From ea941032ffe9b3acbc1d41c24990590771fe3bb2 Mon Sep 17 00:00:00 2001
From: Mike Bradeen <mbradeen@sangoma.com>
Date: Tue, 16 Nov 2021 15:34:28 -0700
Subject: [PATCH] astobj2.c: Fix core when ref_log enabled

In the AO2_ALLOC_OPT_LOCK_NOLOCK case the referenced obj structure is freed, but is then referenced later if ref_log is enabled. The change is to store the obj->priv_data.options value locally and reference it instead of the value from the freed obj

ASTERISK-29730

Change-Id: I60cc5dc1f5a4330e7ad56976fc38a42de0ab6072
---
 main/astobj2.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/main/astobj2.c b/main/astobj2.c
index ab8fb8bdf8..b75c4d3db9 100644
--- a/main/astobj2.c
+++ b/main/astobj2.c
@@ -504,6 +504,7 @@ int __ao2_ref(void *user_data, int delta,
 struct astobj2_lockobj *obj_lockobj;
 int32_t current_value;
 int32_t ret;
+ uint32_t privdataoptions;
 struct ao2_weakproxy *weakproxy = NULL;
 const char *lock_state;
@@ -621,6 +622,8 @@ int __ao2_ref(void *user_data, int delta,
 /* In case someone uses an object after it's been freed */
 obj->priv_data.magic = 0;
+ /* Save the options locally so the ref_log print at the end doesn't access freed data */
+ privdataoptions = obj->priv_data.options;
 switch (obj->priv_data.options & AO2_ALLOC_OPT_LOCK_MASK) {
 case AO2_ALLOC_OPT_LOCK_MUTEX:
@@ -655,7 +658,7 @@ int __ao2_ref(void *user_data, int delta,
 break;
 }
- if (ref_log && !(obj->priv_data.options & AO2_ALLOC_OPT_NO_REF_DEBUG)) {
+ if (ref_log && !(privdataoptions & AO2_ALLOC_OPT_NO_REF_DEBUG)) {
 fprintf(ref_log, "%p,%d,%d,%s,%d,%s,**destructor**lock-state:%s**,%s\n", user_data, delta, ast_get_tid(), file, line, func, lock_state, tag ?: "");
 fflush(ref_log);
--
GitLab
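Review bot: `privdataoptions` is declared without an initializer in the first hunk and is assigned only on the destructor path shown in the second hunk, yet the `ref_log` check in the third hunk reads it. The body of `__ao2_ref` extends outside all three hunks, so it cannot be confirmed from here that every path reaching that check passes through the assignment; if one does not, the check tests an indeterminate value. Declaring it as `uint32_t privdataoptions = 0;` settles the question. The name also departs from the snake_case of the neighbouring locals (`current_value`, `lock_state`); `priv_options` would match them.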
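Review bot: The `switch` directly below the new assignment in the second hunk still reads `obj->priv_data.options`, so the same value now comes from two sources around the point where the object is released. Switching on the copy, `switch (privdataoptions & AO2_ALLOC_OPT_LOCK_MASK) {`, would mean the visible lines read no field of `obj` after the snapshot, which makes the use-after-free fix easier to audit. The added comment would also help more if it named where the free happens, for example `/* obj is freed in the switch below; keep a copy of options for the ref_log print */`. The switch body lies outside the hunk, so the location of the free is inferred from the commit message rather than seen.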