From d7dec4f14fc018d18ed480358f9a265b81b230b9 Mon Sep 17 00:00:00 2001 From: David Vossel Date: Tue, 29 Nov 2011 00:03:36 +0000 Subject: Merged revisions 346349 via svnmerge from https://origsvn.digium.com/svn/asterisk/branches/10 ........ r346349 | dvossel | 2011-11-28 18:00:11 -0600 (Mon, 28 Nov 2011) | 10 lines Fixes memory leak in message API. The ast_msg_get_var function did not properly decrement the ref count of the var it retrieves. The way this is implemented is a bit tricky, as we must decrement the var and then return the var's value. As long as the documentation for the function is followed, this will not result in a dangling pointer as the ast_msg structure owns its own reference to the var while it exists in the var container. ........ git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@346350 65c4cc65-6c06-0410-ace0-fbb531ad65f3 --- include/asterisk/message.h | 3 ++- main/message.c | 10 +++++++++- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/include/asterisk/message.h b/include/asterisk/message.h index e52c4c406..d989563e5 100644 --- a/include/asterisk/message.h +++ b/include/asterisk/message.h @@ -173,7 +173,8 @@ int ast_msg_set_var(struct ast_msg *msg, const char *name, const char *value); /*! * \brief Get the specified variable on the message * \note The return value is valid only as long as the ast_message is valid. Hold a reference - * to the message if you plan on storing the return value. + * to the message if you plan on storing the return value. Do re-set the same + * message var name while holding a pointer to the result of this function. * * \return The value associated with variable "name". NULL if variable not found. */ diff --git a/main/message.c b/main/message.c index f2c5f4ddb..edc54c8ea 100644 --- a/main/message.c +++ b/main/message.c @@ -522,12 +522,20 @@ int ast_msg_set_var(struct ast_msg *msg, const char *name, const char *value) const char *ast_msg_get_var(struct ast_msg *msg, const char *name) { struct msg_data *data; + const char *val = NULL; if (!(data = msg_data_find(msg->vars, name))) { return NULL; } - return data->value; + /* Yep, this definitely looks like val would be a dangling pointer + * after the ref count is decremented. As long as the message structure + * is used in a thread safe manner, this will not be the case though. + * The ast_msg holds a reference to this object in the msg->vars container. */ + val = data->value; + ao2_ref(data, -1); + + return val; } struct ast_msg_var_iterator { -- cgit v1.2.3