[asterisk-bugs] [Asterisk 0019368]: The retrans_pkt function can corrupt the message list in the gateway structure

Asterisk Bug Tracker noreply at bugs.digium.com
Wed May 25 15:46:21 CDT 2011 

The following issue has been SUBMITTED. 
====================================================================== 
https://issues.asterisk.org/view.php?id=19368 
====================================================================== 
Reported By:                JeffW
Assigned To:                
====================================================================== 
Project:                    Asterisk
Issue ID:                   19368
Category:                   Channels/chan_mgcp
Reproducibility:            random
Severity:                   minor
Priority:                   normal
Status:                     new
Asterisk Version:           1.8.3.2 
JIRA:                        
Regression:                 No 
Reviewboard Link:            
SVN Branch (only for SVN checkouts, not tarball releases): N/A 
SVN Revision (number only!):  
Request Review:              
====================================================================== 
Date Submitted:             2011-05-25 15:46 CDT
Last Modified:              2011-05-25 15:46 CDT
====================================================================== 
Summary:                    The retrans_pkt function can corrupt the message
list in the gateway structure
Description: 
I believe there are errors in the retrans_pkt function when a max retries
exceeded error occurs.  In the "for" statement the 'prev" variable is set
to an incorrect value when a message in the list has exceeded its retries. 
It should remain unchanged, but the "for" statement will set "prev" to
point to the message just removed.  This could corrupt the list.

The code attempts to build a list of expired messages using the same
"next" field as used to link the active message list.  This corrupts the
value of "cur->next" which is used to process the rest of the active
message list.  It will be set to null or point to the expired message list.
====================================================================== 

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2011-05-25 15:46 JeffW          New Issue                                    
2011-05-25 15:46 JeffW          Asterisk Version          => 1.8.3.2         
2011-05-25 15:46 JeffW          Regression                => No              
2011-05-25 15:46 JeffW          SVN Branch (only for SVN checkouts, not tarball
releases) => N/A             
======================================================================

More information about the asterisk-bugs mailing list