From fa2072903238ddb8dbba7d75ccf70edb36581f36 Mon Sep 17 00:00:00 2001 From: Richard Mudgett Date: Tue, 24 Nov 2015 12:44:53 -0600 Subject: [PATCH] Audit improper usage of scheduler exposed by 5c713fdf18f. channels/chan_iax2.c: * Initialize struct chan_iax2_pvt scheduler ids earlier because of iax2_destroy_helper(). channels/chan_sip.c: channels/sip/config_parser.c: * Fix initialization of scheduler id struct members. Some off nominal paths had 0 as a scheduler id to be destroyed when it was never started. chan_skinny.c: * Fix some scheduler id comparisons that excluded the valid 0 id. channel.c: * Fix channel initialization of the video stream scheduler id. pbx_dundi.c: * Fix channel initialization of the packet retransmission scheduler id. ASTERISK-25476 Change-Id: I07a3449f728f671d326a22fcbd071f150ba2e8c8 --- channels/chan_iax2.c | 15 ++++++++------- channels/chan_sip.c | 6 ++++++ channels/chan_skinny.c | 8 ++++---- channels/sip/config_parser.c | 9 ++++++--- main/channel.c | 1 + pbx/pbx_dundi.c | 1 + 6 files changed, 26 insertions(+), 14 deletions(-) diff --git a/channels/chan_iax2.c b/channels/chan_iax2.c index 42ccbd5fdb..af44de96c6 100644 --- a/channels/chan_iax2.c +++ b/channels/chan_iax2.c @@ -2236,6 +2236,14 @@ static struct chan_iax2_pvt *new_iax(struct ast_sockaddr *addr, const char *host return NULL; } + tmp->pingid = -1; + tmp->lagid = -1; + tmp->autoid = -1; + tmp->authid = -1; + tmp->initid = -1; + tmp->keyrotateid = -1; + tmp->jbid = -1; + if (ast_string_field_init(tmp, 32)) { ao2_ref(tmp, -1); tmp = NULL; @@ -2243,18 +2251,11 @@ static struct chan_iax2_pvt *new_iax(struct ast_sockaddr *addr, const char *host } tmp->prefs = prefs_global; - tmp->pingid = -1; - tmp->lagid = -1; - tmp->autoid = -1; - tmp->authid = -1; - tmp->initid = -1; - tmp->keyrotateid = -1; ast_string_field_set(tmp,exten, "s"); ast_string_field_set(tmp,host, host); tmp->jb = jb_new(); - tmp->jbid = -1; jbconf.max_jitterbuf = maxjitterbuffer; jbconf.resync_threshold = resyncthreshold; jbconf.max_contig_interp = maxjitterinterps; diff --git a/channels/chan_sip.c b/channels/chan_sip.c index 158dc7b181..6cfb598795 100644 --- a/channels/chan_sip.c +++ b/channels/chan_sip.c @@ -1709,6 +1709,7 @@ static int publish_expire(const void *data) ast_assert(esc != NULL); ao2_unlink(esc->compositor, esc_entry); + esc_entry->sched_id = -1; ao2_ref(esc_entry, -1); return 0; } @@ -1741,6 +1742,11 @@ static struct sip_esc_entry *create_esc_entry(struct event_state_compositor *esc /* Bump refcount for scheduler */ ao2_ref(esc_entry, +1); esc_entry->sched_id = ast_sched_add(sched, expires_ms, publish_expire, esc_entry); + if (esc_entry->sched_id == -1) { + ao2_ref(esc_entry, -1); + ao2_ref(esc_entry, -1); + return NULL; + } /* Note: This links the esc_entry into the ESC properly */ create_new_sip_etag(esc_entry, 0); diff --git a/channels/chan_skinny.c b/channels/chan_skinny.c index 6f56f732e7..707ab02c5f 100644 --- a/channels/chan_skinny.c +++ b/channels/chan_skinny.c @@ -5548,12 +5548,12 @@ static void setsubstate(struct skinny_subchannel *sub, int state) skinny_locksub(sub); - if (sub->dialer_sched) { + if (-1 < sub->dialer_sched) { skinny_sched_del(sub->dialer_sched, sub); sub->dialer_sched = -1; } - if (state != SUBSTATE_RINGIN && sub->aa_sched) { + if (state != SUBSTATE_RINGIN && -1 < sub->aa_sched) { skinny_sched_del(sub->aa_sched, sub); sub->aa_sched = -1; sub->aa_beep = 0; @@ -6238,7 +6238,7 @@ static int handle_keypad_button_message(struct skinny_req *req, struct skinnyses } if ((sub->owner && ast_channel_state(sub->owner) < AST_STATE_UP)) { - if (sub->dialer_sched && !skinny_sched_del(sub->dialer_sched, sub)) { + if (-1 < sub->dialer_sched && !skinny_sched_del(sub->dialer_sched, sub)) { SKINNY_DEBUG(DEBUG_SUB, 3, "Sub %u - Got a digit and not timed out, so try dialing\n", sub->callid); sub->dialer_sched = -1; len = strlen(sub->exten); @@ -7075,7 +7075,7 @@ static int handle_soft_key_event_message(struct skinny_req *req, struct skinnyse case SOFTKEY_BKSPC: SKINNY_DEBUG(DEBUG_PACKET, 3, "Received SOFTKEY_BKSPC from %s, inst %d, callref %d\n", d->name, instance, callreference); - if (sub->dialer_sched && !skinny_sched_del(sub->dialer_sched, sub)) { + if (-1 < sub->dialer_sched && !skinny_sched_del(sub->dialer_sched, sub)) { size_t len; sub->dialer_sched = -1; len = strlen(sub->exten); diff --git a/channels/sip/config_parser.c b/channels/sip/config_parser.c index a3964b047d..56d04b260e 100644 --- a/channels/sip/config_parser.c +++ b/channels/sip/config_parser.c @@ -79,13 +79,17 @@ int sip_parse_register_line(struct sip_registry *reg, int default_expiry, const AST_APP_ARG(port); ); - if (!value) { + if (!reg) { return -1; } - if (!reg) { + reg->expire = -1; + reg->timeout = -1; + + if (!value) { return -1; } + ast_copy_string(buf, value, sizeof(buf)); /*! register => [peer?][transport://]user[@domain][:secret[:authuser]]@host[:port][/extension][~expiry] @@ -261,7 +265,6 @@ int sip_parse_register_line(struct sip_registry *reg, int default_expiry, const ast_string_field_set(reg, regdomain, ast_strip_quoted(S_OR(user2.domain, ""), "\"", "\"")); reg->transport = transport; - reg->timeout = reg->expire = -1; reg->portno = portnum; reg->regdomainport = domainport; reg->callid_valid = FALSE; diff --git a/main/channel.c b/main/channel.c index 013d2e281f..f5a9afade5 100644 --- a/main/channel.c +++ b/main/channel.c @@ -877,6 +877,7 @@ __ast_channel_alloc_ap(int needqueue, int state, const char *cid_num, const char ast_channel_hold_state_set(tmp, AST_CONTROL_UNHOLD); ast_channel_streamid_set(tmp, -1); + ast_channel_vstreamid_set(tmp, -1); ast_channel_fin_set(tmp, global_fin); ast_channel_fout_set(tmp, global_fout); diff --git a/pbx/pbx_dundi.c b/pbx/pbx_dundi.c index 660968f14a..ec1d2189c3 100644 --- a/pbx/pbx_dundi.c +++ b/pbx/pbx_dundi.c @@ -3264,6 +3264,7 @@ static int dundi_send(struct dundi_transaction *trans, int cmdresp, int flags, i pack = ast_calloc(1, len); if (pack) { pack->h = (struct dundi_hdr *)(pack->data); + pack->retransid = -1; if (cmdresp != DUNDI_COMMAND_ACK) { pack->retransid = ast_sched_add(sched, trans->retranstimer, dundi_rexmit, pack); pack->retrans = DUNDI_DEFAULT_RETRANS - 1;