|Summary:||ASTERISK-21211: chan_iax2 - unprotected access of iaxs[peer->callno] potentially results in segfault|
|Reporter:||Jaco Kroon (jkroon)||Labels:|
|Date Opened:||2013-03-06 11:52:46.000-0600||Date Closed:||2015-04-08 07:00:36|
|Environment:||Attachments:||( 0) asterisk-11.2.1-iax2_poke-segfault.diff|
|Description:||chan_iax2.c, specifically in function iax2_poke_peer, a completely unprotected access to iaxs[peer->callno] is made. Specifically I had a segfault trigger on line 12230, an access to iaxs[peer->callno] - the second in a sequence, so peer->callno can definitely change between the two
It is my understanding that:
1. peer->callno can change outside of the function , thus it's probably unsafe to use the raw value as per lines 12223, 12229 and 12230. I believe this should be callno, and not peer->callno. Please correct me if I'm wrong. This can either happen by us calling iax2_destroy, or simply another thread also scheduling a POKE on the same peer.
2. All reads and writes to iaxs[X] should be protected by a lock of iaxsl[X]. Lines 12229 and 12230 violates this currently.
I suspect my crash resulted from a sequence where a POKE was in process of being scheduled, another thread then called iax2_poke_peer for the same peer, called iax2_destroy on the iaxs busy being set up, and *boom* major catastrophe.
|Comments:||By: Jaco Kroon (jkroon) 2013-03-06 12:04:46.923-0600|
By: Y Ateya (yateya) 2015-04-05 09:05:35.428-0500
@Jaco Kroon: Were you able to re-produce this problem?
The patch seems reasonable. Could you please create review board with this patch?
By: Jaco Kroon (jkroon) 2015-04-07 06:11:05.425-0500
Haven't been running asterisk without this patch since I submitted it. Wouldn't know, but I would expect a deadlock or some other badness if this patch became superfluous.
By: Matt Jordan (mjordan) 2015-04-08 07:00:24.359-0500
Merged in 11/13/trunk. Thanks for the patch/bug fix!