From 854a6de819b8c14b7493fde28460eb4f9fb305e3 Mon Sep 17 00:00:00 2001
From: George Joseph <gjoseph@digium.com>
Date: Fri, 16 Jun 2017 08:31:04 -0600
Subject: [PATCH] res_stasis:  Plug reference leak on stolen channels

When a stasis channel is stolen by another app, the control
structure is unreffed but never unlinked from the app_controls
container.  This causes the channel reference to leak.

Added OBJ_UNLINK to the callback in channel_stolen_cb.

Also added some additional channel lifecycle debug messages to
channel.c.

ASTERISK-27059 #close
Repoorted-by: George Joseph

Change-Id: Ib820936cd49453f20156971785e7f4f182c56e14
---
 main/channel.c   |  9 ++++++++-
 res/res_stasis.c | 20 ++++++++++++++++----
 2 files changed, 24 insertions(+), 5 deletions(-)

diff --git a/main/channel.c b/main/channel.c
index 1ca485e7ad..8b4dc75bec 100644
--- a/main/channel.c
+++ b/main/channel.c
@@ -998,6 +998,9 @@ __ast_channel_alloc_ap(int needqueue, int state, const char *cid_num, const char
 	 * the world know of its existance
 	 */
 	ast_channel_stage_snapshot_done(tmp);
+
+	ast_debug(1, "Channel %p '%s' allocated\n", tmp, ast_channel_name(tmp));
+
 	return tmp;
 }
 
@@ -2217,6 +2220,8 @@ static void ast_channel_destructor(void *obj)
 	char device_name[AST_CHANNEL_NAME];
 	ast_callid callid;
 
+	ast_debug(1, "Channel %p '%s' destroying\n", chan, ast_channel_name(chan));
+
 	/* Stop monitoring */
 	if (ast_channel_monitor(chan)) {
 		ast_channel_monitor(chan)->stop(chan, 0);
@@ -2579,6 +2584,9 @@ void ast_hangup(struct ast_channel *chan)
 		return;
 	}
 
+	ast_debug(1, "Channel %p '%s' hanging up.  Refs: %d\n", chan, ast_channel_name(chan),
+		ao2_ref(chan, 0));
+
 	ast_autoservice_stop(chan);
 
 	ast_channel_lock(chan);
@@ -2638,7 +2646,6 @@ void ast_hangup(struct ast_channel *chan)
 		ast_assert(ast_test_flag(ast_channel_flags(chan), AST_FLAG_BLOCKING) == 0);
 	}
 
-	ast_debug(1, "Hanging up channel '%s'\n", ast_channel_name(chan));
 	if (ast_channel_tech(chan)->hangup) {
 		ast_channel_tech(chan)->hangup(chan);
 	}
diff --git a/res/res_stasis.c b/res/res_stasis.c
index 9ea0d63fea..899c8f720a 100644
--- a/res/res_stasis.c
+++ b/res/res_stasis.c
@@ -1069,8 +1069,18 @@ static void channel_stolen_cb(void *data, struct ast_channel *old_chan, struct a
 {
 	struct stasis_app_control *control;
 
-	/* find control */
-	control = ao2_callback(app_controls, 0, masq_match_cb, old_chan);
+	/*
+	 * At this point, old_chan is the channel pointer that is in Stasis() and
+	 * has the unknown channel's name in it while new_chan is the channel pointer
+	 * that is not in Stasis(), but has the guts of the channel that Stasis() knows
+	 * about.
+	 *
+	 * Find and unlink control since the channel has a new name/uniqueid
+	 * and its hash has changed.  Since the channel is leaving stasis don't
+	 * bother putting it back into the container.  Nobody is going to
+	 * remove it from the container later.
+	 */
+	control = ao2_callback(app_controls, OBJ_UNLINK, masq_match_cb, old_chan);
 	if (!control) {
 		ast_log(LOG_ERROR, "Could not find control for masqueraded channel\n");
 		return;
@@ -1111,8 +1121,10 @@ static void channel_replaced_cb(void *data, struct ast_channel *old_chan, struct
 		return;
 	}
 
-	/* find, unlink, and relink control since the channel has a new name and
-	 * its hash has likely changed */
+	/*
+	 * Find, unlink, and relink control since the channel has a new
+	 * name/uniqueid and its hash has changed.
+	 */
 	control = ao2_callback(app_controls, OBJ_UNLINK, masq_match_cb, new_chan);
 	if (!control) {
 		ast_log(LOG_ERROR, "Could not find control for masquerading channel\n");
-- 
GitLab