author: Matthew Jordan <mjordan@digium.com> 2013-06-22 13:58:07 +0000
committer: Matthew Jordan <mjordan@digium.com> 2013-06-22 13:58:07 +0000
commit: ea03516cb5426915d183526335d3a7d662ea29dc
tree: 51e20f0c6dc80a364c69023edf1db330dfc5ba24 /channels/sip/include/sip.h
parent: 94ec267888e907862cab6c5e24163ca3a9a72070
Fix a deadlock and possible crash in res_fax
This patch fixes two bugs.

(1) It unlocks the channel in the framehook handlers before attempting to grab the peer from the bridge. The locking order for the bridging framework is bridge first, then channel - having the channel locked while attempting to obtain the bridge lock causes a locking inversion and a deadlock. This patch bumps the channel ref count prior to releasing the lock in the framehook to avoid lifetime issues.

Note that this does expose a subtle problem in framehooks; that is, something could modify the framehook list while we are executing, causing issues in the framehook list traversal that the callback executes in. Fixing this is a much larger problem that is beyond the scope of this patch - (a) we already unlock the channel in this particular framehook and we haven't run into a problem yet (as modifying the framehook list when a channel is about to perform a fax gateway would be a very odd operation) and (b) migrating to an ao2 container of framehooks would be more invasive at this point. See the referenced ASTERISK issue for more information.

(2) Directly packing channel variables into a JSON object turned out to be unsafe. A condition existed where the strings in the JSON blob were no longer safe to be accessed if the channel object itself was disposed of.

(issue ASTERISK-21951)

git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@392564 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Diffstat (limited to 'channels/sip/include/sip.h')
0 files changed, 0 insertions, 0 deletions