From 4f5dd10749f26ed589e16da9cd97c047605922fe Mon Sep 17 00:00:00 2001
From: David Vossel <dvossel@digium.com>
Date: Mon, 30 Nov 2009 18:55:07 +0000
Subject: [PATCH] app_queue crashes randomly, often during call-transfers

This patch adds a ref to the queue_ent object's parent call_queue
in queue_exec() so the call_queue won't be destroyed
while the queue_ent still holds a pointer to it.

(closes issue 0015686)
Tested by: dvossel, aragon




git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@231556 65c4cc65-6c06-0410-ace0-fbb531ad65f3
---
 apps/app_queue.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/apps/app_queue.c b/apps/app_queue.c
index 1ecca069fa..5b0187e126 100644
--- a/apps/app_queue.c
+++ b/apps/app_queue.c
@@ -1101,6 +1101,11 @@ static inline void insert_entry(struct call_queue *q, struct queue_ent *prev, st
 		q->head = new;
 	}
 	new->next = cur;
+
+	/* every queue_ent must have a reference to it's parent call_queue, this
+	 * reference does not go away until the end of the queue_ent's life, meaning
+	 * that even when the queue_ent leaves the call_queue this ref must remain. */
+	queue_ref(q);
 	new->parent = q;
 	new->pos = ++(*pos);
 	new->opos = *pos;
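Review bot: `new->parent = q;` overwrites whatever parent the entry already had without releasing it, so the added `queue_ref(q)` is balanced only if each queue_ent passes through insert_entry exactly once before the single unref in queue_exec. The callers of insert_entry are outside this hunk, so this needs confirming; if an entry can be re-inserted, the count leaks and the call_queue is never freed. I would put the contract in the comment, e.g. `/* Takes one ref on q for new->parent, released once in queue_exec(); must not be called twice for the same queue_ent. */`, and fix "it's" to "its" while there.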
@@ -5441,7 +5446,7 @@ static int queue_exec(struct ast_channel *chan, const char *data)
 		AST_APP_ARG(position);
 	);
 	/* Our queue entry */
-	struct queue_ent qe;
+	struct queue_ent qe = { 0 };
 	
 	if (ast_strlen_zero(data)) {
 		ast_log(LOG_WARNING, "Queue requires an argument: queuename[,options[,URL[,announceoverride[,timeout[,agi[,macro[,gosub[,rule[,position]]]]]]]]]\n");
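Review bot: The `= { 0 }` initializer is now load-bearing and the comment above it does not say so. The `if (qe.parent)` test added near the end of queue_exec reads `qe.parent` on paths where the entry may never have joined a queue, and that read is only well defined because the struct is zeroed at declaration. I would extend the comment to `/* Our queue entry; zeroed so qe.parent stays NULL until insert_entry() sets it */` so a later refactor does not move the initialization back below an early exit.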
@@ -5452,7 +5457,6 @@ static int queue_exec(struct ast_channel *chan, const char *data)
 	AST_STANDARD_APP_ARGS(args, parse);
 
 	/* Setup our queue entry */
-	memset(&qe, 0, sizeof(qe));
 	qe.start = time(NULL);
 
 	/* set the expire time based on the supplied timeout; */
@@ -5693,6 +5697,13 @@ stop:
 	if (reason != QUEUE_UNKNOWN)
 		set_queue_result(chan, reason);
 
+	if (qe.parent) {
+		/* every queue_ent is given a reference to it's parent call_queue when it joins the queue.
+		 * This ref must be taken away right before the queue_ent is destroyed.  In this case
+		 * the queue_ent is about to be returned on the stack */
+		qe.parent = queue_unref(qe.parent);
+	}
+
 	return res;
 }
 
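Review bot: The reference is dropped only on exits that reach this block after `stop:`, so any `return` in queue_exec taken after the entry has joined the queue would leak the call_queue ref from insert_entry. The body between the join and `stop:` is outside this hunk and should be checked for such paths. The comment is also misleading, since qe is a stack local going out of scope rather than something "returned on the stack"; I would write `/* qe is a stack local about to go out of scope: drop the ref taken in insert_entry() */`. Storing the result of queue_unref() back into `qe.parent` is worth keeping, as it presumably clears the pointer and leaves nothing stale in the entry.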
-- 
GitLab