| Summary: | ASTERISK-15010: [patch] asterisk crashes when there are no RTP port left | ||
| Reporter: | Johann Steinwendtner (steinwej) | Labels: | |
| Date Opened: | 2009-10-19 10:51:28 | Date Closed: | 2009-11-06 11:02:15.000-0600 |
| Priority: | Blocker | Regression? | No |
| Status: | Closed/Complete | Components: | Channels/chan_sip/General |
| Versions: | Frequency of Occurrence | ||
| Related Issues: | |||
| Environment: | Attachments: | ( 0) gdb.asterisk ( 1) no_RTP.diff | |
| Description: | To reproduce in the lab I changed sip.conf to consume a lot of UDP ports: videosupport=yes t38pt_udptl=yes rtp.conf: rtpstart=8000 rtpend=8006 I also configured a sip connection to a different system. Asterisk 1.4: The first call (SIP ATA - calls SIP trunk) goes through. The second call is aborted. Asterisk behaves good. [Oct 19 17:26:24] ERROR[1976]: rtp.c:1965 ast_rtp_new_with_bindaddr: No RTP ports remaining. Can't setup media stream for this call. [Oct 19 17:26:24] WARNING[1976]: chan_sip.c:4497 sip_alloc: Unable to create RTP audio and video session: Address already in use [Oct 19 17:26:24] ERROR[1976]: chan_sip.c:16076 sip_request_call: Unable to build sip pvt data for 'sip-test-t38/01229922888w' (Out of memory or socket error) [Oct 19 17:26:24] WARNING[1976]: app_dial.c:1183 dial_exec_full: Unable to create channel of type 'SIP' (cause 42 - Switching equipment congestion) But asterisk 1.6.0: First call goes through. But the second call crashes the system. | ||
| Comments: | By: Johann Steinwendtner (steinwej) 2009-10-19 10:58:42 If you need anything in addition, please let me know. But I think it can be reproduced everytime. By: Leif Madsen (lmadsen) 2009-10-21 09:49:13 Thanks for the information! I don't think there is anything else required at this time. By: Johann Steinwendtner (steinwej) 2009-10-21 10:04:03 function sip_alloc: I think it is wrong to call ast_free for the pvt struct. if the rtp port allocation fails. By: Elazar Broad (ebroad) 2009-10-21 11:52:05 Did you test this patch? By: Johann Steinwendtner (steinwej) 2009-10-22 00:53:15 Yes I did test it in the lab. (I wouldn't dare) However, the uploaded patch is incomplete. There is an ast_free() at the beginning of sip_alloc when ast_string_field_init() fails. This needs also be addressed. By: Johann Steinwendtner (steinwej) 2009-10-22 01:03:17 I would also consider this as a security issue. One of our customer caused this kind of crash. By: Digium Subversion (svnbot) 2009-11-06 11:02:14.000-0600 Repository: asterisk Revision: 228415 U branches/1.6.0/channels/chan_sip.c ------------------------------------------------------------------------ r228415 | file | 2009-11-06 11:02:13 -0600 (Fri, 06 Nov 2009) | 7 lines Fix a crash caused by freeing a dialog directly instead of using dialog_unref. (closes issue ASTERISK-15010) Reported by: steinwej Patches: no_RTP.diff uploaded by steinwej (license 841) ------------------------------------------------------------------------ http://svn.digium.com/view/asterisk?view=rev&revision=228415 | ||