From da0f2ea99e178b958e1371484e6b115e3e3e3da7 Mon Sep 17 00:00:00 2001
From: Alexei Gradinari
Date: Fri, 2 Oct 2020 15:32:29 -0400
Subject: [PATCH] sched: AST_SCHED_REPLACE_UNREF can lead to use after free of data

The data can be freed if the old object '_data' is the same object as new 'data'. Because at first the object is unreferenced which can lead to destroying it. This could happened in res_pjsip_pubsub when the publication is updated which could lead to segfault in function publish_expire.

Change-Id: I0164f57c387243510bdbd2f8dcf33377b6c202da
---
 include/asterisk/sched.h | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/include/asterisk/sched.h b/include/asterisk/sched.h
index 7ea6709adb..60a6605630 100644
--- a/include/asterisk/sched.h
+++ b/include/asterisk/sched.h
@@ -136,11 +136,12 @@ extern "C" {
 while (id > -1 && (_res = ast_sched_del(sched, id) && _count++ < 10)) { \
 usleep(1); \
 } \
- if (!_res && _data) \
+ if (!_res && _data && _data != data) \
 unrefcall; /* should ref _data! */ \
 if (_count == 10) \
 ast_log(LOG_WARNING, "Unable to cancel schedule ID %d. This is probably a bug (%s: %s, line %d).\n", id, __FILE__, __PRETTY_FUNCTION__, __LINE__); \
- refcall; \
+ if (_data != data) \
+ refcall; \
 id = ast_sched_add_variable(sched, when, callback, data, variable); \
 if (id == -1) \
 addfailcall; \
-- 
2.47.2
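Review bot: The new `if (_data != data)` guard on `refcall;` also suppresses the reference when `_res` is non-zero, i.e. when `ast_sched_del()` failed because the old entry already fired, and in that case the old reference is not transferred to the new entry, so the entry added by `ast_sched_add_variable()` may hold a pointer it does not own if the old callback released its reference. The unref above is correctly skipped there (it already tests `!_res`), but the ref should only be skipped when the old reference is actually being carried over: `if (_res || _data != data) \` / `refcall; \`. This depends on `_data` being captured before the delete loop, which is in the macro head outside the hunk (the macro also continues past the hunk's last line), so please confirm against the full definition. As `refcall` and `unrefcall` are caller-supplied macro arguments, the new unbraced `if` body is fragile; `if (_data != data) { refcall; } \` would be safer.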