From f3a62ab27e60e036fa4e1b7883bad6bfc3965db2 Mon Sep 17 00:00:00 2001
From: Tilghman Lesher <tilghman@meg.abyt.es>
Date: Tue, 3 Jun 2008 16:19:35 +0000
Subject: [PATCH] Merged revisions 120001 via svnmerge from
 https://origsvn.digium.com/svn/asterisk/branches/1.4

........
r120001 | tilghman | 2008-06-03 11:10:53 -0500 (Tue, 03 Jun 2008) | 9 lines

Save the callno when we're poking, because our peer structure could change
during destruction (and thus we unlock the wrong callno, causing a
cascade failure).
(closes issue #12717)
 Reported by: gewfie
 Patches:
       20080525__bug12717.diff.txt uploaded by Corydon76 (license 14)
 Tested by: gewfie

........


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@120012 65c4cc65-6c06-0410-ace0-fbb531ad65f3
---
 channels/chan_iax2.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/channels/chan_iax2.c b/channels/chan_iax2.c
index dd465365be..bdff928697 100644
--- a/channels/chan_iax2.c
+++ b/channels/chan_iax2.c
@@ -9874,6 +9874,7 @@ static int iax2_poke_peer_cb(void *obj, void *arg, int flags)
 
 static int iax2_poke_peer(struct iax2_peer *peer, int heldcall)
 {
+	int callno;
 	if (!peer->maxms || (!peer->addr.sin_addr.s_addr && !peer->dnsmgr)) {
 		/* IF we have no IP without dnsmgr, or this isn't to be monitored, return
 		  immediately after clearing things out */
@@ -9883,11 +9884,13 @@ static int iax2_poke_peer(struct iax2_peer *peer, int heldcall)
 		peer->callno = 0;
 		return 0;
 	}
-	if (peer->callno > 0) {
+
+	/* The peer could change the callno inside iax2_destroy, since we do deadlock avoidance */
+	if ((callno = peer->callno) > 0) {
 		ast_log(LOG_NOTICE, "Still have a callno...\n");
-		ast_mutex_lock(&iaxsl[peer->callno]);
-		iax2_destroy(peer->callno);
-		ast_mutex_unlock(&iaxsl[peer->callno]);
+		ast_mutex_lock(&iaxsl[callno]);
+		iax2_destroy(callno);
+		ast_mutex_unlock(&iaxsl[callno]);
 	}
 	if (heldcall)
 		ast_mutex_unlock(&iaxsl[heldcall]);
-- 
GitLab