aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authormmichelson <mmichelson@f38db490-d61c-443f-a65b-d21fe96a405b>2010-04-30 20:08:15 +0000
committermmichelson <mmichelson@f38db490-d61c-443f-a65b-d21fe96a405b>2010-04-30 20:08:15 +0000
commit3722f0ac1c0777b4f85fc5899ff935ab82c564d5 (patch)
tree99fe0748670372932225c07ad84ac1e3d1c8e55c
parentd337ca36324d17c3507a9cd25b68a1c1a4dca03f (diff)
Fix potential crash from race condition due to accessing channel data without the channel locked.
In res_musiconhold.c, there are several places where a channel's stream's existence is checked prior to calling ast_closestream on it. The issue here is that in several cases, the channel was not locked while checking the stream. The result was that if two threads checked the state of the channel's stream at approximately the same time, then there could be a situation where both threads attempt to call ast_closestream on the channel's stream. The result here is that the refcount for the stream would go below 0, resulting in a crash. I have added proper channel locking to res_musiconhold.c to ensure that we do not try to check chan->stream without the channel locked. A Digium customer has been using this patch for several weeks and has not had any crashes since applying the patch. ABE-2147 git-svn-id: http://svn.digium.com/svn/asterisk/branches/1.4@260345 f38db490-d61c-443f-a65b-d21fe96a405b
-rw-r--r--res/res_musiconhold.c14
1 files changed, 13 insertions, 1 deletions
diff --git a/res/res_musiconhold.c b/res/res_musiconhold.c
index 012b8a6df..308d5220c 100644
--- a/res/res_musiconhold.c
+++ b/res/res_musiconhold.c
@@ -288,7 +288,15 @@ static int moh_files_generator(struct ast_channel *chan, void *data, int len, in
state->sample_queue += samples;
while (state->sample_queue > 0) {
+ ast_channel_lock(chan);
if ((f = moh_files_readframe(chan))) {
+ /* We need to be sure that we unlock
+ * the channel prior to calling
+ * ast_write. Otherwise, the recursive locking
+ * that occurs can cause deadlocks when using
+ * indirect channels, like local channels
+ */
+ ast_channel_unlock(chan);
state->samples += f->samples;
state->sample_queue -= f->samples;
res = ast_write(chan, f);
@@ -297,8 +305,10 @@ static int moh_files_generator(struct ast_channel *chan, void *data, int len, in
ast_log(LOG_WARNING, "Failed to write frame to '%s': %s\n", chan->name, strerror(errno));
return -1;
}
- } else
+ } else {
+ ast_channel_unlock(chan);
return -1;
+ }
}
return res;
}
@@ -1054,12 +1064,14 @@ static void local_ast_moh_stop(struct ast_channel *chan)
ast_clear_flag(chan, AST_FLAG_MOH);
ast_deactivate_generator(chan);
+ ast_channel_lock(chan);
if (chan->music_state) {
if (chan->stream) {
ast_closestream(chan->stream);
chan->stream = NULL;
}
}
+ ast_channel_unlock(chan);
}
static void moh_class_destructor(void *obj)