Prevent crash in ConfBridge due to race condition when channels leave bridge

When a channel leaves a bridge, a race condition existed where the
bridge_channel's pvt structure would be accessed after it was disposed of.
This patch prevents that by setting the pointer to the pvt to NULL prior
to disposing of it.

Note that this patch is a backport from Asterisk 10. This particular race
condition was fixed as part of the larger code rework that occurred for that
release.

The solution to this problem was pointed out by Gunnar Harms in ASTERISK-16640.

(closes issue ASTERISK-16640)
Reported by: thomas987

(closes issue ASTERISK-16835)
Reported by: saghul

git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@379091 65c4cc65-6c06-0410-ace0-fbb531ad65f3

diff --git a/bridges/bridge_softmix.c b/bridges/bridge_softmix.c
index 31f579334b9a6aefb2cff338728f1e6eca06fdf9..a6ee88cdd4757b31b6baf7a458d9247a9dd3e716 100644 (file)
--- a/bridges/bridge_softmix.c
+++ b/bridges/bridge_softmix.c
@@ -149,6 +149,11 @@ static int softmix_bridge_leave(struct ast_bridge *bridge, struct ast_bridge_cha
 {
        struct softmix_channel *sc = bridge_channel->bridge_pvt;
 
+       if (!(bridge_channel->bridge_pvt)) {
+               return 0;
+       }
+       bridge_channel->bridge_pvt = NULL;
+
        /* Drop mutex lock */
        ast_mutex_destroy(&sc->lock);