app_queue: crash if first agent is "busy"
author Kevin Harwell <kharwell@digium.com>
Wed, 6 Nov 2013 21:58:17 +0000 (21:58 +0000)
committer Kevin Harwell <kharwell@digium.com>
Wed, 6 Nov 2013 21:58:17 +0000 (21:58 +0000)
If the first agent/member (via CLI "queue show") in a queue is "busy" (dnd,
circuit busy, etc...) and no agents answered then app_queue would crash.
This occurred because while the calling of agent(s) remained valid the channel
on "busy" agent would be set to NULL and then later dereferenced upon a second
"rna" function call.  The original intention of the code is to have only valid
"call attempt" objects (channels != NULL) checked while attempting to call
agent(s).  It does this by building a "call_next" list of valid "call attempt"
objects.  In the case of the "busy" agent subsequent builds of the valid "call
attempt" list would sometimes include (the case mentioned above) an invalid
"call attempt" object.

The fix was to make sure the "call attempt" list was appropriately built on
every iteration.  A NULL sanity check was also added at the original offending
spot of the crash just in case another one slipped by somehow.

(closes issue ASTERISK-22644)
Reported by: Marco Signorini
Review: https://reviewboard.asterisk.org/r/2983/
........

Merged revisions 402517 from http://svn.asterisk.org/svn/asterisk/branches/12

git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@402518 65c4cc65-6c06-0410-ace0-fbb531ad65f3

apps/app_queue.c

index 522c602..a1e495e 100644 (file)
@@ -4467,6 +4467,8 @@ static struct callattempt *wait_for_answer(struct queue_ent *qe, struct callatte
                                                }
                                                prev = o;
                                        }
+                               } else if (prev) {
+                                       prev->call_next = NULL;
                                }
                                numlines++;
                        }
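Review bot: The new `else if (prev)` branch in wait_for_answer only truncates the list when a valid entry has already been seen, so it does nothing when `prev` is still NULL, which is exactly the "first agent is busy" case the commit message describes. The hunk does not show how `start` is handled in that case, so please confirm that the head of the call_next list cannot be left pointing at an attempt whose channel is NULL. Also add a short comment above `prev->call_next = NULL;` saying that it drops a stale tail left over from the previous build of the list, because the reason for cutting the list here is not obvious from the code alone.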
@@ -4927,7 +4929,9 @@ skip_frame:;
 
        if (!*to) {
                for (o = start; o; o = o->call_next) {
-                       rna(orig, qe, o->chan, o->interface, o->member->membername, 1);
+                       if (o->chan) {
+                               rna(orig, qe, o->chan, o->interface, o->member->membername, 1);
+                       }
                }
 
                publish_dial_end_event(qe->chan, outgoing, NULL, "NOANSWER");
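Review bot: The `if (o->chan)` guard in the timeout loop skips the entry silently, so if an invalid attempt does slip into the call_next list again, nothing will reveal it. Since the commit message calls this a sanity check for a case that should no longer happen, consider logging in the skipped case (for example with ast_debug) so a regression in the list building is visible instead of masked. Note also that `o->member->membername` is still dereferenced without a check inside the guarded call; if `o->member` can be NULL whenever `o->chan` is NULL that is fine, but a comment stating that assumption would help the next reader.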