From: Alexei Gradinari
Date: Fri, 2 Oct 2020 19:32:29 +0000 (-0400)
Subject: sched: AST_SCHED_REPLACE_UNREF can lead to use after free of data
X-Git-Tag: 19.0.0-rc1~278
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cc7eb72f6544e021f9d3dd36f542118130c503b6;p=thirdparty%2Fasterisk.git

sched: AST_SCHED_REPLACE_UNREF can lead to use after free of data

The data can be freed if the old object '_data' is the same object as new 'data'. Because at first the object is unreferenced which can lead to destroying it. This could happen in res_pjsip_pubsub when the publication is updated which could lead to segfault in function publish_expire.

Change-Id: I0164f57c387243510bdbd2f8dcf33377b6c202da
---
diff --git a/include/asterisk/sched.h b/include/asterisk/sched.h index 7ea6709adb..60a6605630 100644 --- a/include/asterisk/sched.h +++ b/include/asterisk/sched.h @@ -136,11 +136,12 @@ extern "C" { while (id > -1 && (_res = ast_sched_del(sched, id) && _count++ < 10)) { \ usleep(1); \ } \ - if (!_res && _data) \ + if (!_res && _data && _data != data) \ unrefcall; /* should ref _data! */ \ if (_count == 10) \ ast_log(LOG_WARNING, "Unable to cancel schedule ID %d. This is probably a bug (%s: %s, line %d).\n", id, __FILE__, __PRETTY_FUNCTION__, __LINE__); \ - refcall; \ + if (_data != data) \ + refcall; \ id = ast_sched_add_variable(sched, when, callback, data, variable); \ if (id == -1) \ addfailcall; \
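
Review bot: the new `if (_data != data)` guard on `refcall` is broader than the guard on `unrefcall` above it, so the two no longer pair up on every path. `unrefcall` is skipped when `_res` is nonzero or `_data` is NULL as well as when the pointers match, but `refcall` is now skipped whenever the pointers match, whatever the reason `unrefcall` did not run. The path that matters is the one that logs "Unable to cancel schedule ID": if the old entry could not be cancelled and `_data == data`, `ast_sched_add_variable` adds a second entry for the same object without taking a reference for it, so the old and new entries share one reference and whichever fires last can see freed data, which is the bug class this change is meant to close. Consider skipping `refcall` only in the exact case where the identity check suppressed `unrefcall` (cancel succeeded, `_data` non-NULL, `_data == data`), for example by recording that decision in one local flag and testing the flag in both places. Smaller points: `data` is a macro argument and is now expanded in two more places, so it is worth documenting that callers must not pass an expression with side effects, and the macro's doc comment should state that rescheduling the same object keeps the existing reference instead of doing an unref/ref pair.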