| Field | Value |
|---|---|
| Summary | ASTERISK-05896: [patch] socket_read(), trying to use frame that was free(). |
| Reporter | Dmytro Mishchenko (arkadia) |
| Labels | |
| Date Opened | 2005-12-23 01:34:39.000-0600 |
| Date Closed | 2006-02-19 22:59:45.000-0600 |
| Priority | Critical |
| Regression? | No |
| Status | Closed/Complete |
| Components | Core/General |
| Versions | |
| Frequency of Occurrence | |
| Related Issues | |
| Environment | |
| Attachments | (0) backtr.txt (1) bug6054-iax2_dont_deref_freed_frame.patch |
Description:
According to the trace, the crash is in the `fr.ts = duped_fr->ts;` code. Here is the context:

```c
duped_fr = iaxfrdup2(&fr);
if (duped_fr) {
    schedule_delivery(duped_fr, updatehistory, 0);
    fr.ts = duped_fr->ts;
}
```

Analyzing this condition I see that there is a chance for the frame to be free()d in schedule_delivery(). Something is wrong in this logic.
Comments:

By: Dmytro Mishchenko (arkadia) 2005-12-23 04:17:08.000-0600
Sorry, it's not the 1.2 branch. It's Aug 15 2005 HEAD. But comparing with the latest 1.2 branch, this code remains the same. It is 13 lines above the end of socket_read().

By: Dmytro Mishchenko (arkadia) 2005-12-26 02:26:51.000-0600
Today I made a test with the latest from the 1.2 branch and got a crash at the same place.

By: Steve Davies . (stevedavies) 2005-12-29 23:22:11.000-0600
Hi, Looks like my code, affected I think by some subsequent changes. I'm not convinced this error is actually the cause of your crash, but it should be fixed anyway. Please try the attached patch. (bug6054-iax2_dont_deref_freed_frame.patch) Bug marshals - irrespective of whether this fixes arkadia's crash or not, this patch should go in. Steve

By: Dmytro Mishchenko (arkadia) 2005-12-30 00:17:40.000-0600
This patch fixes the problem. Thanks. Locally I did nearly the same changes, but I was not sure about the logic you've added to schedule_delivery() for updating ts.

By: Steve Davies . (stevedavies) 2005-12-30 00:55:19.000-0600
Arkadia: Excuse the vague question, but what's different about your box or Asterisk build? It's not right, but generally you will get away with referencing memory recently freed... Steve

By: Dmytro Mishchenko (arkadia) 2005-12-31 06:07:50.000-0600
No difference. Just regular Asterisk with some quick fixes for bugs that I'm reporting but are still not officially resolved. If it is not the right logic, maybe somebody can comment this code and explain the proper behavior?

By: Clod Patry (junky) 2006-01-01 08:57:47.000-0600
Since stevedavies' patch fixed his issue.

By: Matt O'Gorman (mogorman) 2006-01-12 15:10:38.000-0600
Can anyone else confirm that this patch solves the issue?

By: Olle Johansson (oej) 2006-02-02 01:34:20.000-0600
Please confirm if the patch fixes the issue or not. We need to move on with this patch. Any more information?
/Housekeeping

By: Dmytro Mishchenko (arkadia) 2006-02-10 08:45:19.000-0600
I'm not able to reproduce the original issue. It happens accidentally. If you follow the current code you'll see that there is a chance to use a frame that was free()d. With the patch it is supposed to be fixed. But I don't completely understand the changes made to schedule_delivery(), so I can't confirm that this patch is correct. Let some IAX protocol guru look at this code.

By: Mark Spencer (markster) 2006-02-19 22:59:27.000-0600
I think you've found the root cause, but it's *much* deeper than this. There are *so many* places where the jitter buffer causes us to access freed memory. Anyway I think I've got them all, and I'll try to notify iax2 jitter buffer issue people to update their code.
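As an added example (not Asterisk's code and not the attached patch), the ownership rule this thread converges on, in C with constructed stand-ins for iaxfrdup2() and schedule_delivery(): the callee may free the frame it is given, so the caller takes the adjusted timestamp back by value and never reads through the pointer again. The 1000-unit delivery window and the timestamp bump are assumptions made for the example.

```c
/* Added example, not Asterisk's code: once a frame is handed to a routine
 * that may free it, the caller reads nothing through that pointer.  Types
 * and rules are constructed stand-ins for iaxfrdup2()/schedule_delivery(). */
#include <stdlib.h>
#include <string.h>

struct frame { unsigned int ts; };

static unsigned int delivered_ts;       /* last timestamp delivered */

/* Stand-in for iaxfrdup2(): heap copy of a stack frame. */
static struct frame *frame_dup(const struct frame *src)
{
    struct frame *f = malloc(sizeof(*f));
    if (f)
        memcpy(f, src, sizeof(*f));
    return f;
}

/* Stand-in for schedule_delivery(): takes ownership of f, may adjust its
 * timestamp (assumed rule: a frame behind the last delivered one is bumped
 * up to it), delivers it inside a 1000-unit window, and frees it on every
 * path.  The final timestamp is returned by value, not via the freed frame. */
static unsigned int schedule_delivery(struct frame *f, unsigned int now)
{
    unsigned int ts = f->ts < delivered_ts ? delivered_ts : f->ts;
    if (ts + 1000 >= now)
        delivered_ts = ts;              /* delivered */
    free(f);                            /* consumed on both paths */
    return ts;
}

/* Hardened caller: take the timestamp from the return value and drop the
 * pointer the moment ownership moves.  Returns 0 only on allocation failure. */
int socket_read_fixed(struct frame *fr, unsigned int now)
{
    struct frame *duped = frame_dup(fr);
    if (!duped)
        return 0;
    fr->ts = schedule_delivery(duped, now);
    duped = NULL;                       /* dangling pointer neutralised */
    return 1;
}

/* Push one frame through the fixed path; returns the timestamp fr ends with. */
unsigned int read_one(unsigned int ts, unsigned int now)
{
    struct frame fr = { ts };
    return socket_read_fixed(&fr, now) ? fr.ts : 0;
}
```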