From 09bbfa76ab589a440d954b29b2facc32e0d22248 Mon Sep 17 00:00:00 2001
From: Matthew Jordan <mjordan@digium.com>
Date: Sun, 25 May 2014 02:37:03 +0000
Subject: [PATCH] core_unreal: Prevent double free of core_unreal pvt

When a channel is destroyed (such as via ast_channel_release in off-nominal
paths in core_unreal), it will attempt to free (via ast_free) the channel tech
pvt. This is problematic for a few reasons:
1. The channel tech pvt is an ao2 object in core_unreal. Free'ing the pvt
   directly is no good.
2. The channel tech pvt's reference count is dropped just prior to calling
   ast_channel_release, resulting in the pvt's destruction. Hence, the
   channel destructor is free'ing an invalid pointer.

This patch keeps the dropping of the reference count, but sets the pvt to
NULL on the channel prior to releasing it. This models what would occur if the
channel was hung up directly.
........

Merged revisions 414542 from http://svn.asterisk.org/svn/asterisk/branches/12


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@414543 65c4cc65-6c06-0410-ace0-fbb531ad65f3
---
 main/core_unreal.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/main/core_unreal.c b/main/core_unreal.c
index ae7f9d2abd..481ed2d0cc 100644
--- a/main/core_unreal.c
+++ b/main/core_unreal.c
@@ -955,6 +955,7 @@ struct ast_channel *ast_unreal_new_channels(struct ast_unreal_pvt *p,
 	if (ast_channel_cc_params_init(owner, requestor
 		? ast_channel_get_cc_config_params((struct ast_channel *) requestor) : NULL)) {
 		ao2_ref(p, -1);
+		ast_channel_tech_pvt_set(owner, NULL);
 		ast_channel_unlock(owner);
 		ast_channel_release(owner);
 		return NULL;
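Review bot: In the ast_channel_cc_params_init failure path, ao2_ref(p, -1) still runs before ast_channel_tech_pvt_set(owner, NULL). Per the commit message, that reference drop can destroy the pvt, so for one statement owner holds a pointer to freed memory. The channel lock is held at this point, which narrows the exposure, but clearing the pointer first and dropping the reference second would mean the channel never carries a dangling tech pvt at all. A one-line comment saying that the channel destructor would otherwise ast_free() an ao2 object would also help, since nothing in the code explains why the pvt is reset here.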
@@ -968,6 +969,7 @@ struct ast_channel *ast_unreal_new_channels(struct ast_unreal_pvt *p,
 			"%s/%s-%08x;2", tech->type, p->name, (unsigned)generated_seqno))) {
 		ast_log(LOG_WARNING, "Unable to allocate chan channel structure\n");
 		ao2_ref(p, -1);
+		ast_channel_tech_pvt_set(owner, NULL);
 		ast_channel_release(owner);
 		return NULL;
 	}
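Review bot: In the "Unable to allocate chan channel structure" path, ast_channel_tech_pvt_set(owner, NULL) is called with no ast_channel_unlock(owner) before ast_channel_release(owner), unlike the first hunk, so owner appears to be unlocked when its tech pvt is written. Please confirm that nothing else can reach owner at this point, or take the channel lock around the set. The same ordering concern applies here as well: ao2_ref(p, -1) precedes the NULL assignment. Since both error paths now repeat the same cleanup sequence, moving it to a shared label or small helper would keep the two from drifting apart.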
-- 
GitLab