[asterisk-bugs] [Asterisk 0018291]: [patch] When using Realtime gateway definitions, random crashes occur

Asterisk Bug Tracker noreply at bugs.digium.com
Fri Nov 19 12:00:41 CST 2010


The following issue has been UPDATED. 
====================================================================== 
https://issues.asterisk.org/view.php?id=18291 
====================================================================== 
Reported By:                nahuelgreco
Assigned To:                
====================================================================== 
Project:                    Asterisk
Issue ID:                   18291
Category:                   Channels/chan_mgcp
Reproducibility:            sometimes
Severity:                   crash
Priority:                   normal
Status:                     ready for testing
Asterisk Version:           1.8.0 
JIRA:                        
Regression:                 No 
Reviewboard Link:            
SVN Branch (only for SVN checkouts, not tarball releases):  trunk 
SVN Revision (number only!): 294606 
Request Review:              
====================================================================== 
Date Submitted:             2010-11-10 23:18 CST
Last Modified:              2010-11-19 12:00 CST
====================================================================== 
Summary:                    [patch] When using Realtime gateway definitions,
random crashes occur
Description: 
If you use Realtime MGCP gateways definitions, then Asterisk will randomly
crash. The problem is located in the Realtime gateways pruning process that
runs every 60 seconds. Here unused Realtime gateways are correctly freed
but the gateways linked list is in some cases wrongly relinked, leaving
dangling pointers. The fix is to delete the 3832 line where the 'gprev'
variable is assigned to a freed gateway. 

To illustrate, suppose the following case: you have three gateways in the
list, A->B->C->NULL. B and C will be marked for freeing by
mgcp_prune_realtime_gateway(), but A will persist because it has pending
msgs to send. So:

First loop pass: A will be ignored and gprev will be assigned to A. 

Second loop pass: B will be freed, gprev will be (wrongly) assigned to B
and A->next will be updated to point to C. 

Third loop pass: C will be freed and gprev->next will be updated to the
value in C->next, thats means now B->next will point to NULL. This leaves A
pointing forever to C, a freed gateway. From now the gateways list is
corrupted. 

Note, I never saw Asterisk segfaulting when updating the B->next pointer
in the freed B gateway at the second pass. This makes the problem more
obscure because then Asterisk will segfault at multiple points in
chan_mgcp.c.

A patch is attached with the fix and a little cleanup. The problem is
present in Asterisk 1.8.0 and trunk rev 294606. 

====================================================================== 

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2010-11-19 12:00 lmadsen        Description Updated                          
======================================================================




More information about the asterisk-bugs mailing list