From 0c45fc4edacf324926c85774ab0e2ca466f1e7e6 Mon Sep 17 00:00:00 2001
From: Russell Bryant <russell@russellbryant.com>
Date: Sat, 6 Mar 2010 14:16:20 +0000
Subject: [PATCH] Fix a crash in SIP blind transfer handling found by an
 automated external test.

The first real test added to the external test suite found a pretty nasty crash
that occurred in Asterisk trunk.  The crash was due to a race condition between
the REFER handling and channel destruction in the channel thread.  After the
transfer has been completed, we go back to the transferrer channel and try to
lock it so we can fire off a CEL event.  However, there was no guarantee that
the channel was still around at that point since it's racing against the channel
thread.

Since ast_channel is a reference counted object, the fix is simple.  The code
unlocks the transferrer channel before finally completing the transfer with
an async goto.  At this point the channel thread is going to start call tear
down and the channel will eventually be destroyed.  To ensure that the channel
is valid when we want to fire off the CEL event, increase the channel's
reference count.


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@251137 65c4cc65-6c06-0410-ace0-fbb531ad65f3
---
 channels/chan_sip.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/channels/chan_sip.c b/channels/chan_sip.c
index 793a31b3cf..b8f93b5835 100644
--- a/channels/chan_sip.c
+++ b/channels/chan_sip.c
@@ -20089,6 +20089,11 @@ static int handle_request_refer(struct sip_pvt *p, struct sip_request *req, int
 	/* Must release lock now, because it will not longer
 	   be accessible after the transfer! */
 	*nounlock = 1;
+	/*
+	 * Increase ref count so that we can delay channel destruction until after
+	 * we get a chance to fire off some events.
+	 */
+	ast_channel_ref(current.chan1);
 	ast_channel_unlock(current.chan1);
 
 	/* Connect the call */
@@ -20113,6 +20118,7 @@ static int handle_request_refer(struct sip_pvt *p, struct sip_request *req, int
 		transmit_notify_with_sipfrag(p, seqno, "503 Service Unavailable (can't handle one-legged xfers)", TRUE);
 		ast_clear_flag(&p->flags[0], SIP_GOTREFER);	
 		append_history(p, "Xfer", "Refer failed (only bridged calls).");
+		ast_channel_unref(current.chan1);
 		return -1;
 	}
 	ast_set_flag(&p->flags[0], SIP_DEFER_BYE_ON_TRANSFER);	/* Delay hangup */
@@ -20163,6 +20169,9 @@ static int handle_request_refer(struct sip_pvt *p, struct sip_request *req, int
 		ast_clear_flag(&p->flags[0], SIP_GOTREFER);	
 		res = -1;
 	}
+
+	ast_channel_unref(current.chan1);
+
 	return res;
 }