[asterisk-bugs] [Asterisk 0018291]: [patch] When using Realtime gateway definitions, random crashes occur

Asterisk Bug Tracker noreply at bugs.digium.com
Sat Nov 27 11:12:00 CST 2010


A NOTE has been added to this issue. 
====================================================================== 
https://issues.asterisk.org/view.php?id=18291 
====================================================================== 
Reported By:                nahuelgreco
Assigned To:                
====================================================================== 
Project:                    Asterisk
Issue ID:                   18291
Category:                   Channels/chan_mgcp
Reproducibility:            sometimes
Severity:                   crash
Priority:                   normal
Status:                     ready for testing
Asterisk Version:           1.8.0 
JIRA:                       SWP-2568 
Regression:                 No 
Reviewboard Link:            
SVN Branch (only for SVN checkouts, not tarball releases):  trunk 
SVN Revision (number only!): 294606 
Request Review:              
====================================================================== 
Date Submitted:             2010-11-10 23:18 CST
Last Modified:              2010-11-27 11:12 CST
====================================================================== 
Summary:                    [patch] When using Realtime gateway definitions,
random crashes occur
Description: 
If you use Realtime MGCP gateway definitions, then Asterisk will randomly
crash. The problem is located in the Realtime gateways pruning process that
runs every 60 seconds. Here unused Realtime gateways are correctly freed
but the gateways linked list is in some cases wrongly relinked, leaving
dangling pointers. The fix is to delete the 3832 line where the 'gprev'
variable is assigned to a freed gateway. 

To illustrate, suppose the following case: you have three gateways in the
list, A->B->C->NULL. B and C will be marked for freeing by
mgcp_prune_realtime_gateway(), but A will persist because it has pending
msgs to send. So:

First loop pass: A will be ignored and gprev will be assigned to A. 

Second loop pass: B will be freed, gprev will be (wrongly) assigned to B
and A->next will be updated to point to C. 

Third loop pass: C will be freed and gprev->next will be updated to the
value in C->next, that means now B->next will point to NULL. This leaves A
pointing forever to C, a freed gateway. From now on the gateways list is
corrupted. 

Note, I never saw Asterisk segfaulting when updating the B->next pointer
in the freed B gateway at the second pass. This makes the problem more
obscure because then Asterisk will segfault at multiple points in
chan_mgcp.c.

A patch is attached with the fix and a little cleanup. The problem is
present in Asterisk 1.8.0 and trunk rev 294606. 

====================================================================== 
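
The relinking described in the report above, as an added example that is not part of the original report or the Asterisk source: a simplified C model of the pruning loop. The names struct gw, prune_list and dangling_after_prune are hypothetical, and a freed flag stands in for free() so the list can be inspected safely afterwards.

```c
#include <stdio.h>

/* Simplified model of a gateway list node; not the chan_mgcp.c structure. */
struct gw {
    int prune;          /* marked for removal by the pruning pass */
    int freed;          /* set instead of calling free(), so the list stays inspectable */
    struct gw *next;
};
static int stale_writes; /* writes through gprev into an already "freed" node */

static struct gw *prune_list(struct gw *head, int buggy)
{
    struct gw *g, *gnext, *gprev = NULL;
    for (g = head; g; g = gnext) {
        gnext = g->next;
        if (!g->prune) {
            gprev = g;            /* kept node becomes the last live predecessor */
            continue;
        }
        if (gprev) {
            stale_writes += gprev->freed;
            gprev->next = gnext;  /* unlink g */
        } else {
            head = gnext;
        }
        g->freed = 1;             /* stands in for free(g) */
        if (buggy) gprev = g;     /* the assignment the report says to delete */
    }
    return head;
}

/* Constructed case from the report: A->B->C, with B and C marked for pruning. */
static int dangling_after_prune(int buggy)
{
    struct gw c = { 1, 0, NULL }, b = { 1, 0, &c }, a = { 0, 0, &b };
    int dangling = 0;
    stale_writes = 0;
    for (struct gw *g = prune_list(&a, buggy); g; g = g->next)
        dangling += g->freed;     /* freed node still reachable from the head */
    return dangling;
}

int main(void)
{
    int d = dangling_after_prune(1);
    printf("buggy: %d dangling, %d stale write(s)\n", d, stale_writes);
    d = dangling_after_prune(0);
    printf("fixed: %d dangling, %d stale write(s)\n", d, stale_writes);
    return 0;
}
```

With the extra assignment, A still links to the freed C and one write lands in the freed B; without it, the list is left holding only A.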

---------------------------------------------------------------------- 
 (0129179) alea-soluciones (reporter) - 2010-11-27 11:12
 https://issues.asterisk.org/view.php?id=18291#c129179 
---------------------------------------------------------------------- 
I was reviewing this code and it seems that the patch does the job... The
issue was described perfectly by nahuelgreco. The problem affects mgcp and
ncs protocols.

At this point, I don't have CMTS hardware at my lab to test the patch,
and of course, I can't test this solution in a production system, but I
followed/read carefully the initial code and the patch and it looks very
good.

I hope this patch can get committed to the trunk... 

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2010-11-27 11:12 alea-soluciones Note Added: 0129179
======================================================================
