From b86771d1bf5c1db3561048d5bd5e679a6fb340fc Mon Sep 17 00:00:00 2001
From: Richard Mudgett <rmudgett@digium.com>
Date: Tue, 23 Aug 2016 10:42:08 -0500
Subject: [PATCH] ast_framehook_detach() must be called with the channel
locked.
The framehook container could become corrupted if the channel lock is not
held before calling.
Change-Id: If0a1c7ba0484ed3a191106a7516526b905952584
---
res/res_fax.c | 4 ++++
res/res_pjsip_refer.c | 2 ++
2 files changed, 6 insertions(+)
diff --git a/res/res_fax.c b/res/res_fax.c
index c301aff312..b6fefe2bee 100644
--- a/res/res_fax.c
+++ b/res/res_fax.c
@@ -4509,7 +4509,9 @@ static int acf_faxopt_write(struct ast_channel *chan, const char *cmd, char *dat
ast_log(LOG_WARNING, "Attempt to attach a T.38 gateway on channel (%s) with gateway already running.\n", ast_channel_name(chan));
}
} else if (ast_false(val)) {
+ ast_channel_lock(chan);
ast_framehook_detach(chan, details->gateway_id);
+ ast_channel_unlock(chan);
details->gateway_id = -1;
} else {
ast_log(LOG_WARNING, "Unsupported value '%s' passed to FAXOPT(%s).\n", value, data);
@@ -4561,7 +4563,9 @@ static int acf_faxopt_write(struct ast_channel *chan, const char *cmd, char *dat
ast_log(LOG_WARNING, "Attempt to attach a FAX detect on channel (%s) with FAX detect already running.\n", ast_channel_name(chan));
}
} else if (ast_false(val)) {
+ ast_channel_lock(chan);
ast_framehook_detach(chan, details->faxdetect_id);
+ ast_channel_unlock(chan);
details->faxdetect_id = -1;
} else {
ast_log(LOG_WARNING, "Unsupported value '%s' passed to FAXOPT(%s).\n", value, data);
diff --git a/res/res_pjsip_refer.c b/res/res_pjsip_refer.c
index 78d6e23b5c..19367bf326 100644
--- a/res/res_pjsip_refer.c
+++ b/res/res_pjsip_refer.c
@@ -641,7 +641,9 @@ static void refer_blind_callback(struct ast_channel *chan, struct transfer_chann
refer_progress_notify(notification);
}
+ ast_channel_lock(chan);
ast_framehook_detach(chan, refer->progress->framehook);
+ ast_channel_unlock(chan);
ao2_cleanup(refer->progress);
}
--
GitLab