From: Matthew Jordan
Date: Wed, 8 Apr 2015 11:59:10 +0000 (+0000)
Subject: chan_iax2: Fix crash caused by unprotected access to iaxs[peer->callno]
X-Git-Tag: 11.18.0-rc1~68
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e61628db7b82eea197d1c607aaf0999cc9acd033;p=thirdparty%2Fasterisk.git

chan_iax2: Fix crash caused by unprotected access to iaxs[peer->callno]

This patch fixes an access to the peer callnumber that is unprotected by a corresponding mutex. The peer->callno value can be changed by multiple threads, and all data inside the iaxs array must be protected by a corresponding lock of iaxsl.

The patch moves the unprotected access to a location where the mutex is safely obtained.

Review: https://reviewboard.asterisk.org/r/4599/

ASTERISK-21211 #close
Reported by: Jaco Kroon
patches:
  asterisk-11.2.1-iax2_poke-segfault.diff submitted by Jaco Kroon (License 5671)

git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/11@434291 65c4cc65-6c06-0410-ace0-fbb531ad65f3
---

diff --git a/channels/chan_iax2.c b/channels/chan_iax2.c index 71a923bd07..7dcc64da9e 100644 --- a/channels/chan_iax2.c +++ b/channels/chan_iax2.c @@ -12447,15 +12447,11 @@ static int iax2_poke_peer(struct iax2_peer *peer, int heldcall) callno = peer->callno = find_callno(0, 0, &peer_addr, NEW_FORCE, peer->sockfd, 0); if (heldcall) ast_mutex_lock(&iaxsl[heldcall]); - if (peer->callno < 1) { + if (callno < 1) { ast_log(LOG_WARNING, "Unable to allocate call for poking peer '%s'\n", peer->name); return -1; } - /* Speed up retransmission times for this qualify call */ - iaxs[peer->callno]->pingtime = peer->maxms / 4 + 1; - iaxs[peer->callno]->peerpoke = peer; - if (peer->pokeexpire > -1) { if (!AST_SCHED_DEL(sched, peer->pokeexpire)) { peer->pokeexpire = -1; 
@@ -12476,6 +12472,10 @@ static int iax2_poke_peer(struct iax2_peer *peer, int heldcall) /* And send the poke */ ast_mutex_lock(&iaxsl[callno]); if (iaxs[callno]) { + /* Speed up retransmission times for this qualify call */ + iaxs[callno]->pingtime = peer->maxms / 4 + 1; + iaxs[callno]->peerpoke = peer; + struct iax_ie_data ied = { .buf = { 0 }, .pos = 0,
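
Review bot: In the first hunk (@@ -12447,15 +12447,11 @@), the failure check now reads the local callno, but the context line directly above still stores into peer->callno in the same statement (callno = peer->callno = find_callno(...)) with no iaxsl lock visible around it, and the commit message says that field can be changed by multiple threads. A short comment at that assignment stating that only the local snapshot callno may be used to index iaxs and iaxsl for the rest of iax2_poke_peer would keep a later edit from reintroducing iaxs[peer->callno].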
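
Review bot: In the second hunk (@@ -12476,6 +12472,10 @@), the two moved assignments are placed ahead of the struct iax_ie_data ied declaration inside the if (iaxs[callno]) block, so the block now mixes statements and declarations; moving them below the ied initializer keeps the declaration at the top of the block and stays clean under -Wdeclaration-after-statement. Separately, the NULL check only shows that slot callno is occupied once ast_mutex_lock(&iaxsl[callno]) is held; if a slot can be reused between the find_callno call and this lock, pingtime and peerpoke would be written onto a different call, so it is worth stating in a comment why that cannot happen here.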