_button_message(struct skinny_req *req, struct skinnyses
        }
 
        if ((sub->owner && ast_channel_state(sub->owner) <  AST_STATE_UP)) {
-               if (sub->dialer_sched &&        !skinny_sched_del(sub->dialer_sched, sub)) {
+               if (-1 < sub->dialer_sched && !skinny_sched_del(sub->dialer_sched, sub)) {
                        SKINNY_DEBUG(DEBUG_SUB, 3, "Sub %d - Got a digit and not timed out, so try dialing\n", sub->callid);
                        sub->dialer_sched = -1;
                        len = strlen(sub->exten);
@@ -6519,7 +6519,7 @@ static int handle_soft_key_event_message(struct skinny_req *req, struct skinnyse
        case SOFTKEY_BKSPC:
                SKINNY_DEBUG(DEBUG_PACKET, 3, "Received SOFTKEY_BKSPC from %s, inst %d, callref %d\n",
                        d->name, instance, callreference);
-               if (sub->dialer_sched && !skinny_sched_del(sub->dialer_sched, sub)) {
+               if (-1 < sub->dialer_sched && !skinny_sched_del(sub->dialer_sched, sub)) {
                        size_t len;
                        sub->dialer_sched = -1;
                        len = strlen(sub->exten);

diff --git a/channels/sip/config_parser.c b/channels/sip/config_parser.c
index fe34283afb1efefc7c0a3a3f5c2f52d679cb5c21..b2c91d13d2289aa54bbc4ab03284974c128e7b2a 100644 (file)
--- a/channels/sip/config_parser.c
+++ b/channels/sip/config_parser.c
@@ -79,13 +79,17 @@ int sip_parse_register_line(struct sip_registry *reg, int default_expiry, const
                AST_APP_ARG(port);
        );
 
-       if (!value) {
+       if (!reg) {
                return -1;
        }
 
-       if (!reg) {
+       reg->expire = -1;
+       reg->timeout = -1;
+
+       if (!value) {
                return -1;
        }
+
        ast_copy_string(buf, value, sizeof(buf));
 
        /*! register => [peer?][transport://]user[@domain][:secret[:authuser]]@host[:port][/extension][~expiry]
@@ -261,7 +265,6 @@ int sip_parse_register_line(struct sip_registry *reg, int default_expiry, const
        ast_string_field_set(reg, regdomain, ast_strip_quoted(S_OR(user2.domain, ""), "\"", "\""));
 
        reg->transport = transport;
-       reg->timeout = reg->expire = -1;
        reg->portno = portnum;
        reg->regdomainport = domainport;
        reg->callid_valid = FALSE;

diff --git a/main/channel.c b/main/channel.c
index b623fd53ade60cfae6eebc0bb6f28cc3daafaa58..09fbe5d82f7f33cc8c952334c948d877031d2c18 100644 (file)
--- a/main/channel.c
+++ b/main/channel.c
@@ -1049,6 +1049,7 @@ __ast_channel_alloc_ap(int needqueue, int state, const char *cid_num, const char
        ast_channel_state_set(tmp, state);
 
        ast_channel_streamid_set(tmp, -1);
+       ast_channel_vstreamid_set(tmp, -1);
 
        ast_channel_fin_set(tmp, global_fin);
        ast_channel_fout_set(tmp, global_fout);

diff --git a/pbx/pbx_dundi.c b/pbx/pbx_dundi.c
index ba1e8e5b8896f8bb534fdb8a4d1d51322e1b96db..83ffb8f3231dfda58eaeb5b442f4aa529380d51d 100644 (file)
--- a/pbx/pbx_dundi.c
+++ b/pbx/pbx_dundi.c
@@ -3256,6 +3256,7 @@ static int dundi_send(struct dundi_transaction *trans, int cmdresp, int flags, i
        pack = ast_calloc(1, len);
        if (pack) {
                pack->h = (struct dundi_hdr *)(pack->data);
+               pack->retransid = -1;
                if (cmdresp != DUNDI_COMMAND_ACK) {
                        pack->retransid = ast_sched_add(sched, trans->retranstimer, dundi_rexmit, pack);
                        pack->retrans = DUNDI_DEFAULT_RETRANS - 1;