Summary: ASTERISK-16039: [patch] [regression] Segmentation fault in check_rtp_timeout
Reporter: under (under)
Labels:
Date Opened: 2010-05-01 05:59:15
Date Closed: 2010-05-19 14:25:21
Priority: Critical
Regression?: Yes
Status: Closed/Complete
Components: Channels/chan_sip/General
Versions:
Frequency of Occurrence:
Related Issues:
Environment:
Attachments: ( 0) check_rtp_timeout.diff

Description:

From gdb:
#0  0x2b233d07 in check_rtp_timeout (dialog=0x378ef268, t=1272709274) at asterisk/channels/chan_sip.c:20395
20395                                   ast_log(LOG_NOTICE, "Disconnecting call '%s' for lack of RTP activity in %ld seconds\n",
(gdb) bt
#0  0x2b233d07 in check_rtp_timeout (dialog=0x378ef268, t=1272709274) at asterisk/channels/chan_sip.c:20395
#1  0x2b2340f5 in do_monitor (data=0x0) at asterisk/channels/chan_sip.c:20469
#2  0x0816e142 in dummy_start (data=0x294e96e8) at asterisk/main/utils.c:861
#3  0x282176ff in pthread_getprio () from /lib/libthr.so.3
#4  0x00000000 in ?? ()
(gdb) fr 0
#0  0x2b233d07 in check_rtp_timeout (dialog=0x378ef268, t=1272709274) at asterisk/channels/chan_sip.c:20395
20395                                   ast_log(LOG_NOTICE, "Disconnecting call '%s' for lack of RTP activity in %ld seconds\n",
(gdb) p dialog
$2 = (struct sip_pvt *) 0x378ef268
(gdb) p dialog->owner    
$4 = (struct ast_channel *) 0x0
(gdb) p dialog->owner->name
Cannot access memory at address 0xc


****** ADDITIONAL INFORMATION ******

This regression has been brought into the 1.6 branches; the 1.4 branch (at least 1.4.21) has correct handling of RTP timeout.

1.6.2 has the same issue too, according to the source code.
Comments:

By: Leif Madsen (lmadsen) 2010-05-01 08:53:43

What is the latest version that does not exhibit this problem? It'd be nice to know approximately where the regression was introduced.

By: under (under) 2010-05-01 12:55:48

I know for sure that in 1.4.21 this issue is absent because the RTP timeout checking in source code (function do_monitor()) there is exactly the same as in my patch.

By: David Vossel (dvossel) 2010-05-19 13:31:55

Nice catch, this patch looks correct.  I'll commit it shortly.  It will only go into 1.6.2 and Trunk though now that 1.6.0 and 1.6.1 are in security fix only mode.



By: Digium Subversion (svnbot) 2010-05-19 14:21:04

Repository: asterisk
Revision: 264331

U   trunk/channels/chan_sip.c

------------------------------------------------------------------------
r264331 | dvossel | 2010-05-19 14:21:04 -0500 (Wed, 19 May 2010) | 13 lines

fixes crash in check_rtp_timeout

During deadlock avoidance the sip dialog pvt is locked and
unlocked.  When this occurs we have no guarantee the pvt's owner
is still valid.  We were trying to access the pvt's owner after
this without checking to see if it still existed first.

(closes issue ASTERISK-16039)
Reported by: under
Patches:
     check_rtp_timeout.diff uploaded by under (license 914)
Tested by: dvossel

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=264331

By: Digium Subversion (svnbot) 2010-05-19 14:25:20

Repository: asterisk
Revision: 264332

_U  branches/1.6.2/
U   branches/1.6.2/channels/chan_sip.c

------------------------------------------------------------------------
r264332 | dvossel | 2010-05-19 14:25:20 -0500 (Wed, 19 May 2010) | 20 lines

Merged revisions 264331 via svnmerge from
https://origsvn.digium.com/svn/asterisk/trunk

........
 r264331 | dvossel | 2010-05-19 14:21:04 -0500 (Wed, 19 May 2010) | 13 lines
 
 fixes crash in check_rtp_timeout
 
 During deadlock avoidance the sip dialog pvt is locked and
 unlocked.  When this occurs we have no guarantee the pvt's owner
 is still valid.  We were trying to access the pvt's owner after
 this without checking to see if it still existed first.
 
 (closes issue ASTERISK-16039)
 Reported by: under
 Patches:
       check_rtp_timeout.diff uploaded by under (license 914)
 Tested by: dvossel
........

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=264332
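
The failure mode described in the r264331 commit message, as an added example that is not code from chan_sip.c or from the attached patch: a pointer read under a lock must be re-checked after a deadlock-avoidance loop has dropped and re-taken that lock. The struct layouts, function names, the `unlocked_window` hook that stands in for another thread, and the channel name are all hypothetical and constructed for this illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins, not Asterisk's struct ast_channel / struct sip_pvt. */
struct channel { const char *name; int busy; /* trylock fails while busy > 0 */ };
struct pvt {
    struct channel *owner;
    void (*unlocked_window)(struct pvt *); /* simulates another thread running */
};

static void pvt_lock(struct pvt *p) { (void)p; }
static void pvt_unlock(struct pvt *p) { if (p->unlocked_window) p->unlocked_window(p); }
static int chan_trylock(struct channel *c) { return c->busy > 0 ? (c->busy--, -1) : 0; }
static void chan_unlock(struct channel *c) { (void)c; }

/* Constructed race: the call is hung up while the pvt lock is released. */
static void hangup_elsewhere(struct pvt *p) { p->owner = NULL; }

/* Returns the channel name to log for the timeout, or NULL if the owner
 * vanished during deadlock avoidance. Caller holds the pvt lock. */
static const char *rtp_timeout_target(struct pvt *p)
{
    const char *name;

    while (p->owner && chan_trylock(p->owner)) {
        pvt_unlock(p);   /* back off so the lock holder can progress */
        pvt_lock(p);     /* owner may have changed by the time we return */
    }
    if (!p->owner)       /* the re-check; without it the next line reads NULL->name */
        return NULL;
    name = p->owner->name;
    chan_unlock(p->owner);
    return name;
}

int main(void)
{
    struct channel ch = { "SIP/constructed-0001", 1 };
    struct pvt dialog = { &ch, hangup_elsewhere };
    const char *n = rtp_timeout_target(&dialog);

    printf("%s\n", n ? n : "owner gone, nothing to disconnect");
    return 0;
}
```

The loop condition itself tests `p->owner`, so the loop exits cleanly when the owner disappears; the crash in the backtrace corresponds to the dereference that follows the loop.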