From a5b9b792ea4d28ad99f06c5c2649af4621f394f2 Mon Sep 17 00:00:00 2001
From: Richard Mudgett
Date: Thu, 7 May 2009 16:06:19 +0000
Subject: [PATCH] Avoid a stale pointer crash if the TE BRI TEI is removed when active calls exist. Made the q931_call record point to the master D channel control structure instead of the BRI TEI subchannel control structure. When a layer 3 message is sent, the current TEI subchannel control structure is used.
git-svn-id: https://origsvn.digium.com/svn/libpri/branches/1.4@790 2fbb986a-6c06-0410-b554-c9c1f0a7f128
---
 q931.c | 25 +++++++++++++++++++++----
 1 file changed, 21 insertions(+), 4 deletions(-)
diff --git a/q931.c b/q931.c
index 737c129..7c81938 100644
--- a/q931.c
+++ b/q931.c
@@ -2382,10 +2382,15 @@ static q931_call *q931_getcall(struct pri *pri, int cr, int outboundnew)
 /* Call reference */
 cur->cr = cr;
 /* PRI is set to whoever called us */
- if (pri->bri && (pri->localtype == PRI_CPE) && pri->subchannel && outboundnew)
- cur->pri = pri->subchannel;
- else
+ if (pri->bri && (pri->localtype == PRI_CPE)) {
+ /*
+ * Point to the master to avoid stale pointer problems if
+ * the TEI is removed later.
+ */
+ cur->pri = master;
+ } else {
 cur->pri = pri;
+ }
 /* Append to end of list */
 if (prev)
@@ -2680,7 +2685,19 @@ static int send_message(struct pri *pri, q931_call *c, int msgtype, int ies[])
 }
 /* Invert the logic */
 len = sizeof(buf) - len;
- q931_xmit(c->pri, h, len, 1);
+
+ pri = c->pri;
+ if (pri->bri && (pri->localtype == PRI_CPE)) {
+ /*
+ * Must use the BRI subchannel structure to send with the correct TEI.
+ * Note: If the subchannel is NULL then there is no TEI assigned and
+ * we should not be sending anything out at this time.
+ */
+ pri = pri->subchannel;
+ }
+ if (pri) {
+ q931_xmit(pri, h, len, 1);
+ }
 c->acked = 1;
 return 0;
 }
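Review bot: The new branch in q931_getcall stores `master` in `cur->pri` for every BRI CPE call, so any reader of `c->pri` that still expects the TEI subchannel now receives the master structure, and this patch only adjusts send_message. Other users of `c->pri` in q931.c are outside the hunk and would need the same resolve-at-use treatment to keep the stale-pointer fix complete. I would widen the added comment to state the invariant, for example `/* For BRI CPE, c->pri is always the master; look up pri->subchannel at the point of use and expect it to be NULL after TEI removal. */`. With `&& pri->subchannel && outboundnew` removed, `outboundnew` is no longer read in the visible lines; if it is unused in the rest of the function, which starts and ends outside the hunk, that is worth a note or a cleanup.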
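Review bot: When `pri->subchannel` is NULL in send_message the layer 3 message is silently dropped, yet the following lines still set `c->acked = 1` and return 0, so the caller and the call record both behave as if the message went out. If callers tolerate a failure return, an early exit such as `if (!pri) return -1;` placed before `c->acked = 1;` would keep the call state honest. Otherwise at least log the drop, so a call left waiting after TEI removal can be diagnosed. The hunk also reassigns the `pri` parameter; a separate local would avoid confusing code earlier in the function, which is outside the hunk and uses the caller's `pri`.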