Summary:ASTERISK-05896: [patch] socket_read(), trying to use frame that was free().
Reporter:Dmytro Mishchenko (arkadia)Labels:
Date Opened:2005-12-23 01:34:39.000-0600Date Closed:2006-02-19 22:59:45.000-0600
Versions:Frequency of
Environment:Attachments:( 0) backtr.txt
( 1) bug6054-iax2_dont_deref_freed_frame.patch
Description:According trace the crash is in fr.ts = duped_fr->ts; code.
Here is the context:
duped_fr = iaxfrdup2(&fr);
if (duped_fr) {
       schedule_delivery(duped_fr, updatehistory, 0);
       fr.ts = duped_fr->ts;

Analyzing this condition I see that there is a chance for the frame to be free() in schedule_delivery(). Something is wrong in this logic.
Comments:By: Dmytro Mishchenko (arkadia) 2005-12-23 04:17:08.000-0600

Sorry its not a 1.2 branch. Its Aug 15 2005 HEAD.
But comparing with latest 1.2 branch this code remains the same. It is 13 lines above the end of socket_read().

By: Dmytro Mishchenko (arkadia) 2005-12-26 02:26:51.000-0600

Today I made a test with latest from 1.2 branch and got crash at the same place.

By: Steve Davies . (stevedavies) 2005-12-29 23:22:11.000-0600


Looks like my code, affected I think by some subsequent changes.

I'm not convinced this error is actually the cause of your crash, but it should be fixed anyway.

Please try the attached patch.  (bug6054-iax2_dont_deref_freed_frame.patch)

Bug marshals - irrespective of whether this fixes arkardia's crash or not, this patch should go in.


By: Dmytro Mishchenko (arkadia) 2005-12-30 00:17:40.000-0600

This patch fix the problem. Thanks.

Locally I did nearly the same changes, but I was not sure about the logic you've added to schedule_delivery() for updating ts.

By: Steve Davies . (stevedavies) 2005-12-30 00:55:19.000-0600


Excuse the vague question, but what's different about your box or Asterisk build?

Its not right, but generally you will get away with referencing memory recently freed...


By: Dmytro Mishchenko (arkadia) 2005-12-31 06:07:50.000-0600

No difference. Just regular asterisk with some quick fixes for bugs that I'm reporting but still not officially resolved.

If it not a right logic may be somebody can comment this code and explain proper behavior?

By: Clod Patry (junky) 2006-01-01 08:57:47.000-0600

Since stevedavies'patch fixed his issue.

By: Matt O'Gorman (mogorman) 2006-01-12 15:10:38.000-0600

can anyone else confirm that this patch solves the issue?

By: Olle Johansson (oej) 2006-02-02 01:34:20.000-0600

Please confirm if the patch fixes the issue or not. We need to move on with this patch.

Any more information?


By: Dmytro Mishchenko (arkadia) 2006-02-10 08:45:19.000-0600

I'm not able to reproduce original issue. It happens accidently. If you follow current code you'll see that there is a chance to use frame that was free().
With the patch it suppose to be fixed.
But I don't completely understand changes made for schedule_delivery() so I can't confirm that this patch is correct. Let some IAX protocol guru look on this code.

By: Mark Spencer (markster) 2006-02-19 22:59:27.000-0600

I think you've found the root cause, but it's *much* deeper than this.  There are *so many* places where the jitter buffer causes us to access freed memory.  Anyway I think i've got them all, and i'll try to notify iax2 jitter buffer issue people to update their code.