From cddc244c97c613d61f586eae9f814d25ff32f061 Mon Sep 17 00:00:00 2001
From: David Vossel
Date: Fri, 14 May 2010 18:53:55 +0000
Subject: [PATCH] fix iax_frame double free
Very unfortunate things happen if we add an iax_frame to the frame queue and let go of the lock before scheduling the frame's transmit... There is a race condition that exists where the frame can be removed from the frame_queue and freed before the transmit is scheduled if we do not hold on to that lock. This results in a freed frame being scheduled for transmit later.
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@263151 65c4cc65-6c06-0410-ace0-fbb531ad65f3
---
 channels/chan_iax2.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/channels/chan_iax2.c b/channels/chan_iax2.c
index 2d778e514b..30f9d721a2 100644
--- a/channels/chan_iax2.c
+++ b/channels/chan_iax2.c
@@ -4125,9 +4125,9 @@ static int transmit_frame(void *data)
 } else {
 /* We need reliable delivery. Schedule a retransmission */
 AST_LIST_INSERT_TAIL(&frame_queue[fr->callno], fr, list);
- ast_mutex_unlock(&iaxsl[fr->callno]);
 fr->retries++;
 fr->retrans = iax2_sched_add(sched, fr->retrytime, attempt_transmit, fr);
+ ast_mutex_unlock(&iaxsl[fr->callno]);
 }
 return 0;
--
2.47.2
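Review bot: The ordering this fix depends on is not recorded at the call site: in the reliable-delivery branch, `ast_mutex_unlock(&iaxsl[fr->callno])` has to stay after `iax2_sched_add()`, yet the existing comment only says that a retransmission is scheduled. I would add a comment above the queue insert such as `/* Keep iaxsl[fr->callno] held until the retransmit is scheduled; once unlocked, fr may be dequeued and freed. */` so a later cleanup does not move the unlock back up and reintroduce the use of a freed frame. Separately, `fr->retrans` is stored without being checked; if `iax2_sched_add()` can report failure (its definition is not in this hunk), the frame would stay in `frame_queue` with no retransmit pending, so a check before the unlock is worth considering. The body of transmit_frame starts outside the hunk, so where the lock is taken and how the other branch releases it cannot be confirmed from here.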