From: David Vossel <dvossel@digium.com>
Date: Fri, 18 Sep 2009 23:22:11 +0000 (+0000)
Subject: Merged revisions 219520 via svnmerge from
X-Git-Tag: 1.6.1.7-rc2~42
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=16c81690bae2f15476e358cb2cbd76ab8b78cde0;p=thirdparty%2Fasterisk.git

Merged revisions 219520 via svnmerge from
https://origsvn.digium.com/svn/asterisk/trunk

................
  r219520 | dvossel | 2009-09-18 18:20:58 -0500 (Fri, 18 Sep 2009) | 15 lines

  Merged revisions 219519 via svnmerge from
  https://origsvn.digium.com/svn/asterisk/branches/1.4

  ........
    r219519 | dvossel | 2009-09-18 18:19:50 -0500 (Fri, 18 Sep 2009) | 9 lines

    iax2 frame double free

    The iax frame's retrans sched id was written over right
    before iax2_frame_free was called.  In iax2_frame_free that
    retrans id is used to delete the sched item.  By writing over
    the retrans field before the sched item could be deleted, it was
    possible for a retransmit to occur on a freed frame.
  ........
................


git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.6.1@219522 65c4cc65-6c06-0410-ace0-fbb531ad65f3
---

diff --git a/channels/chan_iax2.c b/channels/chan_iax2.c
index 35665e27b2..4d9dd9ba9c 100644
--- a/channels/chan_iax2.c
+++ b/channels/chan_iax2.c
@@ -1545,6 +1545,7 @@ static void iax2_destroy_helper(struct chan_iax2_pvt *pvt)
 static void iax2_frame_free(struct iax_frame *fr)
 {
 	AST_SCHED_DEL(sched, fr->retrans);
+	fr->retrans = -1;
 	iax_frame_free(fr);
 }
 
@@ -3218,7 +3219,6 @@ static void __attempt_transmit(const void *data)
 		AST_LIST_LOCK(&frame_queue);
 		AST_LIST_REMOVE(&frame_queue, f, list);
 		AST_LIST_UNLOCK(&frame_queue);
-		f->retrans = -1;
 		/* Free the IAX frame */
 		iax2_frame_free(f);
 	}