From 21f472355e64d2ea1e095f51d65d9b1adf11c6a9 Mon Sep 17 00:00:00 2001
From: Corey Farrell <git@cfware.com>
Date: Fri, 21 Sep 2018 11:19:52 -0400
Subject: [PATCH] res_rtp_asterisk: Fix crash on ast_rtp_new failure.

ast_rtp_new free'd rtp upon failure, but rtp_engine.c would also call
the destroy callback.  Remove call to ast_free from ast_rtp_new, leave
it to rtp_engine.c to initiate the full cleanup.  Add error detection
for the ssrc_mapping vector initialization.  In rtp_allocate_transport
set rtp->s = -1 in the failure path where we close that FD to ensure we
don't try closing it twice.

ASTERISK-27854 #close

Change-Id: Ie02aecbb46228ca804e24b19cec2bb6f7b94e451
---
 res/res_rtp_asterisk.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/res/res_rtp_asterisk.c b/res/res_rtp_asterisk.c
index c1aa2757ec..a6be2f5649 100644
--- a/res/res_rtp_asterisk.c
+++ b/res/res_rtp_asterisk.c
@@ -3504,6 +3504,7 @@ static int rtp_allocate_transport(struct ast_rtp_instance *instance, struct ast_
 		if (x == startplace || (errno != EADDRINUSE && errno != EACCES)) {
 			ast_log(LOG_ERROR, "Oh dear... we couldn't allocate a port for RTP instance '%p'\n", instance);
 			close(rtp->s);
+			rtp->s = -1;
 			return -1;
 		}
 	}
@@ -3650,7 +3651,10 @@ static int ast_rtp_new(struct ast_rtp_instance *instance,
 	ast_rtp_instance_set_data(instance, rtp);
 
 	if (rtp_allocate_transport(instance, rtp)) {
-		ast_free(rtp);
+		return -1;
+	}
+
+	if (AST_VECTOR_INIT(&rtp->ssrc_mapping, 1)) {
 		return -1;
 	}
 
@@ -3658,7 +3662,6 @@ static int ast_rtp_new(struct ast_rtp_instance *instance,
 	rtp->lastrxformat = ao2_bump(ast_format_none);
 	rtp->lasttxformat = ao2_bump(ast_format_none);
 	rtp->stream_num = -1;
-	AST_VECTOR_INIT(&rtp->ssrc_mapping, 1);
 
 	return 0;
 }
-- 
GitLab