Skip to content
Snippets Groups Projects
Commit cc7eb72f authored by Alexei Gradinari's avatar Alexei Gradinari Committed by George Joseph
Browse files

sched: AST_SCHED_REPLACE_UNREF can lead to use after free of data 

The data can be freed if the old object '_data' is the same object as
new 'data'. Because at first the object is unreferenced which can lead
to destroying it.

This could happened in res_pjsip_pubsub when the publication is updated
which could lead to segfault in function publish_expire.

Change-Id: I0164f57c387243510bdbd2f8dcf33377b6c202da
parent b52acb87
No related branches found
No related tags found
3 merge requests!138Merge branch asterisk-20.3.0 into devel properly,!123Merge asterisk '20.3.0' into devel,!118Draft: manager: AOC-S support for AOCMessage
Hide whitespace changes
Inline Side-by-side
include/asterisk/sched.h
+ 3
2
View file @ cc7eb72f
......@@ -136,11 +136,12 @@ extern "C" {
while (id > -1 && (_res = ast_sched_del(sched, id) && _count++ < 10)) { \
usleep(1); \
} \
if (!_res && _data) \
if (!_res && _data && _data != data) \
unrefcall; /* should ref _data! */ \
if (_count == 10) \
ast_log(LOG_WARNING, "Unable to cancel schedule ID %d. This is probably a bug (%s: %s, line %d).\n", id, __FILE__, __PRETTY_FUNCTION__, __LINE__); \
refcall; \
if (_data != data) \
refcall; \
id = ast_sched_add_variable(sched, when, callback, data, variable); \
if (id == -1) \
addfailcall; \
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment