VECTOR: Passing parameters with side effects to macros is dangerous.
authorRichard Mudgett <rmudgett@digium.com>
Thu, 21 Jun 2018 21:39:45 +0000 (16:39 -0500)
committerRichard Mudgett <rmudgett@digium.com>
Thu, 21 Jun 2018 22:10:52 +0000 (16:10 -0600)
* Fix several instances where we were bumping a ref in the macro parameter
and then unreffing the object if the macro failed.  Because of the way the
AST_VECTOR_APPEND() and AST_VECTOR_REPLACE() macros are implemented, the
new value argument is never evaluated when they fail, so the ref that the
failure path released had never been taken.

Change-Id: I2847872a455b11ea7e5b7ce697c0a455a1d0ac9a

bridges/bridge_softmix.c
res/res_pjsip/pjsip_options.c
res/res_pjsip_history.c
res/res_pjsip_session.c
res/stasis/messaging.c

index 46b27f1..249985a 100644 (file)
@@ -2085,7 +2085,9 @@ static void remb_enable_collection(struct ast_bridge *bridge, struct ast_bridge_
                }
        }
 
-       if (AST_VECTOR_REPLACE(&softmix_data->remb_collectors, bridge_stream_position, ao2_bump(sc->remb_collector))) {
+       ao2_ref(sc->remb_collector, +1);
+       if (AST_VECTOR_REPLACE(&softmix_data->remb_collectors, bridge_stream_position,
+               sc->remb_collector)) {
                ao2_ref(sc->remb_collector, -1);
        }
 }
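Review bot: The reference bump is spelled two ways across this commit: `ao2_ref(sc->remb_collector, +1);` here and in the pjsip_options.c and messaging.c hunks, but a bare `ao2_bump(entry);` / `ao2_bump(session_media);` statement in the res_pjsip_history.c and res_pjsip_session.c hunks. The two are not interchangeable when the pointer can be NULL, since ao2_bump() is documented as NULL-safe and ao2_ref() is not. Nothing in the visible lines shows that sc->remb_collector is non-NULL at this point (the function starts above the hunk), so either confirm that or keep the NULL-tolerant form. I would also add a short comment above each hoisted bump so nobody folds it back into the macro call, e.g. `/* Take the vector's ref first; AST_VECTOR_REPLACE() does not evaluate the value argument on failure. */`.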
index 579f70e..5eaf9e8 100644 (file)
@@ -1530,10 +1530,11 @@ static int sip_options_endpoint_compositor_add_task(void *obj)
        ast_debug(3, "Adding endpoint compositor '%s' to AOR '%s'\n",
                task_data->endpoint_state_compositor->name, task_data->aor_options->name);
 
+       ao2_ref(task_data->endpoint_state_compositor, +1);
        if (AST_VECTOR_APPEND(&task_data->aor_options->compositors,
-               ao2_bump(task_data->endpoint_state_compositor))) {
+               task_data->endpoint_state_compositor)) {
                /* Failed to add so no need to update the endpoint status.  Nothing changed. */
-               ao2_cleanup(task_data->endpoint_state_compositor);
+               ao2_ref(task_data->endpoint_state_compositor, -1);
                return 0;
        }
 
index eed06ee..10bcd96 100644 (file)
@@ -1133,7 +1133,8 @@ static struct vector_history_t *filter_history(struct ast_cli_args *a)
                } else if (!res) {
                        continue;
                } else {
-                       if (AST_VECTOR_APPEND(output, ao2_bump(entry))) {
+                       ao2_bump(entry);
+                       if (AST_VECTOR_APPEND(output, entry)) {
                                ao2_cleanup(entry);
                        }
                }
index 49ab875..8b1012e 100644 (file)
@@ -250,7 +250,10 @@ struct ast_sip_session_media_state *ast_sip_session_media_state_clone(const stru
                struct ast_sip_session_media *session_media = AST_VECTOR_GET(&media_state->sessions, index);
                enum ast_media_type type = ast_stream_get_type(ast_stream_topology_get_stream(cloned->topology, index));
 
-               AST_VECTOR_REPLACE(&cloned->sessions, index, ao2_bump(session_media));
+               ao2_bump(session_media);
+               if (AST_VECTOR_REPLACE(&cloned->sessions, index, session_media)) {
+                       ao2_cleanup(session_media);
+               }
                if (ast_stream_get_state(ast_stream_topology_get_stream(cloned->topology, index)) != AST_STREAM_STATE_REMOVED &&
                        !cloned->default_session[type]) {
                        cloned->default_session[type] = session_media;
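Review bot: When `AST_VECTOR_REPLACE()` fails, the new branch drops the reference, but execution still falls through to `cloned->default_session[type] = session_media;`, so the clone can end up pointing at a session it holds no reference to. Whether default_session is meant to own a reference is not visible here. The assignment takes none, so the pointer's lifetime appears to depend on the entry stored in cloned->sessions, and a failed replace would leave it dangling once the source media state is released. Consider failing the clone or skipping the rest of the iteration, e.g. `continue;` after `ao2_cleanup(session_media);`. The loop and the function begin and end outside this hunk, so the right cleanup path needs checking against the full body.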
index 77a5874..a7716b8 100644 (file)
@@ -457,8 +457,9 @@ static struct message_subscription *get_or_create_subscription(struct ast_endpoi
                ao2_link(endpoint_subscriptions, sub);
        } else {
                ast_rwlock_wrlock(&tech_subscriptions_lock);
-               if (AST_VECTOR_APPEND(&tech_subscriptions, ao2_bump(sub))) {
-                       /* Release the ao2_bump that was for the vector and allocation references. */
+               ao2_ref(sub, +1);
+               if (AST_VECTOR_APPEND(&tech_subscriptions, sub)) {
+                       /* Release the refs that were for the vector and the allocation. */
                        ao2_ref(sub, -2);
                        sub = NULL;
                }