Prevent invalid access of free'd memory if DAHDI channel during an MWI event
author Matthew Jordan <mjordan@digium.com>
Mon, 9 Apr 2012 20:55:53 +0000 (20:55 +0000)
committer Matthew Jordan <mjordan@digium.com>
Mon, 9 Apr 2012 20:55:53 +0000 (20:55 +0000)
In the MWI processing loop, when a valid event occurs the temporary caller ID
information is deallocated.  If a new DAHDI channel is successfully created,
the event is passed up to the analog_ss_thread without error and the loop
exits.  If, however, the DAHDI channel is not created, then the caller ID
struct has been free'd, and the gains reset to their previous level.  This
will almost certainly cause an invalid access to the free'd memory, either
in subsequent calls to callerid_free or calls to callerid_feed.

This patch makes it so that we only free the caller ID structure if a
DAHDI channel is successfully created, and we bump the gains back up
if we fail to make a DAHDI channel.
........

Merged revisions 361705 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........

Merged revisions 361706 from http://svn.asterisk.org/svn/asterisk/branches/10

git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@361707 65c4cc65-6c06-0410-ace0-fbb531ad65f3

channels/chan_dahdi.c

index 84a7025..10ce9b5 100644 (file)
@@ -11166,13 +11166,14 @@ static void *mwi_thread(void *data)
                                break; /* What to do on channel alarm ???? -- fall thru intentionally?? */
                        default:
                                ast_log(LOG_NOTICE, "Got event %d (%s)...  Passing along to analog_ss_thread\n", res, event2str(res));
-                               callerid_free(cs);
 
                                restore_gains(mtd->pvt);
                                mtd->pvt->ringt = mtd->pvt->ringt_base;
 
                                if ((chan = dahdi_new(mtd->pvt, AST_STATE_RING, 0, SUB_REAL, 0, NULL))) {
                                        int result;
+
+                                       callerid_free(cs);
                                        if (analog_lib_handles(mtd->pvt->sig, mtd->pvt->radio, mtd->pvt->oprmode)) {
                                                result = analog_ss_thread_start(mtd->pvt->sig_pvt, chan);
                                        } else {
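Review bot: the callerid_free(cs) now placed at the top of the dahdi_new() success branch leaves cs pointing at freed memory for the rest of mwi_thread(). The only exit visible for this branch is the goto quit_no_clean in the next hunk, and the lines in between are not shown, so nothing here guarantees that no path falls back into the loop or into cleanup that touches cs. Assigning cs = NULL right after the free would make that invariant explicit, provided the later callerid_free and callerid_feed callers tolerate or check for NULL. A short comment saying that cs must outlive a failed dahdi_new() because the loop keeps feeding it would also stop the free from being hoisted back above the if in a later cleanup.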
@@ -11189,6 +11190,8 @@ static void *mwi_thread(void *data)
                                        goto quit_no_clean;
 
                                } else {
+                                       /* Bump the gains back */
+                                       bump_gains(mtd->pvt);
                                        ast_log(LOG_WARNING, "Could not create channel to handle call\n");
                                }
                        }
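Review bot: in the else branch, bump_gains(mtd->pvt) reverses the restore_gains(mtd->pvt) done before dahdi_new(), but the mtd->pvt->ringt = mtd->pvt->ringt_base assignment made at the same point is not reversed. If the thread keeps processing MWI after a failed channel creation, please confirm that leaving ringt at ringt_base is intended, or save the old value and put it back here. An alternative that avoids the undo step is to move restore_gains() and the ringt assignment into the success branch next to callerid_free(cs), if dahdi_new() does not depend on them. The comment "Bump the gains back" restates the call; it would help more if it said why, namely that MWI detection continues with cs still allocated and needs the detection gains.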