fix iax_frame double free

Very unfortunate things happen if we add an iax_frame
to the frame queue and let go of the lock before scheduling
the frame's transmit... There is a race condition that
exists where the frame can be removed from the frame_queue
and freed before the transmit is scheduled if we do not
hold on to that lock.  This results in a freed frame
being scheduled for transmit later.

git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@263151 65c4cc65-6c06-0410-ace0-fbb531ad65f3

diff --git a/channels/chan_iax2.c b/channels/chan_iax2.c
index 2d778e5..30f9d72 100644 (file)
--- a/channels/chan_iax2.c
+++ b/channels/chan_iax2.c
@@ -4125,9 +4125,9 @@ static int transmit_frame(void *data)
        } else {
                /* We need reliable delivery.  Schedule a retransmission */
                AST_LIST_INSERT_TAIL(&frame_queue[fr->callno], fr, list);
-               ast_mutex_unlock(&iaxsl[fr->callno]);
                fr->retries++;
                fr->retrans = iax2_sched_add(sched, fr->retrytime, attempt_transmit, fr);
+               ast_mutex_unlock(&iaxsl[fr->callno]);
        }
 
        return 0;