chan_iax2: Fix crash caused by unprotected access to iaxs[peer->callno]

This patch fixes an access to the peer callnumber that is unprotected by a corresponding mutex. The peer->callno value can be changed by multiple threads, and all data inside the iaxs array must be procted by a corresponding lock of iaxsl. The patch moves the unprotected access to a location where the mutex is safely obtained. Review: https://reviewboard.asterisk.org/r/4599/ ASTERISK-21211 #close Reported by: Jaco Kroon patches: asterisk-11.2.1-iax2_poke-segfault.diff submitted by Jaco Kroon (License 5671) ........ Merged revisions 434291 from http://svn.asterisk.org/svn/asterisk/branches/11 git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/13@434292 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2025-10-12 15:45:18 +00:00 · 2015-04-08 12:00:01 +00:00
parent be13c72142
commit 05397ad01e
1 changed files with 5 additions and 5 deletions
--- a/channels/chan_iax2.c
+++ b/channels/chan_iax2.c
@@ -12341,15 +12341,11 @@ static int iax2_poke_peer(struct iax2_peer *peer, int heldcall)
 	callno = peer->callno = find_callno(0, 0, &peer->addr, NEW_FORCE, peer->sockfd, 0);
 	if (heldcall)
 		ast_mutex_lock(&iaxsl[heldcall]);
-	if (peer->callno < 1) {
+	if (callno < 1) {
 		ast_log(LOG_WARNING, "Unable to allocate call for poking peer '%s'\n", peer->name);
 		return -1;
 	}

-	/* Speed up retransmission times for this qualify call */
-	iaxs[peer->callno]->pingtime = peer->maxms / 4 + 1;
-	iaxs[peer->callno]->peerpoke = peer;
-
 	if (peer->pokeexpire > -1) {
 		if (!AST_SCHED_DEL(sched, peer->pokeexpire)) {
 			peer->pokeexpire = -1;
@@ -12370,6 +12366,10 @@ static int iax2_poke_peer(struct iax2_peer *peer, int heldcall)
 	/* And send the poke */
 	ast_mutex_lock(&iaxsl[callno]);
 	if (iaxs[callno]) {
+		/* Speed up retransmission times for this qualify call */
+		iaxs[callno]->pingtime = peer->maxms / 4 + 1;
+		iaxs[callno]->peerpoke = peer;
+
 		struct iax_ie_data ied = {
 			.buf = { 0 },
 			.pos = 0,