Prevent a potential race condition and crash when hanging up a channel by removing...

This fix may potentially cause problems with CDR backends that access the channel a CDR is associated with via the channel list.  This fix makes the channel unavabile at the time when the CDR backend is invoked.  This has been documented in include/asterisk/cdr.h.

(closes issue #15316)
Reported by: vmarrone
Tested by: mnicholson

Review: https://reviewboard.asterisk.org/r/362/

git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.4@219136 65c4cc65-6c06-0410-ace0-fbb531ad65f3

diff --git a/include/asterisk/cdr.h b/include/asterisk/cdr.h
index 3d576b712b5e5c453e493aa7edb6de6acb4cb218..738292e98308b271bc026a2d0344bc4aad496435 100644 (file)
--- a/include/asterisk/cdr.h
+++ b/include/asterisk/cdr.h
@@ -112,6 +112,11 @@ int ast_cdr_serialize_variables(struct ast_cdr *cdr, char *buf, size_t size, cha
 void ast_cdr_free_vars(struct ast_cdr *cdr, int recur);
 int ast_cdr_copy_vars(struct ast_cdr *to_cdr, struct ast_cdr *from_cdr);
 
+/*!\brief CDR backend callback
+ * \warning CDR backends should NOT attempt to access the channel associated
+ * with a CDR record.  This channel is not guaranteed to exist when the CDR
+ * backend is invoked.
+ */
 typedef int (*ast_cdrbe)(struct ast_cdr *cdr);
 
 /*! \brief Allocate a CDR record 

diff --git a/include/asterisk/channel.h b/include/asterisk/channel.h
index 92c86fca5eca98baad9cb11797b8961f396ddbf5..2a835c96c9629831a37b999356781d608bc96721 100644 (file)
--- a/include/asterisk/channel.h
+++ b/include/asterisk/channel.h
@@ -515,6 +515,8 @@ enum {
         *  bridge terminates, this will allow the hangup in the pbx loop to be run instead.
         *  */
        AST_FLAG_BRIDGE_HANGUP_DONT = (1 << 17),
+       /*! This flag indicates whether the channel is in the channel list or not. */
+       AST_FLAG_IN_CHANNEL_LIST = (1 << 19),
 };
 
 /*! \brief ast_bridge_config flags */

diff --git a/main/channel.c b/main/channel.c
index db4fd62c8d6300abc35756d6f51ab26c6959d31b..a674e0a16b67291b7452442586f37022aacab1af 100644 (file)
--- a/main/channel.c
+++ b/main/channel.c
@@ -868,6 +868,8 @@ alertpipe_failed:
 
        tmp->tech = &null_tech;
 
+       ast_set_flag(tmp, AST_FLAG_IN_CHANNEL_LIST);
+
        AST_LIST_LOCK(&channels);
        AST_LIST_INSERT_HEAD(&channels, tmp, chan_list);
        AST_LIST_UNLOCK(&channels);
@@ -1247,17 +1249,22 @@ void ast_channel_free(struct ast_channel *chan)
        struct varshead *headp;
        struct ast_datastore *datastore = NULL;
        char name[AST_CHANNEL_NAME], *dashptr;
+       int inlist;
        
        headp=&chan->varshead;
        
-       AST_LIST_LOCK(&channels);
-       if (!AST_LIST_REMOVE(&channels, chan, chan_list)) {
-               ast_log(LOG_ERROR, "Unable to find channel in list to free. Assuming it has already been done.\n");
+       inlist = ast_test_flag(chan, AST_FLAG_IN_CHANNEL_LIST);
+       if (inlist) {
+               AST_LIST_LOCK(&channels);
+               if (!AST_LIST_REMOVE(&channels, chan, chan_list)) {
+                       if (option_debug)
+                               ast_log(LOG_DEBUG, "Unable to find channel in list to free. Assuming it has already been done.\n");
+               }
+               /* Lock and unlock the channel just to be sure nobody has it locked still
+                  due to a reference retrieved from the channel list. */
+               ast_channel_lock(chan);
+               ast_channel_unlock(chan);
        }
-       /* Lock and unlock the channel just to be sure nobody has it locked still
-          due to a reference retrieved from the channel list. */
-       ast_channel_lock(chan);
-       ast_channel_unlock(chan);
 
        /* Get rid of each of the data stores on the channel */
        while ((datastore = AST_LIST_REMOVE_HEAD(&chan->datastores, entry)))
@@ -1328,7 +1335,8 @@ void ast_channel_free(struct ast_channel *chan)
 
        ast_string_field_free_memory(chan);
        free(chan);
-       AST_LIST_UNLOCK(&channels);
+       if (inlist)
+               AST_LIST_UNLOCK(&channels);
 
        ast_device_state_changed_literal(name);
 }
@@ -1515,6 +1523,16 @@ int ast_hangup(struct ast_channel *chan)
                ast_channel_unlock(chan);
                return 0;
        }
+       ast_channel_unlock(chan);
+
+       AST_LIST_LOCK(&channels);
+       if (!AST_LIST_REMOVE(&channels, chan, chan_list)) {
+               ast_log(LOG_ERROR, "Unable to find channel in list to free. Assuming it has already been done.\n");
+       }
+       ast_clear_flag(chan, AST_FLAG_IN_CHANNEL_LIST);
+       AST_LIST_UNLOCK(&channels);
+
+       ast_channel_lock(chan);
        free_translation(chan);
        /* Close audio stream */
        if (chan->stream) {