id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	field_blocks	field_dependson	field_seealso
489	answer_preprocess() may access deallocated phone structure	Jakub Jermář	Jakub Jermář	"In `answer_preprocess()`, there is:

{{{
        if ((native_t) IPC_GET_RETVAL(answer->data) == EHANGUP) {
                /* In case of forward, hang up the forwarded phone,
                 * not the originator
                 */
                mutex_lock(&answer->data.phone->lock);
                irq_spinlock_lock(&TASK->answerbox.lock, true);
                if (answer->data.phone->state == IPC_PHONE_CONNECTED) {
                        list_remove(&answer->data.phone->link);
                        answer->data.phone->state = IPC_PHONE_SLAMMED;
                }
                irq_spinlock_unlock(&TASK->answerbox.lock, true);
                mutex_unlock(&answer->data.phone->lock);
        }
}}}

The problem is that if indeed the call has been forwarded and masqueraded, the forwarder task may or may not be still alive when the final recipient decides to answer it. If the forwarder is not alive, `answer_preprocess()` will attempt to lock a mutex in unallocated memory."	defect	closed	major	0.6.0	helenos/kernel/generic	mainline	fixed	ipc				
