From c19139538112dcd107a3f1eab98006e366dfb30b Mon Sep 17 00:00:00 2001 From: Terry Wilson Date: Tue, 22 May 2012 16:14:16 +0000 Subject: [PATCH] Resolve crash in subscribing for MWI notifications ASTOBJ_UNREF sets the variable to NULL after unreffing it, so the variable should definitely not be used after that. To solve this in the two cases that affect subscribing for MWI notifications, we instead save the ref locally, and unref them in the error conditions. (closes issue ASTERISK-19827) Reported by: B. R Review: https://reviewboard.asterisk.org/r/1940/ git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@367266 65c4cc65-6c06-0410-ace0-fbb531ad65f3 --- channels/chan_sip.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/channels/chan_sip.c b/channels/chan_sip.c index baba511da3..707f7b5fbb 100644 --- a/channels/chan_sip.c +++ b/channels/chan_sip.c @@ -12421,13 +12421,14 @@ static int __sip_subscribe_mwi_do(struct sip_subscription_mwi *mwi) /* If we have no DNS manager let's do a lookup */ if (!mwi->dnsmgr) { char transport[MAXHOSTNAMELEN]; + struct sip_subscription_mwi *saved; snprintf(transport, sizeof(transport), "_%s._%s", get_srv_service(mwi->transport), get_srv_protocol(mwi->transport)); mwi->us.ss.ss_family = get_address_family_filter(&bindaddr); /* Filter address family */ - ASTOBJ_REF(mwi); /* Add a ref for storing the mwi on the dnsmgr for updates */ - ast_dnsmgr_lookup_cb(mwi->hostname, &mwi->us, &mwi->dnsmgr, sip_cfg.srvlookup ? transport : NULL, on_dns_update_mwi, mwi); + saved = ASTOBJ_REF(mwi); + ast_dnsmgr_lookup_cb(mwi->hostname, &mwi->us, &mwi->dnsmgr, sip_cfg.srvlookup ? transport : NULL, on_dns_update_mwi, saved); if (!mwi->dnsmgr) { - ASTOBJ_UNREF(mwi, sip_subscribe_mwi_destroy); /* dnsmgr disabled, remove reference */ + ASTOBJ_UNREF(saved, sip_subscribe_mwi_destroy); /* dnsmgr disabled, remove reference */ } } 
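Review bot: The new `saved = ASTOBJ_REF(mwi);` line drops the old comment ("Add a ref for storing the mwi on the dnsmgr for updates"), and nothing in the code now says why a second pointer is needed. Per the commit message, ASTOBJ_UNREF sets its argument to NULL, so a later cleanup that folds this back into `ASTOBJ_UNREF(mwi, ...)` would reintroduce the crash. I would add `/* Ref handed to the dnsmgr callback; kept in a local because ASTOBJ_UNREF() NULLs its argument and mwi is still needed */` above the assignment, and the same kind of comment on `saved = ASTOBJ_REF(iterator);` in sip_send_all_mwi_subscriptions. __sip_subscribe_mwi_do starts and ends outside this hunk, so the later uses of mwi are not visible here.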
@@ -29687,10 +29688,12 @@ static void sip_send_all_registers(void) static void sip_send_all_mwi_subscriptions(void) { ASTOBJ_CONTAINER_TRAVERSE(&submwil, 1, do { + struct sip_subscription_mwi *saved; ASTOBJ_WRLOCK(iterator); AST_SCHED_DEL(sched, iterator->resub); - if ((iterator->resub = ast_sched_add(sched, 1, sip_subscribe_mwi_do, ASTOBJ_REF(iterator))) < 0) { - ASTOBJ_UNREF(iterator, sip_subscribe_mwi_destroy); + saved = ASTOBJ_REF(iterator); + if ((iterator->resub = ast_sched_add(sched, 1, sip_subscribe_mwi_do, saved)) < 0) { + ASTOBJ_UNREF(saved, sip_subscribe_mwi_destroy); } ASTOBJ_UNLOCK(iterator); } while (0)); -- 2.47.2
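Review bot: `AST_SCHED_DEL(sched, iterator->resub)` cancels a pending resubscription without releasing any reference, while the `ast_sched_add` just below it hands the scheduler its own reference in `saved`. If the cancelled entry was scheduled the same way, its reference is never dropped and the object's count only grows; whether that happens depends on how the other callers schedule `resub`, which is not visible here. I would check those callers and, if they do pass a reference, release it on a successful delete through a local copy (for example with `AST_SCHED_DEL_UNREF`), because ASTOBJ_UNREF on `iterator` itself would NULL the traversal variable. The function's closing brace is outside this hunk.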