From: David Vossel Date: Fri, 18 Sep 2009 23:19:50 +0000 (+0000) Subject: iax2 frame double free X-Git-Tag: 1.4.27-rc2~27 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0a3504f74bbee7d368e6ab3ad9eb3a7c88ae7ccb;p=thirdparty%2Fasterisk.git iax2 frame double free The iax frame's retrans sched id was written over right before iax2_frame_free was called. In iax2_frame_free that retrans id is used to delete the sched item. By writing over the retrans field before the sched item could be deleted, it was possible for a retransmit to occur on a freed frame. git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.4@219519 65c4cc65-6c06-0410-ace0-fbb531ad65f3 --- diff --git a/channels/chan_iax2.c b/channels/chan_iax2.c index e834c06c9b..caf39cb1b5 100644 --- a/channels/chan_iax2.c +++ b/channels/chan_iax2.c @@ -3064,7 +3064,6 @@ static void __attempt_transmit(const void *data) AST_LIST_REMOVE(&iaxq.queue, f, list); iaxq.count--; AST_LIST_UNLOCK(&iaxq.queue); - f->retrans = -1; /* Free the IAX frame */ iax2_frame_free(f); }
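Review bot: At the `iax2_frame_free(f);` call that closes this hunk, nothing remains to tell a later reader that `f->retrans` must stay intact until the free, so the removed `f->retrans = -1;` is easy to reintroduce. The commit message says iax2_frame_free uses the retrans id to delete the sched item; extending the existing `/* Free the IAX frame */` comment to state that dependency would protect the fix. Two things are worth confirming before merge: that no other call site resets `retrans` ahead of `iax2_frame_free`, and that `f->retrans` in `__attempt_transmit` can only hold a still-valid sched id or -1 at this point, since the free path will now act on whatever value is left in the field.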