sched: AST_SCHED_REPLACE_UNREF can lead to use after free of data
authorAlexei Gradinari <alex2grad@gmail.com>
Fri, 2 Oct 2020 19:32:29 +0000 (15:32 -0400)
committerGeorge Joseph <gjoseph@digium.com>
Mon, 9 Nov 2020 14:59:34 +0000 (08:59 -0600)
The data can be freed if the old object '_data' is the same object as
new 'data'. Because at first the object is unreferenced which can lead
to destroying it.

This could happen in res_pjsip_pubsub when the publication is updated,
which could lead to a segfault in function publish_expire.

Change-Id: I0164f57c387243510bdbd2f8dcf33377b6c202da

include/asterisk/sched.h

index 7ea6709adb308abfa794abfb44b2cdb746ee278a..60a6605630e522402d77540c6bf9b81894582b20 100644 (file)
@@ -136,11 +136,12 @@ extern "C" {
                while (id > -1 && (_res = ast_sched_del(sched, id) && _count++ < 10)) { \
                        usleep(1); \
                } \
-               if (!_res && _data)                                                     \
+               if (!_res && _data && _data != data)                                    \
                        unrefcall;      /* should ref _data! */         \
                if (_count == 10) \
                        ast_log(LOG_WARNING, "Unable to cancel schedule ID %d.  This is probably a bug (%s: %s, line %d).\n", id, __FILE__, __PRETTY_FUNCTION__, __LINE__); \
-               refcall; \
+               if (_data != data) \
+                       refcall; \
                id = ast_sched_add_variable(sched, when, callback, data, variable); \
                if (id == -1)  \
                        addfailcall;    \
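Review bot: The new guard `if (_data != data)` skips `refcall` whenever the pointers match, without checking that the old entry was actually cancelled, whereas the `unrefcall` guard above it still consults `_res`. If `ast_sched_del` did not remove the entry (for example because the old callback fired between the lookup of `_data`, which is outside this hunk, and the delete), that callback presumably drops the reference the old entry held, and the re-added entry would then hold none, which is the same use-after-free class this commit fixes. Skipping the ref is only safe as a transfer from a successfully deleted entry, so the condition should say so, e.g. `if (_res || _data != data) refcall;`. Note that `_res` is assigned the whole expression `ast_sched_del(sched, id) && _count++ < 10`, so it reads 0 once the retries run out; a dedicated "deleted" flag would make both guards reliable. The macro argument `data` is also used unparenthesized in both comparisons, and `(data)` would be safer.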