iax.c fix at iax_get_event() {
    ..
    if (frame->final)
        destroy_session(frame->session);
    ..
};
Quick deallocation and re-allocation of sessions may result in the same memory address being reused!
Therefore we cannot trust the remote-sent address alone.
The best bet is to check some reasonably unique property to decide whether we really intend to destroy this session.
Example case:
- Have a call.
- Drop that call and immediately request a new call (or, less likely, receive an incoming call request).
- With considerable probability, the new session gets the previous session's memory address.
- When execution reaches this point as a result of the previous call ending
(the client informs the server that it is dropping the call and frees the previous session; the server processes the call-dropping and eventually this point is reached),
the frame->session parameter passed to destroy_session() belongs to the new, valid session!
- As a consequence many independent execution paths break (access violations and such).
The fix is (by the way, does anyone know a more reliable check value?):
    if (frame->final)
        if (frame->session && (frame->callno == frame->session->callno))
            destroy_session(frame->session);
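The scenario above, as an added stand-alone model (not iaxclient's own code): a single-slot free list forces a freed session's address to be handed straight back to the next call, a late "final" frame still carries the old call's pointer and callno, and the two handlers show what happens to the new session with and without the callno check. The struct fields and helper names are assumptions made for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the objects the post talks about (not iaxclient's real structs). */
struct iax_session {
    int callno;   /* call number negotiated with the peer */
    int active;   /* 1 while the session is live */
};

struct iax_frame {
    struct iax_session *session;  /* address resolved from what the peer sent */
    int callno;                   /* call number carried in the frame */
    int final;                    /* 1 when this frame ends the call */
};

/* One-slot free list: a destroyed session's memory is reused by the very next
 * allocation, which is the "same memory address" situation described above. */
static struct iax_session *free_slot = NULL;

static struct iax_session *new_session(int callno)
{
    struct iax_session *s = free_slot ? free_slot : malloc(sizeof *s);
    free_slot = NULL;
    s->callno = callno;
    s->active = 1;
    return s;
}

static void destroy_session(struct iax_session *s)
{
    s->active = 0;
    free_slot = s;   /* returned to the pool instead of free() so the caller can still inspect it */
}

/* Original behaviour: trust the address in the frame unconditionally. */
static void handle_final_unchecked(struct iax_frame *f)
{
    if (f->final)
        destroy_session(f->session);
}

/* The proposed fix: the frame's callno must match the session it points at. */
static void handle_final_checked(struct iax_frame *f)
{
    if (f->final)
        if (f->session && (f->callno == f->session->callno))
            destroy_session(f->session);
}

/* Plays the race through once. Returns 1 if the new session survives the
 * late final frame of the old call, 0 if it was wrongly destroyed. */
static int run_scenario(int use_check)
{
    free_slot = NULL;

    struct iax_session *old = new_session(100);
    /* The peer's final frame for call 100 references the old session's address. */
    struct iax_frame late_final = { .session = old, .callno = 100, .final = 1 };

    /* Local side drops the call and frees the session ... */
    destroy_session(old);
    /* ... and immediately starts a new call, which lands on the same address. */
    struct iax_session *fresh = new_session(101);
    int same_address = (fresh == old);

    /* Only now does the late final frame for the old call get processed. */
    if (use_check)
        handle_final_checked(&late_final);
    else
        handle_final_unchecked(&late_final);

    int survived = same_address && fresh->active;
    free(fresh);
    free_slot = NULL;
    return survived;
}

int main(void)
{
    printf("without callno check: new session %s\n", run_scenario(0) ? "survived" : "destroyed");
    printf("with callno check:    new session %s\n", run_scenario(1) ? "survived" : "destroyed");
    return 0;
}
```

The check works here because the new call was given a different callno; if the call numbers were recycled as quickly as the memory, the comparison would pass again. A counter incremented on every session allocation, stored in the session and echoed in whatever the local side keys frames by, is the usual way to get a value that cannot collide within a process lifetime.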