sched: AST_SCHED_REPLACE_UNREF can lead to use after free of data

The data can be freed if the old object '_data' is the same object as new 'data'. Because at first the object is unreferenced which can lead to destroying it. This could happened in res_pjsip_pubsub when the publication is updated which could lead to segfault in function publish_expire. Change-Id: I0164f57c387243510bdbd2f8dcf33377b6c202da
2020-10-02 15:32:29 -04:00 · 2020-10-02 15:32:29 -04:00 · 728cd55cde
parent ddfb76a864
commit 728cd55cde
1 changed files with 3 additions and 2 deletions
--- a/include/asterisk/sched.h
+++ b/include/asterisk/sched.h
@ -136,11 +136,12 @@ extern "C" {
 		while (id > -1 && (_res = ast_sched_del(sched, id) && _count++ < 10)) { \
 			usleep(1); \
 		} \
-		if (!_res && _data)							\
+		if (!_res && _data && _data != data)					\
 			unrefcall;	/* should ref _data! */		\
 		if (_count == 10) \
 			ast_log(LOG_WARNING, "Unable to cancel schedule ID %d.  This is probably a bug (%s: %s, line %d).\n", id, __FILE__, __PRETTY_FUNCTION__, __LINE__); \
-		refcall; \
+		if (_data != data) \
+			refcall; \
 		id = ast_sched_add_variable(sched, when, callback, data, variable); \
 		if (id == -1)  \
 			addfailcall;	\