chan_iax2: Fix crash caused by unprotected access to iaxs[peer->callno]

This patch fixes an access to the peer callnumber that is unprotected by a
corresponding mutex. The peer->callno value can be changed by multiple threads,
and all data inside the iaxs array must be procted by a corresponding lock
of iaxsl.

The patch moves the unprotected access to a location where the mutex is
safely obtained.

Review: https://reviewboard.asterisk.org/r/4599/

ASTERISK-21211 #close
Reported by: Jaco Kroon
patches:
  asterisk-11.2.1-iax2_poke-segfault.diff submitted by Jaco Kroon (License 5671)
........

Merged revisions 434291 from http://svn.asterisk.org/svn/asterisk/branches/11


git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/13@434292 65c4cc65-6c06-0410-ace0-fbb531ad65f3

1 files changed, 5 insertions, 5 deletions

diff --git a/channels/chan_iax2.c b/channels/chan_iax2.c
index eeec1e1f1..b17c6f5fc 100644
--- a/channels/chan_iax2.c
+++ b/channels/chan_iax2.c
@@ -12341,15 +12341,11 @@ static int iax2_poke_peer(struct iax2_peer *peer, int heldcall)
 	callno = peer->callno = find_callno(0, 0, &peer->addr, NEW_FORCE, peer->sockfd, 0);
 	if (heldcall)
 		ast_mutex_lock(&iaxsl[heldcall]);
-	if (peer->callno < 1) {
+	if (callno < 1) {
 		ast_log(LOG_WARNING, "Unable to allocate call for poking peer '%s'\n", peer->name);
 		return -1;
 	}
 
-	/* Speed up retransmission times for this qualify call */
-	iaxs[peer->callno]->pingtime = peer->maxms / 4 + 1;
-	iaxs[peer->callno]->peerpoke = peer;
-
 	if (peer->pokeexpire > -1) {
 		if (!AST_SCHED_DEL(sched, peer->pokeexpire)) {
 			peer->pokeexpire = -1;
@@ -12370,6 +12366,10 @@ static int iax2_poke_peer(struct iax2_peer *peer, int heldcall)
 	/* And send the poke */
 	ast_mutex_lock(&iaxsl[callno]);
 	if (iaxs[callno]) {
+		/* Speed up retransmission times for this qualify call */
+		iaxs[callno]->pingtime = peer->maxms / 4 + 1;
+		iaxs[callno]->peerpoke = peer;
+
 		struct iax_ie_data ied = {
 			.buf = { 0 },
 			.pos = 0,