| Summary: | ASTERISK-25057: res_pjsip_pubsub: Crash in send_notify due to invalid root pointer in sub_tree |
| Reporter: | Matt Jordan (mjordan) |
| Labels: | |
| Date Opened: | 2015-05-04 21:33:50 |
| Date Closed: | 2015-05-07 15:11:52 |
| Priority: | Major |
| Regression? | |
| Status: | Closed/Complete |
| Components: | Resources/res_pjsip_pubsub |
| Versions: | 13.3.2 |
| Frequency of Occurrence | |
| Related Issues: | |
| Environment: | |
| Attachments: | |
Description:

Note that we don't have the best backtraces for this crash, although the {{core}} file displays exactly what the problem is.

{code}
(gdb) bt full
#0  0x047ab62e in send_notify (sub_tree=0x9298fe4, force_full_state=0) at res_pjsip_pubsub.c:2062
        evsub = 0x0
        tdata = 0x344d660
#1  0x047ab911 in ast_sip_subscription_notify (sub=0x998be34, notify_data=0xb14620f4, terminate=0) at res_pjsip_pubsub.c:2154
        res = 134840417
#2  0x0114b524 in notify_task (obj=0x9d601afc) at res_pjsip_exten_state.c:240
        task_data = 0x9d601afc
        data = {body_type = 0x114beee "ast_sip_exten_state_data", body_data = 0x9d601afc}
#3  0x081f50bc in ast_taskprocessor_execute ()
No symbol table info available.
#4  0x081fd13d in execute_tasks ()
No symbol table info available.
#5  0x081f50bc in ast_taskprocessor_execute ()
No symbol table info available.
#6  0x081fba29 in threadpool_execute ()
No symbol table info available.
#7  0x081fce60 in worker_active ()
No symbol table info available.
#8  0x081fcc20 in worker_start ()
No symbol table info available.
#9  0x0820725c in dummy_start ()
No symbol table info available.
#10 0x009f8b39 in start_thread () from /lib/libpthread.so.0
No symbol table info available.
#11 0x00908c2e in clone () from /lib/libc.so.6
No symbol table info available.
(gdb)
{code}

Looking at the code in {{res_pjsip_pubsub.c:2062}}, we don't have anything quite obvious that would cause the crash. Somewhat more likely is what we see on the next line:

{code}
2061: pjsip_evsub *evsub = sub_tree->evsub;
2062: pjsip_tx_data *tdata;
2063:
2064: if (ast_shutdown_final() && sub_tree->root->subscription_state == PJSIP_EVSUB_STATE_TERMINATED && sub_tree->persistence) {
2065:     return 0;
2066: }
{code}

Simply declaring {{tdata}} on the stack shouldn't do anything. Dereferencing {{sub_tree}} is more likely our problem.

The core file shows the following:

{code}
(gdb) print *sub_tree
$1 = {endpoint = 0x0, serializer = 0x0, role = AST_SIP_SUBSCRIBER, persistence = 0x0, evsub = 0x0, dlg = 0x0,
  notification_batch_interval = 0, notify_sched_id = 1929405545, send_scheduled_notify = 1885302889,
  root = 0x69766f72, is_list = 1601332580, next = {next = 0x68}}
(gdb) print *sub_tree->root
Cannot access memory at address 0x69766f72
(gdb)
{code}

So that's no good.
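One quick triage step on a {{print *sub_tree}} dump like the one above is to read the "garbage" integers and pointers as raw bytes: when a freed block has already been handed to a new allocation, the stale struct fields frequently spell out recognisable text, which is strong evidence that the object was freed before the queued task dereferenced it. The script below is an added example for this report, not code from the report or from Asterisk; it packs each value copied from the dump as a 32-bit little-endian word (an assumption, chosen because the backtrace shows 4-byte addresses; on a 64-bit host the pointer fields would be 8 bytes wide) and flags the fields whose bytes are all printable ASCII or NUL.

```python
import struct

# Field values copied verbatim from the `print *sub_tree` output in the report,
# in the order gdb printed them (which is declaration order).
SUB_TREE_FIELDS = [
    ("notify_sched_id", 1929405545),
    ("send_scheduled_notify", 1885302889),
    ("root", 0x69766f72),
    ("is_list", 1601332580),
    ("next.next", 0x68),
]


def le32_bytes(value: int) -> bytes:
    """Return the 4 bytes a 32-bit little-endian host stores for `value`.

    Assumption: 32-bit little-endian layout, matching the 4-byte addresses
    in the backtrace. Use "<Q" instead for an 8-byte pointer on x86-64.
    """
    return struct.pack("<I", value & 0xFFFFFFFF)


def printable_ratio(raw: bytes) -> float:
    """Fraction of bytes that are printable ASCII or NUL (a C string terminator)."""
    ok = sum(1 for b in raw if b == 0 or 0x20 <= b < 0x7F)
    return ok / len(raw)


def classify_field(name: str, value: int) -> dict:
    """Describe one dumped field: its hex form, its bytes as text, and whether
    every byte is printable (a pointer that is entirely ASCII is never a valid
    heap address on this platform and almost certainly overwritten data)."""
    raw = le32_bytes(value)
    text = raw.decode("ascii", errors="replace").replace("\x00", "\\0")
    return {
        "field": name,
        "hex": f"0x{value & 0xFFFFFFFF:08x}",
        "bytes_as_text": text,
        "looks_like_text": printable_ratio(raw) == 1.0,
    }


def analyse(fields=SUB_TREE_FIELDS) -> list:
    return [classify_field(name, value) for name, value in fields]


def reassembled_text(fields=SUB_TREE_FIELDS) -> str:
    """Concatenate the raw bytes in struct order. If the allocation was reused
    for a string after the free, consecutive fields read as consecutive text."""
    raw = b"".join(le32_bytes(value) for _, value in fields)
    return raw.decode("ascii", errors="replace")


if __name__ == "__main__":
    for row in analyse():
        flag = "TEXT" if row["looks_like_text"] else "    "
        print(f"{flag} {row['field']:<22} {row['hex']}  {row['bytes_as_text']!r}")
    print("struct bytes in order:", repr(reassembled_text()))
```

Run against the values from this report, every one of the non-zero fields comes back as printable text, and reading them in struct order gives the fragment {{id\0sip_provider_h}}; a {{root}} pointer whose four bytes are the letters {{rovi}} cannot be a live heap object, which is consistent with the "Cannot access memory" error from gdb. The same check applies to any core where a pointer field holds an implausible value: decode it before assuming a logic error in the dereferencing code.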
Comments:

By: JoshE (n8ideas) 2016-04-07 14:30:01.848-0500
Backtrace attached.