kenmirrors/asterisk
1
0
Fork 0
mirror of https://github.com/asterisk/asterisk.git synced 2025-11-10 03:48:34 +00:00
Code Issues Packages Projects Releases Wiki Activity

Protect ast_filestream object when on a channel

Browse Source 
The ast_filestream object gets tacked on to a channel via
chan->timingdata.  It's a reference counted object, but the reference
count isn't used when putting it on a channel.  It's theoretically
possible for another thread to interfere with the channel while it's
unlocked and cause the filestream to get destroyed.

Use the astobj2 reference count to make sure that as long as this code
path is holding on the ast_filestream and passing it into the file.c
playback code, that it knows it's valid.

Bug reported by Leif Madsen.

Review: https://reviewboard.asterisk.org/r/3135/



git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@406566 65c4cc65-6c06-0410-ace0-fbb531ad65f3
This commit is contained in:
Russell Bryant
2014-01-27 01:07:07 +00:00
parent 45b6991b92
commit 270775ce52
3 changed files with 30 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
main/channel.c
View File

@@ -3544,6 +3544,11 @@ int ast_waitfordigit(struct ast_channel *c, int ms)
}
int ast_settimeout(struct ast_channel *c, unsigned int rate, int (*func)(const void *data), void *data)
{
return ast_settimeout_full(c, rate, func, data, 0);
}
int ast_settimeout_full(struct ast_channel *c, unsigned int rate, int (*func)(const void *data), void *data, unsigned int is_ao2_obj)
{
int res;
unsigned int real_rate = rate, max_rate;
@@ -3568,9 +3573,20 @@ int ast_settimeout(struct ast_channel *c, unsigned int rate, int (*func)(const v
res = ast_timer_set_rate(c->timer, real_rate);
if (c->timingdata && ast_test_flag(c, AST_FLAG_TIMINGDATA_IS_AO2_OBJ)) {
ao2_ref(c->timingdata, -1);
}
c->timingfunc = func;
c->timingdata = data;
if (data && is_ao2_obj) {
ao2_ref(data, 1);
ast_set_flag(c, AST_FLAG_TIMINGDATA_IS_AO2_OBJ);
} else {
ast_clear_flag(c, AST_FLAG_TIMINGDATA_IS_AO2_OBJ);
}
if (func == NULL && rate == 0 && c->fdno == AST_TIMING_FD) {
/* Clearing the timing func and setting the rate to 0
* means that we don't want to be reading from the timingfd
@@ -3877,9 +3893,17 @@ static struct ast_frame *__ast_read(struct ast_channel *chan, int dropaudio)
/* save a copy of func/data before unlocking the channel */
int (*func)(const void *) = chan->timingfunc;
void *data = chan->timingdata;
int got_ref = 0;
if (data && ast_test_flag(chan, AST_FLAG_TIMINGDATA_IS_AO2_OBJ)) {
ao2_ref(data, 1);
got_ref = 1;
}
chan->fdno = -1;
ast_channel_unlock(chan);
func(data);
if (got_ref) {
ao2_ref(data, -1);
}
} else {
ast_timer_set_rate(chan->timer, 0);
chan->fdno = -1;