From 95be40493a14ba6305dc2d10e63fb0d63d1b13a7 Mon Sep 17 00:00:00 2001
From: David Vossel <dvossel@digium.com>
Date: Fri, 18 Sep 2009 23:20:58 +0000
Subject: [PATCH] Merged revisions 219519 via svnmerge from
 https://origsvn.digium.com/svn/asterisk/branches/1.4

........
  r219519 | dvossel | 2009-09-18 18:19:50 -0500 (Fri, 18 Sep 2009) | 9 lines

  iax2 frame double free

  The iax frame's retrans sched id was written over right
  before iax2_frame_free was called.  In iax2_frame_free that
  retrans id is used to delete the sched item.  By writing over
  the retrans field before the sched item could be deleted, it was
  possible for a retransmit to occur on a freed frame.
........


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@219520 65c4cc65-6c06-0410-ace0-fbb531ad65f3
---
 channels/chan_iax2.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/channels/chan_iax2.c b/channels/chan_iax2.c
index e88779be80..700e9b5c96 100644
--- a/channels/chan_iax2.c
+++ b/channels/chan_iax2.c
@@ -1685,6 +1685,7 @@ static void iax2_destroy_helper(struct chan_iax2_pvt *pvt)
 static void iax2_frame_free(struct iax_frame *fr)
 {
 	ast_sched_thread_del(sched, fr->retrans);
+	fr->retrans = -1;
 	iax_frame_free(fr);
 }
 
@@ -3352,7 +3353,6 @@ static void __attempt_transmit(const void *data)
 		/* Don't attempt delivery, just remove it from the queue */
 		AST_LIST_REMOVE(&frame_queue[callno], f, list);
 		ast_mutex_unlock(&iaxsl[callno]);
-		f->retrans = -1;
 		/* Free the IAX frame */
 		iax2_frame_free(f);
 	} else if (callno) {
-- 
GitLab