sched: AST_SCHED_REPLACE_UNREF can lead to use after free of data
The data can be freed if the old object '_data' is the same object as the new 'data', because the object is unreferenced first, which can lead to it being destroyed. This could happen in res_pjsip_pubsub when the publication is updated, which could lead to a segfault in the function publish_expire. Change-Id: I0164f57c387243510bdbd2f8dcf33377b6c202da
parent
5a6037778b
commit
da0f2ea99e
|
@ -136,11 +136,12 @@ extern "C" {
|
|||
while (id > -1 && (_res = ast_sched_del(sched, id) && _count++ < 10)) { \
|
||||
usleep(1); \
|
||||
} \
|
||||
if (!_res && _data) \
|
||||
if (!_res && _data && _data != data) \
|
||||
unrefcall; /* should ref _data! */ \
|
||||
if (_count == 10) \
|
||||
ast_log(LOG_WARNING, "Unable to cancel schedule ID %d. This is probably a bug (%s: %s, line %d).\n", id, __FILE__, __PRETTY_FUNCTION__, __LINE__); \
|
||||
refcall; \
|
||||
if (_data != data) \
|
||||
refcall; \
|
||||
id = ast_sched_add_variable(sched, when, callback, data, variable); \
|
||||
if (id == -1) \
|
||||
addfailcall; \
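Review bot: The added `if (_data != data)` guard in front of `refcall;` treats pointer equality as proof that the old entry's reference can be carried over, which holds only when `ast_sched_del` really removed that entry. On the `while` line `_res` receives the result of the whole `&&` expression, so it is also 0 once the retries run out, and a cancel that never succeeded is indistinguishable from one that did; in that case the new entry is added without a reference of its own while the old callback may still release the one it holds, and `addfailcall` would presumably drop a reference nobody took. I would capture the delete result on its own, `(_res = ast_sched_del(sched, id)) && _count++ < 10`, and take the reference unless the old one was truly inherited: `if (_res || _data != data)`. The macro starts and ends outside this hunk, so the initial value of `_res` is not visible here and should be checked against that guard.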
|
||||
|
|