From de9374fcc9f27b42880bed0c3e257e255de04156 Mon Sep 17 00:00:00 2001
From: Shaun Ruffell <sruffell@digium.com>
Date: Fri, 22 Jul 2011 18:03:48 +0000
Subject: wcb4xxp: Prevent null pointer dereference on spanconfig

In the rare case where spanconfig is called while there is pending data
on the hdlc channel, the hdlc_getbuf interrupt could try to read from
the hdlc buffer before the channel was fully setup. This could
potentially result in a null pointer dereference. This condition has
existed since the creation of the wcb4xxp driver.

Signed-off-by: Russ Meyerriecks <rmeyerriecks@digium.com>
Signed-off-by: Shaun Ruffell <sruffell@digium.com>

Origin: http://svnview.digium.com/svn/dahdi?view=rev&rev=10079

git-svn-id: http://svn.asterisk.org/svn/dahdi/linux/branches/2.4@10080 a0bf4364-ded3-4de4-8d8a-66a801d63aff
---
 drivers/dahdi/wcb4xxp/base.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/dahdi/wcb4xxp/base.c b/drivers/dahdi/wcb4xxp/base.c
index 2a63f73..95d0060 100644
--- a/drivers/dahdi/wcb4xxp/base.c
+++ b/drivers/dahdi/wcb4xxp/base.c
@@ -2303,6 +2303,9 @@ static int b4xxp_chanconfig(struct dahdi_chan *chan, int sigtype)
 
 		if (alreadyrunning && bspan->sigchan) {
 			hdlc_stop(b4, fifo);
+			atomic_set(&bspan->hdlc_pending, 0);
+			bspan->sigactive = 0;
+			smp_mb();
 			bspan->sigchan = NULL;
 		}
 
-- 
cgit v1.2.3