bridge.c: NULL app causes crash during attended transfer

Due to a race condition there was a chance that during an attended transfer the
channel's application would return NULL. This, of course, would cause a crash
when attempting to access the memory. This patch retrieves the channel's app
at an earlier time in processing in hopes that the app name is available.
However, if it is not then "unknown" is used instead. Since some string value
is now always present the crash can no longer occur.

ASTERISK-24869 #close
Reported by: viniciusfontes
Review: https://gerrit.asterisk.org/#/c/133/

Change-Id: I5134b84c4524906d8148817719d76ffb306488ac

1 files changed, 6 insertions, 1 deletions

diff --git a/main/bridge.c b/main/bridge.c
index b1c42ff58..64ef12db8 100644
--- a/main/bridge.c
+++ b/main/bridge.c
@@ -4474,6 +4474,12 @@ enum ast_transfer_result ast_bridge_transfer_attended(struct ast_channel *to_tra
 	chan_bridged = to_transferee_bridge ? to_transferee : to_transfer_target;
 	chan_unbridged = to_transferee_bridge ? to_transfer_target : to_transferee;
 
+	/*
+	 * Race condition makes it possible for app to be NULL, so get the app prior to
+	 * transferring with a fallback of "unknown".
+	 */
+	app = ast_strdupa(ast_channel_appl(chan_unbridged) ?: "unknown");
+
 	{
 		int chan_count;
 		SCOPED_LOCK(lock, the_bridge, ast_bridge_lock, ast_bridge_unlock);
@@ -4515,7 +4521,6 @@ enum ast_transfer_result ast_bridge_transfer_attended(struct ast_channel *to_tra
 		goto end;
 	}
 
-	app = ast_strdupa(ast_channel_appl(chan_unbridged));
 	if (bridge_channel_internal_queue_attended_transfer(transferee, chan_unbridged)) {
 		res = AST_BRIDGE_TRANSFER_FAIL;
 		goto end;