Summary: | ASTERISK-28743: Asterisk is crashing if the 200 OK with SDP | ||
Reporter: | sungtae kim (pchero) | Labels: | security |
Date Opened: | 2020-02-14 02:42:29.000-0600 | Date Closed: | 2020-03-25 07:31:47 |
Priority: | Major | Regression? | |
Status: | Closed/Complete | Components: | Resources/res_pjsip |
Versions: | 16.8.0 17.2.0 | Frequency of Occurrence | |
Related Issues: | |||
Environment: | Attachments: | ||
Description: | When Asterisk receives a 200 OK with SDP, the pjsip module fires a couple of callback functions.
But in some conditions, this creates a race condition and eventually causes the crash. For example,
* If the outgoing call is connected to an existing Bridge, Asterisk sends a Re-Invite after receiving the 200 OK.
* But if the received SDP was not acceptable, Asterisk proceeds with a hangup procedure.
* These 2 actions, sending the reinvite and doing the hangup, create a race condition in ast_sip_session_refresh().

{noformat}
(gdb) where
#0 0x00007f8f187f10c2 in pj_strdup (pool=0x7f8f04068e80, dst=0x7f8edc219398, src=0x0) at ../include/pj/string_i.h:40
#1 0x00007f8f1879ae84 in pjmedia_sdp_neg_modify_local_offer2 (pool=0x7f8f04068e80, neg=0x7f8f04571270, flags=1, local=0x7f8edc0a8af8) at ../src/pjmedia/sdp_neg.c:336
#2 0x00007f8f187178b0 in pjsip_inv_reinvite (inv=0x7f8f04110638, new_contact=0x0, new_offer=0x7f8edc0a8af8, p_tdata=0x7f8eaba18ba0) at ../src/pjsip-ua/sip_inv.c:3004
#3 0x00007f8ec6fcbdb1 in ast_sip_session_refresh (session=0x7f8f04097cd0, on_request_creation=0x0, on_sdp_creation=0x0, on_response=0x7f8eafdc6786 <on_topology_change_response>, method=AST_SIP_SESSION_REFRESH_METHOD_INVITE, generate_new_sdp=1, media_state=0x7f8ee801aef0) at res_pjsip_session.c:1768
#4 0x00007f8ec6fca580 in send_delayed_request (session=0x7f8f04097cd0, delay=0x7f8f04ee6020) at res_pjsip_session.c:1256
#5 0x00007f8ec6fca8e2 in invite_terminated (vsession=0x7f8f04097cd0) at res_pjsip_session.c:1355
#6 0x0000557ce3889d5a in ast_taskprocessor_execute (tps=0x7f8f042299a0) at taskprocessor.c:1237
#7 0x0000557ce3893954 in execute_tasks (data=0x7f8f042299a0) at threadpool.c:1354
#8 0x0000557ce3889d5a in ast_taskprocessor_execute (tps=0x557ce6683d30) at taskprocessor.c:1237
#9 0x0000557ce3891507 in threadpool_execute (pool=0x557ce6683a70) at threadpool.c:367
#10 0x0000557ce3893186 in worker_active (worker=0x7f8efc0014a0) at threadpool.c:1137
#11 0x0000557ce3892ef6 in worker_start (arg=0x7f8efc0014a0) at threadpool.c:1056
#12 0x0000557ce389c896 in dummy_start (data=0x7f8efc001f90) at utils.c:1249
#13 0x00007f8f16e834a4 in start_thread (arg=0x7f8eaba19700) at pthread_create.c:456
#14 0x00007f8f15744d0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97
(gdb) frame 2
#2 0x00007f8f187178b0 in pjsip_inv_reinvite (inv=0x7f8f04110638, new_contact=0x0, new_offer=0x7f8edc0a8af8, p_tdata=0x7f8eaba18ba0) at ../src/pjsip-ua/sip_inv.c:3004
3004                status = pjmedia_sdp_neg_modify_local_offer2(
(gdb) list 2980
2975
2976        } else switch (pjmedia_sdp_neg_get_state(inv->neg)) {
2977
2978            case PJMEDIA_SDP_NEG_STATE_NULL:
2979                pj_assert(!"Unexpected SDP neg state NULL");
2980                status = PJ_EBUG;
2981                goto on_return;
2982
2983            case PJMEDIA_SDP_NEG_STATE_LOCAL_OFFER:
2984                PJ_LOG(4,(inv->obj_name,
2985                          "pjsip_inv_reinvite: already have an offer, new "
2986                          "offer is ignored"));
2987                break;
2988
2989            case PJMEDIA_SDP_NEG_STATE_REMOTE_OFFER:
2990                status = pjmedia_sdp_neg_set_local_answer(inv->pool_prov,
2991                                                          inv->neg,
2992                                                          new_offer);
2993                if (status != PJ_SUCCESS)
2994                    goto on_return;
2995                break;
2996
2997            case PJMEDIA_SDP_NEG_STATE_WAIT_NEGO:
2998                PJ_LOG(4,(inv->obj_name,
2999                          "pjsip_inv_reinvite: SDP in WAIT_NEGO state, new "
3000                          "offer is ignored"));
3001                break;
3002
3003            case PJMEDIA_SDP_NEG_STATE_DONE:
3004                status = pjmedia_sdp_neg_modify_local_offer2(
3005                                        inv->pool_prov, inv->neg,
3006                                        inv->sdp_neg_flags, new_offer);
3007                if (status != PJ_SUCCESS)
3008                    goto on_return;
3009                break;
3010            }
3011        }
(gdb) p inv->neg->state
$30 = PJMEDIA_SDP_NEG_STATE_LOCAL_OFFER
{noformat} | ||
Comments: | By: Asterisk Team (asteriskteam) 2020-02-14 02:42:52.560-0600

Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution.

A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report.

Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

Please note that once your issue enters an open state it has been accepted. As Asterisk is an open source project there is no guarantee or timeframe on when your issue will be looked into. If you need expedient resolution you will need to find and pay a suitable developer. Asking for an update on your issue will not yield any progress on it and will not result in a response. All updates are posted to the issue when they occur.

By: Friendly Automation (friendly-automation) 2020-03-25 07:31:48.765-0500

Change 13900 merged by Joshua Colp: res_pjsip_session: Fixed wrong session termination [https://gerrit.asterisk.org/c/asterisk/+/13900|https://gerrit.asterisk.org/c/asterisk/+/13900]

By: Friendly Automation (friendly-automation) 2020-03-25 07:34:40.577-0500

Change 13806 merged by Joshua Colp: res_pjsip_session: Fixed wrong session termination [https://gerrit.asterisk.org/c/asterisk/+/13806|https://gerrit.asterisk.org/c/asterisk/+/13806]

By: Friendly Automation (friendly-automation) 2020-03-25 07:56:19.531-0500

Change 13898 merged by Joshua Colp: res_pjsip_session: Fixed wrong session termination [https://gerrit.asterisk.org/c/asterisk/+/13898|https://gerrit.asterisk.org/c/asterisk/+/13898]

By: Friendly Automation (friendly-automation) 2020-03-25 07:56:29.719-0500

Change 13899 merged by Joshua Colp: res_pjsip_session: Fixed wrong session termination [https://gerrit.asterisk.org/c/asterisk/+/13899|https://gerrit.asterisk.org/c/asterisk/+/13899] |