Summary:ASTERISK-21211: chan_iax2 - unprotected access of iaxs[peer->callno] potentially results in segfault
Reporter:Jaco Kroon (jkroon)Labels:
Date Opened:2013-03-06 11:52:46.000-0600Date Closed:2015-04-08 07:00:36
Versions:11.2.1 Frequency of
Environment:Attachments:( 0) asterisk-11.2.1-iax2_poke-segfault.diff
Description:chan_iax2.c, specifically in function iax2_poke_peer, a completely unprotected access to iaxs[peer->callno] is made.  Specifically I had a segfault trigger on line 12230, an access to iaxs[peer->callno] - the second in a sequence, so peer->callno can definitely change between the two

It is my understanding that:

1.  peer->callno can change outside of the function , thus it's probably unsafe to use the raw value as per lines 12223, 12229 and 12230.  I believe this should be callno, and not peer->callno.  Please correct me if I'm wrong.  This can either happen by us calling iax2_destroy, or simply another thread also scheduling a POKE on the same peer.

2.  All reads and writes to iaxs[X] should be protected by a lock of iaxsl[X].  Lines 12229 and 12230 violates this currently.

I suspect my crash resulted from a sequence where a POKE was in process of being scheduled, another thread then called iax2_poke_peer for the same peer, called iax2_destroy on the iaxs[] busy being set up, and *boom* major catastrophe.
Comments:By: Jaco Kroon (jkroon) 2013-03-06 12:04:46.923-0600

Suggested patch.

By: Y Ateya (yateya) 2015-04-05 09:05:35.428-0500

@Jaco Kroon: Were you able to re-produce this problem?

The patch seems reasonable. Could you please create review board with this patch?

By: Jaco Kroon (jkroon) 2015-04-07 06:11:05.425-0500

Haven't been running asterisk without this patch since I submitted it.  Wouldn't know, but I would expect a deadlock or some other badness if this patch became superfluous.


By: Matt Jordan (mjordan) 2015-04-08 07:00:24.359-0500

Merged in 11/13/trunk. Thanks for the patch/bug fix!