diff options
| author | Matthew Jordan <mjordan@digium.com> | 2012-04-09 20:55:53 +0000 |
|---|---|---|
| committer | Matthew Jordan <mjordan@digium.com> | 2012-04-09 20:55:53 +0000 |
| commit | 97f813f3a47c7a808fea1c0b978eda14e0e8190e (patch) | |
| tree | bd1e677298045d749a3e2c65b8cb2b28b6b914cb /channels/chan_dahdi.c | |
| parent | f4fd1b2fb0267991ecc1e2183d5a5833d0a6c4a3 (diff) | |
Prevent invalid access of free'd memory if DAHDI channel during an MWI event
In the MWI processing loop, when a valid event occurs the temporary caller ID
information is deallocated. If a new DAHDI channel is successfully created,
the event is passed up to the analog_ss_thread without error and the loop
exits. If, however, the DAHDI channel is not created, then the caller ID
struct has been free'd, and the gains reset to their previous level. This
will almost certainly cause an invalid access to the free'd memory, either
in subsequent calls to callerid_free or calls to callerid_feed.
This patch makes it so that we only free the caller ID structure if a
DAHDI channel is successfully created, and we bump the gains back up
if we fail to make a DAHDI channel.
........
Merged revisions 361705 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........
Merged revisions 361706 from http://svn.asterisk.org/svn/asterisk/branches/10
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@361707 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Diffstat (limited to 'channels/chan_dahdi.c')
| -rw-r--r-- | channels/chan_dahdi.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/channels/chan_dahdi.c b/channels/chan_dahdi.c index 84a702563..10ce9b50b 100644 --- a/channels/chan_dahdi.c +++ b/channels/chan_dahdi.c @@ -11166,13 +11166,14 @@ static void *mwi_thread(void *data) break; /* What to do on channel alarm ???? -- fall thru intentionally?? */ default: ast_log(LOG_NOTICE, "Got event %d (%s)... Passing along to analog_ss_thread\n", res, event2str(res)); - callerid_free(cs); restore_gains(mtd->pvt); mtd->pvt->ringt = mtd->pvt->ringt_base; if ((chan = dahdi_new(mtd->pvt, AST_STATE_RING, 0, SUB_REAL, 0, NULL))) { int result; + + callerid_free(cs); if (analog_lib_handles(mtd->pvt->sig, mtd->pvt->radio, mtd->pvt->oprmode)) { result = analog_ss_thread_start(mtd->pvt->sig_pvt, chan); } else { @@ -11189,6 +11190,8 @@ static void *mwi_thread(void *data) goto quit_no_clean; } else { + /* Bump the gains back */ + bump_gains(mtd->pvt); ast_log(LOG_WARNING, "Could not create channel to handle call\n"); } } |