Avoid a stale pointer crash if the TE BRI TEI is removed when active calls exist.

Made the q931_call record point to the master D channel control structure instead of the BRI TEI subchannel control structure. When a layer 3 message is sent, the current TEI subchannel control structure is used. git-svn-id: https://origsvn.digium.com/svn/libpri/branches/1.4@790 2fbb986a-6c06-0410-b554-c9c1f0a7f128
2009-05-07 16:06:19 +00:00
parent c430cba165
commit a5b9b792ea
1 changed files with 21 additions and 4 deletions
--- a/q931.c
+++ b/q931.c
@@ -2382,10 +2382,15 @@ static q931_call *q931_getcall(struct pri *pri, int cr, int outboundnew)
 	/* Call reference */
 	cur->cr = cr;
 	/* PRI is set to whoever called us */
-	if (pri->bri && (pri->localtype == PRI_CPE) && pri->subchannel && outboundnew)
-		cur->pri = pri->subchannel;
-	else
+	if (pri->bri && (pri->localtype == PRI_CPE)) {
+		/*
+		 * Point to the master to avoid stale pointer problems if
+		 * the TEI is removed later.
+		 */
+		cur->pri = master;
+	} else {
 		cur->pri = pri;
+	}

 	/* Append to end of list */
 	if (prev)
@@ -2680,7 +2685,19 @@ static int send_message(struct pri *pri, q931_call *c, int msgtype, int ies[])
 	}
 	/* Invert the logic */
 	len = sizeof(buf) - len;
-	q931_xmit(c->pri, h, len, 1);
+
+	pri = c->pri;
+	if (pri->bri && (pri->localtype == PRI_CPE)) {
+		/*
+		 * Must use the BRI subchannel structure to send with the correct TEI.
+		 * Note: If the subchannel is NULL then there is no TEI assigned and
+		 * we should not be sending anything out at this time.
+		 */
+		pri = pri->subchannel;
+	}
+	if (pri) {
+		q931_xmit(pri, h, len, 1);
+	}
 	c->acked = 1;
 	return 0;
 }