chan_pjsip.c: Fix deadlock potential in fax redirection.

The chan_pjsip_cng_tone_detected() has the potential to deadlock if an
incoming fax happens during the Playback or similar application.

* Fixed the potential deadlock by not calling ast_async_goto() with the
channel lock held.

* Made always eat the fax detection frame whether there is a fax extension
or not.

ASTERISK-26216
Reported by: Richard Mudgett

Change-Id: I32aecbb4818af646dc5a619f0dc040e9b1f222e5

diff --git a/channels/chan_pjsip.c b/channels/chan_pjsip.c
index bbccb53a99bc9275046afaabca6f30f9aadad2cb..4d3f7b4efb2985fd07b4207ccad6b968dc60e469 100644 (file)
--- a/channels/chan_pjsip.c
+++ b/channels/chan_pjsip.c
@@ -628,16 +628,19 @@ static struct ast_frame *chan_pjsip_cng_tone_detected(struct ast_sip_session *se
 
        target_context = S_OR(ast_channel_macrocontext(session->channel), ast_channel_context(session->channel));
 
-       /* We need to unlock the channel here because ast_exists_extension has the
+       /*
+        * We need to unlock the channel here because ast_exists_extension has the
         * potential to start and stop an autoservice on the channel. Such action
         * is prone to deadlock if the channel is locked.
+        *
+        * ast_async_goto() has its own restriction on not holding the channel lock.
         */
        ast_channel_unlock(session->channel);
+       ast_frfree(f);
+       f = &ast_null_frame;
        exists = ast_exists_extension(session->channel, target_context, "fax", 1,
                S_COR(ast_channel_caller(session->channel)->id.number.valid,
                        ast_channel_caller(session->channel)->id.number.str, NULL));
-       ast_channel_lock(session->channel);
-
        if (exists) {
                ast_verb(2, "Redirecting '%s' to fax extension due to CNG detection\n",
                        ast_channel_name(session->channel));
@@ -646,12 +649,11 @@ static struct ast_frame *chan_pjsip_cng_tone_detected(struct ast_sip_session *se
                        ast_log(LOG_ERROR, "Failed to async goto '%s' into fax extension in '%s'\n",
                                ast_channel_name(session->channel), target_context);
                }
-               ast_frfree(f);
-               f = &ast_null_frame;
        } else {
                ast_log(LOG_NOTICE, "FAX CNG detected on '%s' but no fax extension in '%s'\n",
                        ast_channel_name(session->channel), target_context);
        }
+       ast_channel_lock(session->channel);
 
        return f;
 }