From 88e9d05ef7de24f0169032c1ae4cacbe54be0a55 Mon Sep 17 00:00:00 2001
From: Richard Mudgett
Date: Mon, 22 Aug 2016 15:01:37 -0500
Subject: ast_framehook_attach() must be called with the channel locked.
The framehook container could become corrupted if the channel lock is not held before calling.
Change-Id: I1a6b957a1f7b899eb29a186915f8cccab886a438
---
 res/res_pjsip_refer.c | 5 ++++-
 res/res_pjsip_t38.c | 14 ++++++++------
 2 files changed, 12 insertions(+), 7 deletions(-)
(limited to 'res')
diff --git a/res/res_pjsip_refer.c b/res/res_pjsip_refer.c
index e5bb90e5c..23c377d62 100644
--- a/res/res_pjsip_refer.c
+++ b/res/res_pjsip_refer.c
@@ -607,7 +607,10 @@ static void refer_blind_callback(struct ast_channel *chan, struct transfer_chann
 ao2_ref(refer->progress, +1);
 /* If we can't attach a frame hook for whatever reason send a notification of success immediately */
- if ((refer->progress->framehook = ast_framehook_attach(chan, &hook)) < 0) {
+ ast_channel_lock(chan);
+ refer->progress->framehook = ast_framehook_attach(chan, &hook);
+ ast_channel_unlock(chan);
+ if (refer->progress->framehook < 0) {
 struct refer_progress_notification *notification = refer_progress_notification_alloc(refer->progress, 200, PJSIP_EVSUB_STATE_TERMINATED);
diff --git a/res/res_pjsip_t38.c b/res/res_pjsip_t38.c
index 992902af2..01bfefdd9 100644
--- a/res/res_pjsip_t38.c
+++ b/res/res_pjsip_t38.c
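Review bot: In the res_pjsip_refer.c hunk the comment `/* If we can't attach a frame hook for whatever reason ... */` now sits above `ast_channel_lock(chan);` rather than the `if (refer->progress->framehook < 0)` test it describes, and nothing at the call site records why the lock is taken. I would move that comment down to the `if` and put `/* ast_framehook_attach() changes the channel's framehook container; the channel lock must be held */` above the lock call, so the requirement from the commit message stays visible where the next caller will copy it. The lock is released before the failure branch runs, so the notification path stays outside the critical section. refer_blind_callback's body starts and ends outside the hunk.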
@@ -501,25 +501,27 @@ static void t38_attach_framehook(struct ast_sip_session *session)
 return;
 }
- /* Skip attaching the framehook if the T.38 datastore already exists for the channel */
 ast_channel_lock(session->channel);
- if ((datastore = ast_channel_datastore_find(session->channel, &t38_framehook_datastore, NULL))) {
+
+ /* Skip attaching the framehook if the T.38 datastore already exists for the channel */
+ datastore = ast_channel_datastore_find(session->channel, &t38_framehook_datastore,
+ NULL);
+ if (datastore) {
 ast_channel_unlock(session->channel);
 return;
 }
- ast_channel_unlock(session->channel);
 framehook_id = ast_framehook_attach(session->channel, &hook);
 if (framehook_id < 0) {
- ast_log(LOG_WARNING, "Could not attach T.38 Frame hook to channel, T.38 will be unavailable on '%s'\n",
+ ast_log(LOG_WARNING, "Could not attach T.38 Frame hook, T.38 will be unavailable on '%s'\n",
 ast_channel_name(session->channel));
+ ast_channel_unlock(session->channel);
 return;
 }
- ast_channel_lock(session->channel);
 datastore = ast_datastore_alloc(&t38_framehook_datastore, NULL);
 if (!datastore) {
- ast_log(LOG_ERROR, "Could not attach T.38 Frame hook to channel, T.38 will be unavailable on '%s'\n",
+ ast_log(LOG_ERROR, "Could not alloc T.38 Frame hook datastore, T.38 will be unavailable on '%s'\n",
 ast_channel_name(session->channel));
 ast_framehook_detach(session->channel, framehook_id);
 ast_channel_unlock(session->channel);
-- cgit v1.2.3
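Review bot: Every early return after `ast_channel_lock(session->channel);` now has to release the lock by hand; three `ast_channel_unlock()` calls are visible in this hunk, one of them added by this change, so a later edit that adds a return without the unlock leaves the channel locked. Holding the lock across the datastore lookup, the attach and the datastore allocation is what makes the check-then-attach sequence atomic, so the wider critical section is right and the concern is only how it is released. Consider a scoped lock, `SCOPED_CHANNELLOCK(lock, session->channel);` in place of the explicit lock call, or a single `unlock:` exit label, and drop the per-branch unlocks. t38_attach_framehook continues outside the hunk, so the remaining exit paths need to be confirmed before changing it.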