From: David Vossel <dvossel@digium.com>
Date: Mon, 9 Nov 2009 22:18:23 +0000 (+0000)
Subject: fixes segfault when transferring a queue caller
X-Git-Tag: 1.6.1.10-rc3~20
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bac2f04b1adc003333fa5f2c617a6c0faec6da52;p=thirdparty%2Fasterisk.git

fixes segfault when transferring a queue caller

In sip_hangup we attempted to lock p->owner after we set it to NULL.
Thanks to fhackenberger for reporting the issue and submitting a patch.

(closes issue 0015848)
Reported by: fhackenberger
Patches:
      digium_bug_0015848 uploaded by fhackenberger (license 592)
Tested by: fhackenberger, lmadsen, TomS, shin-shoryuken, dvossel



git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.6.1@229014 65c4cc65-6c06-0410-ace0-fbb531ad65f3
---

diff --git a/channels/chan_sip.c b/channels/chan_sip.c
index 0ea34dac34..cdcab19854 100644
--- a/channels/chan_sip.c
+++ b/channels/chan_sip.c
@@ -5674,15 +5674,12 @@ static int sip_hangup(struct ast_channel *ast)
 				 * to lock the bridge. This may get hairy...
 				 */
 				while (bridge && ast_channel_trylock(bridge)) {
-					struct ast_channel *chan = p->owner;
 					sip_pvt_unlock(p);
 					do {
-						/* Use chan since p->owner could go NULL on us
-						 * while p is unlocked
-						 */
-						CHANNEL_DEADLOCK_AVOIDANCE(chan);
+						/* Use oldowner since p->owner is already NULL */
+						CHANNEL_DEADLOCK_AVOIDANCE(oldowner);
 					} while (sip_pvt_trylock(p));
-					bridge = p->owner ? ast_bridged_channel(p->owner) : NULL;
+					bridge = ast_bridged_channel(oldowner);
 				}
 
 				if (p->rtp)