From 9fdc04e4053fec0ec85e5095ca432e22b4f3aeb6 Mon Sep 17 00:00:00 2001
From: MelwareDE
Date: Wed, 5 Oct 2011 09:56:42 +0000
Subject: [PATCH] Error in 'capidev_acquire_locks_from_thread_context' for asterisk >= 1.8. ast_channel_unlock was called after ast_channel_unref. In case ast_channel_unref released channel memory this resulted in access to already freed memory area

---
 chan_capi.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/chan_capi.c b/chan_capi.c
index c40f1fe..87205ae 100644
--- a/chan_capi.c
+++ b/chan_capi.c
@@ -5729,10 +5729,11 @@ static struct ast_channel* capidev_acquire_locks_from_thread_context(struct capi
 cc_mutex_lock(&i->lock);
 owner = i->owner;
 if (likely(owner != 0)) {
+ struct ast_channel *ref_owner = owner;
+ ast_channel_ref (owner);
 cc_mutex_unlock(&i->lock);
 ast_channel_lock(owner);
- ast_channel_unref (owner);
 cc_mutex_lock(&i->lock);
 if (unlikely(i->owner == 0)) {
 cc_mutex_unlock (&i->lock);
@@ -5740,6 +5741,7 @@ static struct ast_channel* capidev_acquire_locks_from_thread_context(struct capi
 cc_mutex_lock (&i->lock);
 owner = 0;
 }
+ ast_channel_unref (ref_owner);
 }
 #else
 for (;;) {
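Review bot: The reason `ref_owner` exists separately from `owner` is not stated anywhere in the new code: `owner` is zeroed in the `i->owner == 0` branch, so a second pointer is the only way to reach the channel for the final `ast_channel_unref`, and the ref taken under `i->lock` is what keeps the channel alive across the window where `i->lock` is dropped and `ast_channel_lock(owner)` is acquired. A comment at the declaration would make that explicit, e.g. `/* extra ref: keeps the channel alive while i->lock is dropped; owner may be cleared below, so release via ref_owner */`. With the new variable available, the re-check after relocking could also be tightened to `if (unlikely(i->owner != ref_owner)) {` so that a channel swapped in during the unlocked window is not treated as the one we hold locked — whether that case can occur here is not visible in the hunk, so treat it as a question rather than a defect. The first hunk's header announces 10 old lines but only 9 are visible, and the `i->owner == 0` branch continues into the second hunk, so the unlock of the channel on that path (which the commit message says was the use-after-free) cannot be reviewed from this excerpt. The enclosing function starts before the first hunk and ends after the second.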