From a2db3c24b38eb260bda331f8ec5ae512661b5b5f Mon Sep 17 00:00:00 2001
From: James Zhang
Date: Tue, 27 Mar 2012 18:00:24 -0400
Subject: [PATCH] freetdm: fixing more potential null pointers in native bridge mode.
---
.../ftmod_sangoma_ss7_main.c | 45 ++++++++++++-------
.../ftmod_sangoma_ss7/ftmod_sangoma_ss7_out.c | 26 ++++++-----
2 files changed, 42 insertions(+), 29 deletions(-)
diff --git a/libs/freetdm/src/ftmod/ftmod_sangoma_ss7/ftmod_sangoma_ss7_main.c b/libs/freetdm/src/ftmod/ftmod_sangoma_ss7/ftmod_sangoma_ss7_main.c
index fe129c0f73..3d30a534cd 100644
--- a/libs/freetdm/src/ftmod/ftmod_sangoma_ss7/ftmod_sangoma_ss7_main.c
+++ b/libs/freetdm/src/ftmod/ftmod_sangoma_ss7/ftmod_sangoma_ss7_main.c
@@ -426,24 +426,33 @@ static void *ftdm_sangoma_ss7_run(ftdm_thread_t * me, void *obj) /* note that the channels being dequeued here may not belong to this span they may belong to just about any other span that one of our channels happens to be bridged to */ - sngss7_chan_data_t *peer_info = peerchan->call_data; - sngss7_chan_data_t *chan_info = peer_info->peer_data; - ftdmchan = chan_info->ftdmchan; + sngss7_chan_data_t *peer_info; + sngss7_chan_data_t *chan_info; - /* - if there is any state changes at all, those will be done in the opposite channel - to peerchan (where the original event was received), therefore we must lock ftdmchan, - but do not need to lock peerchan as we only read its event queue, which is already - locked when dequeueing */ - ftdm_channel_lock(ftdmchan); + peer_info = peerchan->call_data; + if (peer_info) { + chan_info = peer_info->peer_data; + if (chan_info) { + ftdmchan = chan_info->ftdmchan; + if (ftdmchan) { - /* clean out all pending stack events in the peer channel */ - while ((sngss7_event = ftdm_queue_dequeue(peer_info->event_queue))) { - ftdm_sangoma_ss7_process_peer_stack_event(ftdmchan, sngss7_event); - ftdm_safe_free(sngss7_event); + /* + if there is any state changes at all, those will be done in the opposite channel + to peerchan (where the original event was received), therefore we must lock ftdmchan, + but do not need to lock peerchan as we only read its event queue, which is already + locked when dequeueing */ + ftdm_channel_lock(ftdmchan); + + /* clean out all pending stack events in the peer channel */ + while ((sngss7_event = ftdm_queue_dequeue(peer_info->event_queue))) { + ftdm_sangoma_ss7_process_peer_stack_event(ftdmchan, sngss7_event); + ftdm_safe_free(sngss7_event); + } + + ftdm_channel_unlock(ftdmchan); + } + } } - - ftdm_channel_unlock(ftdmchan); } /* clean out all pending stack events */ 
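Review bot: The new NULL tests on `peer_info`, `peer_info->peer_data` and `chan_info->ftdmchan` all run before `ftdm_channel_lock(ftdmchan)` is taken, so they narrow the crash window without closing it. The state-change path touched later in this patch clears `peer_data` on both sides, and if that can run on another span's thread (the comment here says the peer may belong to any span), a pointer can go stale between the check and the dequeue loop. When any link is NULL, the peer's `event_queue` is also left undrained and nothing is logged. I would at least record the assumption next to the checks, e.g. `/* peer_data and ftdmchan are read without a lock; a concurrent release may clear them after these checks */`, and confirm which lock is meant to protect `peer_data`. The enclosing loop starts outside this hunk.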
@@ -1519,9 +1528,11 @@ ftdm_status_t ftdm_sangoma_ss7_process_state_change (ftdm_channel_t *ftdmchan) */ if (ftdm_test_flag(ftdmchan, FTDM_CHANNEL_OUTBOUND)) { sngss7_chan_data_t *peer_info = sngss7_info->peer_data; - sngss7_info->peer_data = NULL; if (peer_info) { - peer_info->peer_data = NULL; + sngss7_info->peer_data = NULL; + if (peer_info) { + peer_info->peer_data = NULL; + } } } diff --git a/libs/freetdm/src/ftmod/ftmod_sangoma_ss7/ftmod_sangoma_ss7_out.c b/libs/freetdm/src/ftmod/ftmod_sangoma_ss7/ftmod_sangoma_ss7_out.c index 5f0a0f0960..c44c7bd7b2 100644 --- a/libs/freetdm/src/ftmod/ftmod_sangoma_ss7/ftmod_sangoma_ss7_out.c +++ b/libs/freetdm/src/ftmod/ftmod_sangoma_ss7/ftmod_sangoma_ss7_out.c 
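Review bot: The inner `if (peer_info)` added in this hunk repeats the enclosing `if (peer_info)` test, so it can never be false. The only real change is that `sngss7_info->peer_data = NULL` now sits inside that check, where the pointer is non-NULL anyway. No additional NULL dereference is guarded, and `sngss7_info` is still dereferenced unconditionally on the declaration line just above. If the intent was to guard `sngss7_info`, test it before reading `peer_data`; otherwise drop the nested test and keep `sngss7_info->peer_data = NULL; peer_info->peer_data = NULL;` under the single check. The rest of the function lies outside the hunk.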
@@ -72,21 +72,23 @@ void ft_to_sngss7_iam (ftdm_channel_t * ftdmchan) var, peer_span->signal_type); } else { peer_info = peer_chan->call_data; - SS7_INFO_CHAN(ftdmchan,"[CIC:%d]Starting native bridge with peer CIC %d\n", - sngss7_info->circuit->cic, peer_info->circuit->cic); + if (peer_info) { + SS7_INFO_CHAN(ftdmchan,"[CIC:%d]Starting native bridge with peer CIC %d\n", + sngss7_info->circuit->cic, peer_info->circuit->cic); - /* make each one of us aware of the native bridge */ - peer_info->peer_data = sngss7_info; - sngss7_info->peer_data = peer_info; + /* make each one of us aware of the native bridge */ + peer_info->peer_data = sngss7_info; + sngss7_info->peer_data = peer_info; - /* flush our own queue */ - sngss7_flush_queue(sngss7_info->event_queue); + /* flush our own queue */ + sngss7_flush_queue(sngss7_info->event_queue); - /* Go to up until release comes, note that state processing is done different and much simpler when there is a peer, - We can't go to UP state right away yet though, so do not set the state to UP here, wait until the end of this function - because moving from one state to another causes the ftdmchan->usrmsg structure to be wiped - and we still need those variables for further IAM processing */ - native_going_up = FTDM_TRUE; + /* Go to up until release comes, note that state processing is done different and much simpler when there is a peer, + We can't go to UP state right away yet though, so do not set the state to UP here, wait until the end of this function + because moving from one state to another causes the ftdmchan->usrmsg structure to be wiped + and we still need those variables for further IAM processing */ + native_going_up = FTDM_TRUE; + } } } }
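Review bot: The new `if (peer_info)` guard has no `else`, so a peer channel without call data silently skips the native bridge and `native_going_up` stays unset with nothing in the log. Inside the guard, `peer_info->circuit->cic` and `sngss7_info->circuit->cic` still dereference `circuit` unchecked; whether `circuit` can be NULL at this point is not visible here. I would add a failure branch such as `} else { SS7_INFO_CHAN(ftdmchan, "[CIC:%d]Peer channel has no call data, native bridge not started\n", sngss7_info->circuit->cic); }`. That way an operator can tell a declined bridge from a normal call. The body of `ft_to_sngss7_iam` continues outside this hunk.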