
Commit fbf3c0b

dialog: avoid clearing locked_by after final db cleanup unref
The DB cleanup path temporarily sets locked_by, calls unref_dlg_unsafe(), and then clears the field again. If that unref drops the last reference, the dialog is destroyed before the final assignment, so the reset writes into freed memory. Only clear locked_by when another reference still exists.
1 parent aca9a9a commit fbf3c0b

1 file changed

Lines changed: 4 additions & 3 deletions


modules/dialog/dlg_db_handler.c

@@ -1639,7 +1639,7 @@ void dialog_update_db(unsigned int ticks, void *do_lock)
16391639
struct dlg_entry *entry;
16401640
struct dlg_cell * cell,*next_cell;
16411641
unsigned char on_shutdown;
1642-
int callee_leg,ins_done=0;
1642+
int callee_leg, ins_done=0, reset_locked_by;
16431643
static query_list_t *ins_list = NULL;
16441644

16451645
db_key_t insert_keys[DIALOG_TABLE_TOTAL_COL_NO] = {
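Review bot: `reset_locked_by` is declared without an initializer in the `int callee_leg, ins_done=0, reset_locked_by;` line. That is safe today because its only read sits in the cleanup branch that assigns it immediately before use, but initializing it to 0 at the declaration, as `ins_done=0` already does, would keep the variable well-defined if a later change moves the read or adds another path through the loop, and avoids a possible -Wmaybe-uninitialized warning.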
@@ -1697,9 +1697,11 @@ void dialog_update_db(unsigned int ticks, void *do_lock)
16971697
/* mark it as deleted so as we don't deal with it later */
16981698
cell->flags |= DLG_FLAG_DB_DELETED;
16991699
/* timer is done with this dialog */
1700+
reset_locked_by = (cell->ref > 1);
17001701
cell->locked_by = process_no;
17011702
unref_dlg_unsafe(cell,1,entry);
1702-
cell->locked_by = 0;
1703+
if (reset_locked_by)
1704+
cell->locked_by = 0;
17031705
cell=next_cell;
17041706
continue;
17051707
}
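Review bot: The fix depends on `cell->ref` being sampled under the same entry lock that protects `unref_dlg_unsafe(cell,1,entry)`; a one-line comment above `reset_locked_by = (cell->ref > 1);` stating that the value is read before the unref because the cell may be freed by it would save the next reader from asking why `locked_by` is not simply cleared unconditionally. It is also worth spelling out that `ref > 1` is only a valid predictor of "still alive afterwards" because this call drops exactly one reference, so if the decrement count ever changes the comparison must change with it.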
@@ -2514,4 +2516,3 @@ mi_response_t *mi_restore_dlg_db(const mi_params_t *params,
25142516
else
25152517
return init_mi_result_ok();
25162518
}
2517-

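Review bot: The third hunk only drops the trailing blank line at the end of the file; it is harmless, but as an unrelated whitespace change it would be cleaner in its own commit so that the blame history for this use-after-free fix stays focused on the `locked_by` handling.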