Summary: ASTERISK-15010: [patch] asterisk crashes when there are no RTP port left
Reporter: Johann Steinwendtner (steinwej)
Labels:
Date Opened: 2009-10-19 10:51:28
Date Closed: 2009-11-06 11:02:15.000-0600
Versions:
Frequency of
Environment:
Attachments: ( 0) gdb.asterisk
( 1) no_RTP.diff
Description: To reproduce in the lab I changed sip.conf to consume a lot of UDP ports:



I also configured a sip connection to a different system.

Asterisk 1.4:
The first call (SIP ATA - calls SIP trunk) goes through.
The second call is aborted. Asterisk behaves well.
[Oct 19 17:26:24] ERROR[1976]: rtp.c:1965 ast_rtp_new_with_bindaddr: No RTP ports remaining. Can't setup media stream for this call.
[Oct 19 17:26:24] WARNING[1976]: chan_sip.c:4497 sip_alloc: Unable to create RTP audio and video session: Address already in use
[Oct 19 17:26:24] ERROR[1976]: chan_sip.c:16076 sip_request_call: Unable to build sip pvt data for 'sip-test-t38/01229922888w' (Out of memory or socket error)
[Oct 19 17:26:24] WARNING[1976]: app_dial.c:1183 dial_exec_full: Unable to create channel of type 'SIP' (cause 42 - Switching equipment congestion)

But asterisk 1.6.0:
First call goes through.
But the second call crashes the system.
Comments:

By: Johann Steinwendtner (steinwej) 2009-10-19 10:58:42

If you need anything in addition, please let me know. But I think it can be reproduced every time.

By: Leif Madsen (lmadsen) 2009-10-21 09:49:13

Thanks for the information! I don't think there is anything else required at this time.

By: Johann Steinwendtner (steinwej) 2009-10-21 10:04:03

function sip_alloc: I think it is wrong to call ast_free for the pvt struct if the RTP port allocation fails.

By: Elazar Broad (ebroad) 2009-10-21 11:52:05

Did you test this patch?

By: Johann Steinwendtner (steinwej) 2009-10-22 00:53:15

Yes I did test it in the lab. (I wouldn't dare)
However, the uploaded patch is incomplete. There is an ast_free() at the beginning of sip_alloc when ast_string_field_init() fails. This also needs to be addressed.

By: Johann Steinwendtner (steinwej) 2009-10-22 01:03:17

I would also consider this as a security issue. One of our customers caused this kind of crash.

By: Digium Subversion (svnbot) 2009-11-06 11:02:14.000-0600

Repository: asterisk
Revision: 228415

U   branches/1.6.0/channels/chan_sip.c

r228415 | file | 2009-11-06 11:02:13 -0600 (Fri, 06 Nov 2009) | 7 lines

Fix a crash caused by freeing a dialog directly instead of using dialog_unref.

(closes issue ASTERISK-15010)
Reported by: steinwej
     no_RTP.diff uploaded by steinwej (license 841)
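
The error-path pattern named in the r228415 commit message, as an added example that is not Asterisk code and not part of this issue: an allocator for a reference-counted object must release it through the unref routine on every failure branch, including the RTP-exhaustion one. The names obj_alloc, obj_unref, dialog_alloc and rtp_open, and the hidden-header layout, are hypothetical and assumed for illustration.

```c
#include <stdlib.h>

/* Hypothetical refcounted-object layout: a hidden header precedes the payload. */
struct obj_hdr { int refcount; void (*destructor)(void *obj); };

static int live_objects;            /* allocated and not yet destroyed */

static void *obj_alloc(size_t size, void (*destructor)(void *))
{
    struct obj_hdr *h = calloc(1, sizeof(*h) + size);
    if (!h) return NULL;
    h->refcount = 1;
    h->destructor = destructor;
    live_objects++;
    return h + 1;                   /* caller never sees the malloc'd address */
}

static void *obj_unref(void *obj)   /* always returns NULL, handy on error paths */
{
    struct obj_hdr *h = (struct obj_hdr *)obj - 1;
    if (--h->refcount == 0) {
        if (h->destructor) h->destructor(obj);
        live_objects--;
        free(h);                    /* the only pointer that is valid for free() */
    }
    return NULL;
}

struct dialog { int rtp_fd; char *fields; };

static void dialog_destroy(void *obj) { free(((struct dialog *)obj)->fields); }

/* Stand-in for RTP setup: fails once the port range is exhausted. */
static int rtp_open(int ports_left) { return ports_left > 0 ? 3 : -1; }

static struct dialog *dialog_alloc(int ports_left)
{
    struct dialog *d = obj_alloc(sizeof(*d), dialog_destroy);
    if (!d) return NULL;
    if (!(d->fields = malloc(64)))
        return obj_unref(d);        /* early failure: same release path */
    if ((d->rtp_fd = rtp_open(ports_left)) < 0)
        return obj_unref(d);        /* free(d) here would pass free() an interior pointer */
    return d;
}

/* Exit status 0 when the exhausted-ports path fails cleanly and leaks nothing. */
int main(void) { return (dialog_alloc(0) == NULL && live_objects == 0) ? 0 : 1; }
```

Calling free() on the payload pointer in either failure branch would give the heap allocator an address it never returned, which is undefined behaviour and typically aborts the process.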