From: Terry Wilson Date: Tue, 22 May 2012 16:17:46 +0000 (+0000) Subject: Resolve crash in subscribing for MWI notifications X-Git-Tag: 10.6.0-rc1~31 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=72569b9159412bb6e97dd8e5f22a6f47fa0bf0ef;p=thirdparty%2Fasterisk.git Resolve crash in subscribing for MWI notifications ASTOBJ_UNREF sets the variable to NULL after unreffing it, so the variable should definitely not be used after that. To solve this in the two cases that affect subscribing for MWI notifications, we instead save the ref locally, and unref them in the error conditions. (closes issue ASTERISK-19827) Reported by: B. R Review: https://reviewboard.asterisk.org/r/1940/ ........ Merged revisions 367266 from http://svn.asterisk.org/svn/asterisk/branches/1.8 git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/10@367267 65c4cc65-6c06-0410-ace0-fbb531ad65f3 --- diff --git a/channels/chan_sip.c b/channels/chan_sip.c index 0ad82d8559..3ca7faca16 100644 --- a/channels/chan_sip.c +++ b/channels/chan_sip.c @@ -12791,13 +12791,14 @@ static int __sip_subscribe_mwi_do(struct sip_subscription_mwi *mwi) /* If we have no DNS manager let's do a lookup */ if (!mwi->dnsmgr) { char transport[MAXHOSTNAMELEN]; + struct sip_subscription_mwi *saved; snprintf(transport, sizeof(transport), "_%s._%s", get_srv_service(mwi->transport), get_srv_protocol(mwi->transport)); mwi->us.ss.ss_family = get_address_family_filter(&bindaddr); /* Filter address family */ - ASTOBJ_REF(mwi); /* Add a ref for storing the mwi on the dnsmgr for updates */ - ast_dnsmgr_lookup_cb(mwi->hostname, &mwi->us, &mwi->dnsmgr, sip_cfg.srvlookup ? transport : NULL, on_dns_update_mwi, mwi); + saved = ASTOBJ_REF(mwi); + ast_dnsmgr_lookup_cb(mwi->hostname, &mwi->us, &mwi->dnsmgr, sip_cfg.srvlookup ? transport : NULL, on_dns_update_mwi, saved); if (!mwi->dnsmgr) { - ASTOBJ_UNREF(mwi, sip_subscribe_mwi_destroy); /* dnsmgr disabled, remove reference */ + ASTOBJ_UNREF(saved, sip_subscribe_mwi_destroy); /* dnsmgr disabled, remove reference */ } } @@ -30609,10 +30610,12 @@ static void sip_send_all_registers(void) static void sip_send_all_mwi_subscriptions(void) { ASTOBJ_CONTAINER_TRAVERSE(&submwil, 1, do { + struct sip_subscription_mwi *saved; ASTOBJ_WRLOCK(iterator); AST_SCHED_DEL(sched, iterator->resub); - if ((iterator->resub = ast_sched_add(sched, 1, sip_subscribe_mwi_do, ASTOBJ_REF(iterator))) < 0) { - ASTOBJ_UNREF(iterator, sip_subscribe_mwi_destroy); + saved = ASTOBJ_REF(iterator); + if ((iterator->resub = ast_sched_add(sched, 1, sip_subscribe_mwi_do, saved)) < 0) { + ASTOBJ_UNREF(saved, sip_subscribe_mwi_destroy); } ASTOBJ_UNLOCK(iterator); } while (0));