From 56a2baa21dd1b1ac0af08ae939deaa9a1eecbc5a Mon Sep 17 00:00:00 2001
From: Kevin Harwell
Date: Thu, 16 Apr 2015 10:51:50 -0500
Subject: [PATCH] bridge.c: NULL app causes crash during attended transfer

Due to a race condition there was a chance that during an attended transfer the channel's application would return NULL. This, of course, would cause a crash when attempting to access the memory.

This patch retrieves the channel's app at an earlier time in processing in hopes that the app name is available. However, if it is not then "unknown" is used instead. Since some string value is now always present the crash can no longer occur.

ASTERISK-24869 #close
Reported by: viniciusfontes
Review: https://gerrit.asterisk.org/#/c/133/

Change-Id: I5134b84c4524906d8148817719d76ffb306488ac
---
 main/bridge.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/main/bridge.c b/main/bridge.c
index b1c42ff586..64ef12db85 100644
--- a/main/bridge.c
+++ b/main/bridge.c
@@ -4474,6 +4474,12 @@ enum ast_transfer_result ast_bridge_transfer_attended(struct ast_channel *to_tra
 	chan_bridged = to_transferee_bridge ? to_transferee : to_transfer_target;
 	chan_unbridged = to_transferee_bridge ? to_transfer_target : to_transferee;
 
+	/*
+	 * Race condition makes it possible for app to be NULL, so get the app prior to
+	 * transferring with a fallback of "unknown".
+	 */
+	app = ast_strdupa(ast_channel_appl(chan_unbridged) ?: "unknown");
+
 	{
 		int chan_count;
 		SCOPED_LOCK(lock, the_bridge, ast_bridge_lock, ast_bridge_unlock);
@@ -4515,7 +4521,6 @@ enum ast_transfer_result ast_bridge_transfer_attended(struct ast_channel *to_tra
 		goto end;
 	}
 
-	app = ast_strdupa(ast_channel_appl(chan_unbridged));
 	if (bridge_channel_internal_queue_attended_transfer(transferee, chan_unbridged)) {
 		res = AST_BRIDGE_TRANSFER_FAIL;
 		goto end;
-- 
2.47.2
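Review bot: The new `ast_channel_appl(chan_unbridged)` read in the first hunk is performed with no channel lock visible around it (only the bridge lock is taken afterwards via SCOPED_LOCK), so the race the commit describes can still replace or free the application string while `ast_strdupa` is copying it; the `?:` fallback only covers the case where the pointer is already NULL at the moment of the read, and it also does not cover an empty string. Unless chan_unbridged is already locked earlier in the function (outside the hunk), holding the channel lock for the copy and using the empty-aware helper closes the window: `ast_channel_lock(chan_unbridged); app = ast_strdupa(S_OR(ast_channel_appl(chan_unbridged), "unknown")); ast_channel_unlock(chan_unbridged);`. The `?:` form is a GNU extension, so it presumably relies on the compilers the project already requires; a comment such as `/* GNU ?: — NULL app falls back to "unknown"; read under channel lock to avoid a torn copy */` would make the intent explicit. `ast_bridge_transfer_attended` starts and ends outside both hunks, and the second hunk only removes the old late read, so the later uses of `app` are not visible here.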