From: David Vossel Date: Fri, 14 May 2010 18:53:55 +0000 (+0000) Subject: fix iax_frame double free X-Git-Tag: 11.0.0-beta1~3030 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cddc244c97c613d61f586eae9f814d25ff32f061;p=thirdparty%2Fasterisk.git fix iax_frame double free Very unfortunate things happen if we add an iax_frame to the frame queue and let go of the lock before scheduling the frame's transmit... There is a race condition that exists where the frame can be removed from the frame_queue and freed before the transmit is scheduled if we do not hold on to that lock. This results in a freed frame being scheduled for transmit later. git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@263151 65c4cc65-6c06-0410-ace0-fbb531ad65f3 --- diff --git a/channels/chan_iax2.c b/channels/chan_iax2.c index 2d778e514b..30f9d721a2 100644 --- a/channels/chan_iax2.c +++ b/channels/chan_iax2.c @@ -4125,9 +4125,9 @@ static int transmit_frame(void *data) } else { /* We need reliable delivery. Schedule a retransmission */ AST_LIST_INSERT_TAIL(&frame_queue[fr->callno], fr, list); - ast_mutex_unlock(&iaxsl[fr->callno]); fr->retries++; fr->retrans = iax2_sched_add(sched, fr->retrytime, attempt_transmit, fr); + ast_mutex_unlock(&iaxsl[fr->callno]); } return 0;
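Review bot: The relocated `ast_mutex_unlock(&iaxsl[fr->callno]);` at the end of the `else` branch in `transmit_frame()` now enforces an ordering invariant that nothing in the code states. The lock has to stay held from `AST_LIST_INSERT_TAIL(&frame_queue[fr->callno], fr, list);` until `fr->retrans` has been assigned, otherwise the frame can be dequeued and freed before it is scheduled, as the commit message describes. The existing comment only says "We need reliable delivery. Schedule a retransmission", so I would extend it to note that the frame is reachable by other threads as soon as it is on `frame_queue` and that the unlock must come last, which keeps a later cleanup from moving it back. Two things to confirm while here. First, the value returned by `iax2_sched_add(sched, fr->retrytime, attempt_transmit, fr)` is stored in `fr->retrans` without a check in these lines, so if that call can fail, the frame stays queued with no retransmit pending. Second, the scheduler call now runs with `iaxsl[fr->callno]` held, so the lock order against the scheduler and the `attempt_transmit` callback should be checked for inversion.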