bridge.c: NULL app causes crash during attended transfer 98/398/1
authorKevin Harwell <kharwell@digium.com>
Thu, 16 Apr 2015 15:51:50 +0000 (10:51 -0500)
committerMatt Jordan <mjordan@digium.com>
Thu, 7 May 2015 19:53:57 +0000 (14:53 -0500)
Due to a race condition there was a chance that during an attended transfer the
channel's application would return NULL. This, of course, would cause a crash
when attempting to access the memory. This patch retrieves the channel's app
at an earlier time in processing in hopes that the app name is available.
However, if it is not then "unknown" is used instead. Since some string value
is now always present the crash can no longer occur.

ASTERISK-24869 #close
Reported by: viniciusfontes
Review:

Change-Id: I5134b84c4524906d8148817719d76ffb306488ac

main/bridge.c

index be4088a3dc355a337c73b1520c76d6c53f317440..00ea6024d9e66fb1ccce7a10b8b6eb8910ee4dba 100644 (file)
@@ -4486,6 +4486,12 @@ enum ast_transfer_result ast_bridge_transfer_attended(struct ast_channel *to_tra
        chan_bridged = to_transferee_bridge ? to_transferee : to_transfer_target;
        chan_unbridged = to_transferee_bridge ? to_transfer_target : to_transferee;
 
+       /*
+        * Race condition makes it possible for app to be NULL, so get the app prior to
+        * transferring with a fallback of "unknown".
+        */
+       app = ast_strdupa(ast_channel_appl(chan_unbridged) ?: "unknown");
+
        {
                int chan_count;
                SCOPED_LOCK(lock, the_bridge, ast_bridge_lock, ast_bridge_unlock);
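Review bot: The new `ast_channel_appl(chan_unbridged)` read at the top of this hunk is made with no channel lock visible here, so the race named in the comment is narrowed rather than closed. The `?:` form reads the pointer once, which handles NULL, but the string is then copied by `ast_strdupa` while another thread may presumably still be changing the channel's application. Wrapping the assignment in `ast_channel_lock(chan_unbridged);` and `ast_channel_unlock(chan_unbridged);` would make the snapshot consistent, and the comment could then say which lock protects the read. The fallback also covers only NULL, not an empty string; `S_OR(ast_channel_appl(chan_unbridged), "unknown")` would cover both if the later consumer of `app` cares. ast_bridge_transfer_attended starts and ends outside the hunk, so whether a lock is already held at this point should be confirmed against the full function.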
@@ -4527,7 +4533,6 @@ enum ast_transfer_result ast_bridge_transfer_attended(struct ast_channel *to_tra
                goto end;
        }
 
-       app = ast_strdupa(ast_channel_appl(chan_unbridged));
        if (bridge_channel_internal_queue_attended_transfer(transferee, chan_unbridged)) {
                res = AST_BRIDGE_TRANSFER_FAIL;
                goto end;