• Crash if NFAS swaps D channels on a call with an active timer. · 2867fc71
    Richard Mudgett authored
    If a Q.931 call record related timer started on one NFAS D channel
    expires after NFAS swaps to another D channel, then libpri could crash.
    For example:
    1) Hangup a call.
    1a) Send a DISCONNECT.
    1b) Start the T305 retransmit timer on the current D channel.
    2) The RELEASE comes in on another D channel.
    2a) The found call record switches its assignment to the new D channel.
    2b) Attempt to stop T305.  Unfortunately, the timer was started on another
        D channel so the attempt does not find the timer to stop.
    3) The hangup sequence continues normally and the call record is freed
       since there is only one call record pool.
    4) T305 expires on the original D channel and crashes the system when it
       uses the stale call record pointer it has saved.
    Made each D channel timer pool have a unique range of valid timer
    identifiers.  If a given timer identifier is not in the range for the
    current NFAS D channel, then search the D channel group for the original D
    JIRA SWP-2721
    git-svn-id: https://origsvn.digium.com/svn/libpri/branches/1.4@2202 2fbb986a-6c06-0410-b554-c9c1f0a7f128
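
The fix described in the commit message above, modelled as an added example that is not libpri's code: each D channel's timer pool owns a disjoint identifier range, and stopping a timer falls back to searching the NFAS group when the identifier is outside the current channel's range. All names (`dchan`, `nfas_group`, `timer_start`, `timer_stop`, `replay_swap`) and the pool sizes are hypothetical.

```c
#include <stddef.h>

/* Hypothetical model, not libpri's code. Sizes are constructed values. */
#define POOL_SLOTS 4   /* timers per D channel */
#define GROUP_SIZE 2   /* D channels in the NFAS group */
struct dchan {
    unsigned first_id;        /* first identifier in this pool's unique range */
    void *slot[POOL_SLOTS];   /* call record saved by a running timer, else NULL */
};
struct nfas_group { struct dchan chan[GROUP_SIZE]; };

void group_init(struct nfas_group *g) {
    for (unsigned c = 0; c < GROUP_SIZE; c++) {
        g->chan[c].first_id = 1 + c * POOL_SLOTS;   /* 0 is reserved for "no timer" */
        for (unsigned i = 0; i < POOL_SLOTS; i++) g->chan[c].slot[i] = NULL;
    }
}

/* Start a timer on one D channel; returns its identifier, or 0 if the pool is full. */
unsigned timer_start(struct dchan *d, void *call) {
    for (unsigned i = 0; i < POOL_SLOTS; i++)
        if (!d->slot[i]) { d->slot[i] = call; return d->first_id + i; }
    return 0;
}

/* True when the identifier lies in this D channel's range. */
static int owns(const struct dchan *d, unsigned id) {
    return id >= d->first_id && id < d->first_id + POOL_SLOTS;
}

/* Stop a timer given the call's current D channel. An id outside that channel's
 * range sends the search to the rest of the group. Returns 1 if a timer was stopped. */
int timer_stop(struct nfas_group *g, struct dchan *cur, unsigned id) {
    struct dchan *owner = owns(cur, id) ? cur : NULL;
    for (unsigned c = 0; c < GROUP_SIZE && !owner; c++)
        if (owns(&g->chan[c], id)) owner = &g->chan[c];
    if (!owner || !owner->slot[id - owner->first_id]) return 0;
    owner->slot[id - owner->first_id] = NULL;   /* drops the saved call pointer */
    return 1;
}

/* Steps 1b-2b of the commit message: T305 starts on D channel 0, the call moves
 * to D channel 1, then T305 is stopped. Returns 1 if nothing still points at the call. */
int replay_swap(void) {
    struct nfas_group g; int call;
    group_init(&g);
    unsigned t305 = timer_start(&g.chan[0], &call);
    return timer_stop(&g, &g.chan[1], t305) && g.chan[0].slot[0] == NULL;
}
```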
prisched.c 8.82 KB