Fix potential crashes during SIP attended transfers.
author Mark Michelson <mmichelson@digium.com>
Fri, 30 Nov 2012 16:56:53 +0000 (16:56 +0000)
committer Mark Michelson <mmichelson@digium.com>
Fri, 30 Nov 2012 16:56:53 +0000 (16:56 +0000)
The principle behind this patch is simple. During a transfer,
we manipulate channels that are owned by a different thread than
the one we currently are running in, so it makes sense that we
need to grab a reference to the channels so that they cannot
disappear out from under us.

In the wild, crashes were sometimes seen when the transferring
party would hang up the call before the transfer target answered
the call. The most common place to see the crash occur was when
attempting to send a connected line update to the transferer
channel.

(closes issue ASTERISK-20226)
Reported by Jared Smith
Patches:
ASTERISK-20226.patch uploaded by Mark Michelson (License #5049)
Tested by: Jared Smith
........

Merged revisions 376901 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........

Merged revisions 376916 from http://svn.asterisk.org/svn/asterisk/branches/10
........

Merged revisions 376917 from http://svn.asterisk.org/svn/asterisk/branches/11

git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@376918 65c4cc65-6c06-0410-ace0-fbb531ad65f3

channels/chan_sip.c

index 30177d1..9c797d6 100644 (file)
@@ -25817,8 +25817,11 @@ static int local_attended_transfer(struct sip_pvt *transferer, struct sip_dual *
        }
 
        /* We have a channel, find the bridge */
-       target.chan1 = targetcall_pvt->owner;                           /* Transferer to Asterisk */
+       target.chan1 = ast_channel_ref(targetcall_pvt->owner);                          /* Transferer to Asterisk */
        target.chan2 = ast_bridged_channel(targetcall_pvt->owner);      /* Asterisk to target */
+       if (target.chan2) {
+               ast_channel_ref(target.chan2);
+       }
 
        if (!target.chan2 || !(ast_channel_state(target.chan2) == AST_STATE_UP || ast_channel_state(target.chan2) == AST_STATE_RINGING) ) {
                /* Wrong state of new channel */
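Review bot: The reference on target.chan2 is taken one statement after ast_bridged_channel(targetcall_pvt->owner) returns the pointer, so between that call and the ast_channel_ref(target.chan2) inside the if block the bridged channel is still unprotected unless a lock held here keeps it alive, and no lock is visible in this hunk. Since the commit message says these channels belong to another thread, either take the reference while the relevant channel lock is held or add a comment naming the lock that covers this window. The same applies to the read of targetcall_pvt->owner that feeds ast_channel_ref() for target.chan1.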
@@ -25960,6 +25963,10 @@ static int local_attended_transfer(struct sip_pvt *transferer, struct sip_dual *
        /* at this point if the transfer is successful only the transferer pvt should be locked. */
        ast_party_connected_line_free(&connected_to_target);
        ast_party_connected_line_free(&connected_to_transferee);
+       ast_channel_unref(target.chan1);
+       if (target.chan2) {
+               ast_channel_unref(target.chan2);
+       }
        if (targetcall_pvt)
                ao2_t_ref(targetcall_pvt, -1, "drop targetcall_pvt");
        return 1;
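Review bot: The two ast_channel_unref() calls are added only on this return 1 path, while the hunk headers put the matching ast_channel_ref() calls about 140 lines earlier in local_attended_transfer() (25817 versus 25963), so any other return between those points would leave the channel references held. Please confirm every exit after the references are taken releases them, or route all exits through a single cleanup label so the ref/unref pairing lives in one place. Also, ast_channel_unref(target.chan1) is unconditional while targetcall_pvt is NULL-checked two lines below; a short comment on why target.chan1 is always set on this path would help the next reader.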