From cdfbc02df164a9bc49e23900fae66e696c4623aa Mon Sep 17 00:00:00 2001
From: Kevin Harwell <kharwell@digium.com>
Date: Wed, 6 Nov 2013 21:58:17 +0000
Subject: [PATCH] app_queue: crash if first agent is "busy"

If the first agent/member (via CLI "queue show") in a queue is "busy" (dnd,
circuit busy, etc...) and no agents answered then app_queue would crash.
This occurred because while the calling of agent(s) remained valid the channel
on "busy" agent would be set to NULL and then later dereferenced upon a second
"rna" function call.  The original intention of the code is to have only valid
"call attempt" objects (channels != NULL) checked while attempting to call
agent(s).  It does this by building a "call_next" list of valid "call attempt"
objects.  In the case of the "busy" agent subsequent builds of the valid "call
attempt" list would sometimes include (the case mentioned above) an invalid
"call attempt" object.

The fix was to make sure the "call attempt" list was appropriately built on
every iteration.  A NULL sanity check was also added at the original offending
spot of the crash just in case another one slipped by somehow.

(closes issue ASTERISK-22644)
Reported by: Marco Signorini
Review: https://reviewboard.asterisk.org/r/2983/
........

Merged revisions 402517 from http://svn.asterisk.org/svn/asterisk/branches/12


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@402518 65c4cc65-6c06-0410-ace0-fbb531ad65f3
---
 apps/app_queue.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/apps/app_queue.c b/apps/app_queue.c
index 522c602c19..a1e495e6b6 100644
--- a/apps/app_queue.c
+++ b/apps/app_queue.c
@@ -4467,6 +4467,8 @@ static struct callattempt *wait_for_answer(struct queue_ent *qe, struct callatte
 						}
 						prev = o;
 					}
+				} else if (prev) {
+					prev->call_next = NULL;
 				}
 				numlines++;
 			}
@@ -4927,7 +4929,9 @@ skip_frame:;
 
 	if (!*to) {
 		for (o = start; o; o = o->call_next) {
-			rna(orig, qe, o->chan, o->interface, o->member->membername, 1);
+			if (o->chan) {
+				rna(orig, qe, o->chan, o->interface, o->member->membername, 1);
+			}
 		}
 
 		publish_dial_end_event(qe->chan, outgoing, NULL, "NOANSWER");