From: Matthew Jordan
Date: Mon, 9 Apr 2012 20:54:55 +0000 (+0000)
Subject: Prevent invalid access of free'd memory if DAHDI channel during an MWI event
X-Git-Tag: 10.5.0-rc1~70
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3af9889927b44fdcbcb39e1fcc60fb56e4482ae0;p=thirdparty%2Fasterisk.git

Prevent invalid access of free'd memory if DAHDI channel during an MWI event

In the MWI processing loop, when a valid event occurs the temporary caller ID information is deallocated. If a new DAHDI channel is successfully created, the event is passed up to the analog_ss_thread without error and the loop exits. If, however, the DAHDI channel is not created, then the caller ID struct has been free'd, and the gains reset to their previous level. This will almost certainly cause an invalid access to the free'd memory, either in subsequent calls to callerid_free or calls to callerid_feed.

This patch makes it so that we only free the caller ID structure if a DAHDI channel is successfully created, and we bump the gains back up if we fail to make a DAHDI channel.
........

Merged revisions 361705 from http://svn.asterisk.org/svn/asterisk/branches/1.8

git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/10@361706 65c4cc65-6c06-0410-ace0-fbb531ad65f3

--- diff --git a/channels/chan_dahdi.c b/channels/chan_dahdi.c index ba4d28ccb6..b1cb14b7c8 100644 --- a/channels/chan_dahdi.c +++ b/channels/chan_dahdi.c 
@@ -11142,13 +11142,14 @@ static void *mwi_thread(void *data) break; /* What to do on channel alarm ???? -- fall thru intentionally?? */ default: ast_log(LOG_NOTICE, "Got event %d (%s)... Passing along to analog_ss_thread\n", res, event2str(res)); - callerid_free(cs); restore_gains(mtd->pvt); mtd->pvt->ringt = mtd->pvt->ringt_base; if ((chan = dahdi_new(mtd->pvt, AST_STATE_RING, 0, SUB_REAL, 0, NULL))) { int result; + + callerid_free(cs); if (analog_lib_handles(mtd->pvt->sig, mtd->pvt->radio, mtd->pvt->oprmode)) { result = analog_ss_thread_start(mtd->pvt->sig_pvt, chan); } else { @@ -11165,6 +11166,8 @@ static void *mwi_thread(void *data) goto quit_no_clean; } else { + /* Bump the gains back */ + bump_gains(mtd->pvt); ast_log(LOG_WARNING, "Could not create channel to handle call\n"); } }
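Review bot: In the first hunk (@@ -11142), `cs` keeps its old pointer value after the relocated `callerid_free(cs);` at the top of the `dahdi_new()` success branch. Please add `cs = NULL;` directly after the free. The only exit visible here is the `goto quit_no_clean` in the second hunk's context, and the lines shown do not establish that every path out of the success branch reaches it, so a stale `cs` could still be passed to `callerid_feed` or `callerid_free`, which is the failure the commit message describes. Nulling the pointer makes that state checkable rather than relying on control flow.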
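Review bot: In the second hunk (@@ -11165), the new `bump_gains(mtd->pvt);` in the failure branch compensates for the `restore_gains(mtd->pvt);` that still runs unconditionally before `dahdi_new()`, but the `mtd->pvt->ringt = mtd->pvt->ringt_base;` assignment made on the same path is not undone. If `dahdi_new()` does not depend on either, moving both into the success branch next to `callerid_free(cs);` would leave the failure path with nothing to roll back; otherwise, extend the `/* Bump the gains back */` comment to say that the loop keeps using `cs` after this point and why `ringt` may stay set.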