From 97f813f3a47c7a808fea1c0b978eda14e0e8190e Mon Sep 17 00:00:00 2001
From: Matthew Jordan <mjordan@digium.com>
Date: Mon, 9 Apr 2012 20:55:53 +0000
Subject: [PATCH] Prevent invalid access of free'd memory if DAHDI channel during an MWI event In the MWI processing loop, when a valid event occurs the temporary caller ID information is deallocated. If a new DAHDI channel is successfully created, the event is passed up to the analog_ss_thread without error and the loop exits. If, however, the DAHDI channel is not created, then the caller ID struct has been free'd, and the gains reset to their previous level. This will almost certainly cause an invalid access to the free'd memory, either in subsequent calls to callerid_free or calls to callerid_feed. This patch makes it so that we only free the caller ID structure if a DAHDI channel is successfully created, and we bump the gains back up if we fail to make a DAHDI channel. ........ Merged revisions 361705 from http://svn.asterisk.org/svn/asterisk/branches/1.8 ........ Merged revisions 361706 from http://svn.asterisk.org/svn/asterisk/branches/10
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@361707 65c4cc65-6c06-0410-ace0-fbb531ad65f3
---
channels/chan_dahdi.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/channels/chan_dahdi.c b/channels/chan_dahdi.c
index 84a7025634..10ce9b50b8 100644
--- a/channels/chan_dahdi.c
+++ b/channels/chan_dahdi.c
@@ -11166,13 +11166,14 @@ static void *mwi_thread(void *data) break; /* What to do on channel alarm ???? -- fall thru intentionally?? */ default: ast_log(LOG_NOTICE, "Got event %d (%s)... Passing along to analog_ss_thread\n", res, event2str(res)); - callerid_free(cs); restore_gains(mtd->pvt); mtd->pvt->ringt = mtd->pvt->ringt_base; if ((chan = dahdi_new(mtd->pvt, AST_STATE_RING, 0, SUB_REAL, 0, NULL))) { int result; + + callerid_free(cs); if (analog_lib_handles(mtd->pvt->sig, mtd->pvt->radio, mtd->pvt->oprmode)) { result = analog_ss_thread_start(mtd->pvt->sig_pvt, chan); } else { @@ -11189,6 +11190,8 @@ static void *mwi_thread(void *data) goto quit_no_clean; } else { + /* Bump the gains back */ + bump_gains(mtd->pvt); ast_log(LOG_WARNING, "Could not create channel to handle call\n"); } } -- GitLab
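Review bot: After the relocated `callerid_free(cs);` inside the `if ((chan = dahdi_new(...)))` branch, `cs` still holds the freed address, so the invalid access this commit closes can return if any path in that branch ever falls back into the loop or reaches cleanup code that touches `cs`. Only the `goto quit_no_clean;` at the top of the next hunk is visible; the lines between the two hunks and the rest of mwi_thread are outside the diff, so it cannot be confirmed from here that every success path leaves that way. I would write `callerid_free(cs); cs = NULL;` at this spot, and if the function's cleanup calls callerid_free(cs) unconditionally, guard that call with `if (cs)`.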
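Review bot: The new `else` branch in the second hunk undoes `restore_gains(mtd->pvt)` with `bump_gains(mtd->pvt)`, but the `mtd->pvt->ringt = mtd->pvt->ringt_base;` assignment from the first hunk still runs before `dahdi_new()` and is not undone when channel creation fails. If ringt is only meant to be armed once a channel exists, moving that assignment into the success branch next to `callerid_free(cs);` would leave the failure path without side effects; this is inferred from the visible lines only, so it needs checking against the rest of the loop. If bump_gains reports failure through its return value, that result is dropped here and detection would continue at the wrong gain without any trace beyond whatever bump_gains logs itself. The added comment would be more useful if it gave the reason, for example `/* dahdi_new() failed: cs is still live and will be fed again, so undo restore_gains() */`.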