[Home]

Summary:ASTERISK-30156: sip_rtp_read: crash for video rtp session variable (vrtp) not inizialized
Reporter:Diego Busacca (dbusacca)Labels:
Date Opened:2022-07-26 04:40:15Date Closed:
Priority:MajorRegression?
Status:Open/NewComponents:Channels/chan_sip/SRTP
Versions:16.8.0 Frequency of
Occurrence		Frequent
Related
Issues:
Environment:Centos 7.8 64 bitAttachments:
Description:Hello,
in a new installation we're experiencing some random crash. Analyzing the core dump with gdb we traced back the issue to a null pointer exception in sip_rtp_read of chan_sip

We're using asterisk 16.8-cert5 but the affected function is the same in main.

Using {{gdb}} and {{bt}} we got:

{noformat}
#0  ast_rtp_instance_read (instance=0x0, rtcp=rtcp@entry=1) at rtp_engine.c:583
#1  0x00007f06fca3f421 in sip_rtp_read (faxdetect=<synthetic pointer>, p=0x7f05943f8b50, ast=0x7f0568a88e90) at chan_sip.c:8625
#2  sip_read (ast=0x7f0568a88e90) at chan_sip.c:8722
#3  0x00000000004b1852 in __ast_read (chan=0x7f0568a88e90, dropaudio=dropaudio@entry=0, dropnondefault=dropnondefault@entry=1) at channel.c:3757
#4  0x00000000004b258c in ast_read (chan=<optimized out>) at channel.c:4285
#5  0x00007f06f7b00c8b in run_agi (argv=0x7f05268e3978, argc=<optimized out>, dead=0, status=0x7f05268e3830, pid=<optimized out>, agi=0x7f05268e38a0, request=<optimized out>, chan=0x7f0568a88e90) at res_agi.c:4180
#6  agi_exec_full (chan=<optimized out>, data=<optimized out>, enhanced=<optimized out>, dead=<optimized out>) at res_agi.c:4530
#7  0x0000000000535b29 in pbx_exec (c=c@entry=0x7f0568a88e90, app=app@entry=0x35e4fb0, data=data@entry=0x7f05268e5b30 "agi://127.0.0.1:9130/cc_service.agi?TELENIA=2_0_3_2_HOLIDAYBASIC_0_0_0") at pbx_app.c:492
#8  0x0000000000529190 in pbx_extension_helper (c=c@entry=0x7f0568a88e90, context=0x7f0568a89850 "telenia_services_op", exten=exten@entry=0x7f0568a898a0 "2_0_3_2_HOLIDAYBASIC_0_0_0", priority=priority@entry=1,
   label=label@entry=0x0, callerid=callerid@entry=0x7f058c0431c0 "3059", action=action@entry=E_SPAWN, found=found@entry=0x7f05268e7bc0, combined_find_spawn=combined_find_spawn@entry=1, con=0x0) at pbx.c:2947
#9  0x000000000052b28a in ast_spawn_extension (combined_find_spawn=1, found=0x7f05268e7bc0, callerid=0x7f058c0431c0 "3059", priority=1, exten=0x7f0568a898a0 "2_0_3_2_HOLIDAYBASIC_0_0_0", context=<optimized out>,
   c=0x7f0568a88e90) at pbx.c:4197
#10 __ast_pbx_run (c=c@entry=0x7f0568a88e90, args=args@entry=0x0) at pbx.c:4371
#11 0x000000000052c7cb in pbx_thread (data=data@entry=0x7f0568a88e90) at pbx.c:4695
#12 0x00000000005acecd in dummy_start (data=<optimized out>) at utils.c:1249
#13 0x00007f0763ac4ea5 in start_thread (arg=0x7f05268e8700) at pthread_create.c:307
#14 0x00007f0762e658dd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
{noformat}


Analizing the {{frame 1}} we got:

{noformat}
8625                    f = ast_rtp_instance_read(p->vrtp, 1);  /* RTCP Control Channel for video */
{noformat}

In sip_rtp_read there is a NULL guard for p->rtp but not for p->vrtp.

{noformat}
/*! \brief Read RTP from network */
static struct ast_frame *sip_rtp_read(struct ast_channel *ast, struct sip_pvt *p, int *faxdetect)
{
/* Retrieve audio/etc from channel.  Assumes p->lock is already held. */
struct ast_frame *f;

if (!p->rtp) {
/* We have no RTP allocated for this channel */
return &ast_null_frame;
}

switch(ast_channel_fdno(ast)) {
case 0:
f = ast_rtp_instance_read(p->rtp, 0); /* RTP Audio */
break;
case 1:
f = ast_rtp_instance_read(p->rtp, 1); /* RTCP Control Channel */
break;
case 2:
f = ast_rtp_instance_read(p->vrtp, 0); /* RTP Video */
break;
case 3:
f = ast_rtp_instance_read(p->vrtp, 1); /* RTCP Control Channel for video */
break;
{noformat}

We're thinking to add a NULL safety guard in the vrtp swicth casese:

{noformat}
case 2:
               if (!p->vrtp) {
    /* We have no VRTP allocated for this channel */
                    return &ast_null_frame;
       }
f = ast_rtp_instance_read(p->vrtp, 0); /* RTP Video */
break;
case 3:
               if (!p->vrtp) {
    /* We have no VRTP allocated for this channel */
                    return &ast_null_frame;
       }
f = ast_rtp_instance_read(p->vrtp, 1); /* RTCP Control Channel for video */
               break;
{noformat}

There can be unexpected behaviors?

Comments:By: Asterisk Team (asteriskteam) 2022-07-26 04:40:21.880-0500

Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution. Please note that log messages and other files should not be sent to the Sangoma Asterisk Team unless explicitly asked for. All files should be placed on this issue in a sanitized fashion as needed.

A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report.

Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

Please note that once your issue enters an open state it has been accepted. As Asterisk is an open source project there is no guarantee or timeframe on when your issue will be looked into. If you need expedient resolution you will need to find and pay a suitable developer. Asking for an update on your issue will not yield any progress on it and will not result in a response. All updates are posted to the issue when they occur.

Please note that by submitting data, code, or documentation to Sangoma through JIRA, you accept the Terms of Use present at [https://www.asterisk.org/terms-of-use/|https://www.asterisk.org/terms-of-use/].
By: Joshua C. Colp (jcolp) 2022-07-26 05:08:53.893-0500

The chan_sip module is community supported, so you are free to put such a change up for review after signing the license agreement. Note that such a change will not go into any current certified version. If you are a support customer, then you should go through Sangoma Support.

That doesn't answer this question though: why does chan_sip think it has to read video, when there is no video.