chan_iax2 crashes on nonexistent fr->callno (patch available)

Bug #501116 reported by Ryan Finnie
This bug affects 2 people

Affects             Status        Importance  Assigned to  Milestone
Asterisk            Fix Released  Undecided   Unassigned
asterisk (Ubuntu)   Fix Released  Undecided   Unassigned
Karmic              Fix Released  Undecided   Unassigned

Bug Description

Binary package hint: asterisk

We are getting occasional segfaults on a karmic system (1:1.6.2.0~rc2-0ubuntu1.1) with heavy iax2 traffic (crashes occur every few days):

[442046.620342] asterisk[8552]: segfault at 48d ip b6022c71 sp b4ee04a0 error 4 in chan_iax2.so[b5ff2000+48000]

A backtrace reveals:

Core was generated by `/usr/sbin/asterisk -f -p -g -U asterisk -vvvg -c'.
Program terminated with signal 11, Segmentation fault.
#0 0xb6022c71 in socket_process (thread=<value optimized out>) at chan_iax2.c:9451
9451 if (ast_test_flag(iaxs[fr->callno], IAX_ENCRYPTED)) {
(gdb) bt
#0 0xb6022c71 in socket_process (thread=<value optimized out>) at chan_iax2.c:9451
#1 0xb602bfa1 in iax2_process_thread (data=0xb8fb5748) at chan_iax2.c:11133
#2 0xb76b56b4 in dummy_start (data=0xb8fb1fb0) at utils.c:968
#3 0xb714b80e in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
#4 0xb735e7ee in clone () from /lib/tls/i686/cmov/libc.so.6

This bug was reported as part of another bug report in the Asterisk issues system (https://bit.ly/2BtN52W) and fixed in both the 1.4 and 1.6.2 lines (the patch is the same for both lines):

https://bit.ly/2BtN52W

Please consider applying this patch, as it is causing Asterisk-wide crashes. Thank you.
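The kernel segfault line quoted above already tells a triager most of what the backtrace later confirms. As an added example (not part of this report or of Asterisk), the following Python helper decodes such a line: it derives the crash offset inside chan_iax2.so (independent of where the library was loaded), decodes the x86 page-fault error code, and flags a fault address below the first page as a dereference through a NULL pointer plus a struct field offset, which is exactly the signature of `iaxs[fr->callno]` being NULL. The sample line is constructed to match the one in the report.

```python
import re

# Constructed sample: the same shape as the kernel message quoted in the report.
SAMPLE_LINE = ("[442046.620342] asterisk[8552]: segfault at 48d ip b6022c71 "
               "sp b4ee04a0 error 4 in chan_iax2.so[b5ff2000+48000]")

# Matches the classic x86 Linux "segfault at ..." message (hex fields carry no 0x).
SEGV_RE = re.compile(
    r"(?P<comm>[^\s\[]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) "
    r"in (?P<obj>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)

# Page 0 is never mapped on Linux, so a fault below this is a dereference
# through a NULL base pointer; the fault address is then the field offset.
NEAR_NULL_LIMIT = 0x1000

def parse_segfault(line):
    """Decode one segfault line into its fields, or return None if it does not match."""
    m = SEGV_RE.search(line)
    if not m:
        return None
    addr, ip = int(m["addr"], 16), int(m["ip"], 16)
    base, size = int(m["base"], 16), int(m["size"], 16)
    err = int(m["err"])
    return {
        "comm": m["comm"],
        "pid": int(m["pid"]),
        "object": m["obj"],
        "fault_addr": addr,
        # Offset of the faulting instruction inside the shared object: what
        # addr2line/gdb need to map it to a source line, regardless of ASLR.
        "ip_offset": ip - base if base <= ip < base + size else None,
        # x86 page-fault error code bits: 1 = protection violation (else page
        # not present), 2 = write (else read), 4 = user mode (else kernel).
        "protection_violation": bool(err & 1),
        "write": bool(err & 2),
        "user_mode": bool(err & 4),
        "near_null": addr < NEAR_NULL_LIMIT,
    }

def triage(line):
    """Return a one-line classification suitable for an alert or a ticket title."""
    f = parse_segfault(line)
    if f is None:
        return "not a segfault line"
    kind = "write" if f["write"] else "read"
    where = (f"{f['object']}+0x{f['ip_offset']:x}" if f["ip_offset"] is not None
             else "unknown object")
    if f["near_null"]:
        return (f"{f['comm']}[{f['pid']}]: NULL-based {kind} at struct offset "
                f"0x{f['fault_addr']:x} in {where}")
    return f"{f['comm']}[{f['pid']}]: invalid {kind} of 0x{f['fault_addr']:x} in {where}"
```

For the line in this report it yields a NULL-based read at offset 0x48d inside chan_iax2.so+0x30c71, which matches the `ast_test_flag(iaxs[fr->callno], ...)` frame in the gdb output.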

Changed in asterisk:
status: Unknown → In Progress
Revision history for this message
Roberto D'Auria (everlastingfire) wrote :

I patched the source, here's the debdiff.
This is my first patch, so I hope I've done it well. Any comment/suggestion will be very useful.

Changed in asterisk (Ubuntu):
status: New → Confirmed
Roberto D'Auria (everlastingfire) wrote :

Changed karmic to karmic-proposed and added a '#' before LP number.

Changed in asterisk (Ubuntu):
status: Confirmed → New
Devid Antonio Filoni (d.filoni) wrote :

ubuntu-sru ACK.

Devid Antonio Filoni (d.filoni) wrote :

Package uploaded.

Changed in asterisk (Ubuntu):
status: New → Confirmed
Changed in asterisk (Ubuntu Karmic):
status: New → Confirmed
Roberto D'Auria (everlastingfire) wrote :

I updated lucid package too, by adding the old patches (already in karmic) and the new one that fixes this bug.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package asterisk - 1:1.6.2.0~rc2-0ubuntu2

---------------
asterisk (1:1.6.2.0~rc2-0ubuntu2) lucid; urgency=low

  [ Dave Walker (Daviey) ]
  * SECURITY UPDATE: ACL not respected on SIP INVITE (LP: #491632).
    - debian/patches/AST-2009-007: Additional check in channels/chan_sip.c to
      check ACL for handling SIP INVITEs. This blocks calls on networks
      intended to be prohibited, by configuration. Based on upstream patch.
    - AST-2009-007
    - CVE-2009-3723
  * SECURITY UPDATE: SIP responses expose valid usernames (LP: #491637).
    - debian/patches/AST-2009-008: Sanitise certain return of REGISTER message
      to stop a specially crafted series of requests returning valid usernames.
      Based on upstream patch.
    - AST-2009-008
    - CVE-2009-3727
  * SECURITY UPDATE: RTP Remote Crash Vulnerability (LP: #493555).
    - debian/patches/AST-2009-010: Stops Asterisk from crashing when an RTP
      comfort noise payload containing 24 bytes or greater is received.
    - AST-2009-010
    - CVE-2009-4055

  [ Roberto D'Auria ]
  * debian/patches/iax2-heavy-traffic-fix: Stops asterisk crashing on
    heavy traffic on iax2 channel, editing channels/chan_iax2.c.
    Based on upstream patch. (LP: #501116)
 -- Roberto D'Auria <email address hidden> Wed, 30 Dec 2009 14:49:24 +0100

Changed in asterisk (Ubuntu):
status: Confirmed → Fix Released
Scott Kitterman (kitterman) wrote : Please test proposed package

Accepted into karmic-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in asterisk (Ubuntu Karmic):
status: Confirmed → Fix Committed
tags: added: verification-needed
Ryan Finnie (fo0bar) wrote :

Thanks Scott. They have not yet hit the mirrors, but I have downloaded the .debs from LP and begun testing. The patch is correct and there does not appear to be build regressions, but I will continue testing and post back later.

For anyone else that wants to test, the problem is a race condition, but I did work out a procedure for triggering it somewhat consistently:

1. Set up 2 asterisk servers, Server A and Server B (the affected server). Ideally the servers should be far enough away on the network (in my setup, they're 90ms RTT from each other).
2. Register Twinkle with Server A.
3. Set up a dial plan that allows Twinkle to call Server B via Server A with Dial(IAX2/serverb/s,60). The endpoint on Server B must pick up immediately, for example Answer() and Playback(tt-weasels).
4. Dial the endpoint with Twinkle, then hang up.
5. Rapidly toggle between F12 (redial) and Esc (hang up).
6. Server B should eventually segfault if unpatched, but should not if patched.

Ryan Finnie (fo0bar) wrote :

The karmic-proposed packages have been running for the work week in production without a problem, so I can confirm the patched version as verified. Thank you.

Martin Pitt (pitti)
tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package asterisk - 1:1.6.2.0~rc2-0ubuntu1.2

---------------
asterisk (1:1.6.2.0~rc2-0ubuntu1.2) karmic-proposed; urgency=low

  * debian/patches/iax2-heavy-traffic-fix: Stops asterisk crashing on
    heavy traffic on iax2 channel, editing channels/chan_iax2.c.
    Based on upstream patch. (LP: #501116)
 -- Roberto D'Auria <email address hidden> Tue, 29 Dec 2009 22:42:00 +0100

Changed in asterisk (Ubuntu Karmic):
status: Fix Committed → Fix Released
Ryan Finnie (fo0bar) wrote :

Bug was fixed as part of #15609, but unrelated to it. Therefore this is actually fixed in Asterisk, so the bug does not need to be tracked.

Changed in asterisk:
importance: Unknown → Undecided
status: In Progress → New
status: New → Fix Released
tranadols (tramadols)
description: updated