[asterisk-bugs] [Asterisk 0019368]: The retrans_pkt function can corrupt the message list in the gateway structure

Asterisk Bug Tracker noreply at bugs.digium.com
Fri May 27 10:57:27 CDT 2011 

The following issue requires your FEEDBACK. 
====================================================================== 
https://issues.asterisk.org/view.php?id=19368 
====================================================================== 
Reported By:                JeffW
Assigned To:                
====================================================================== 
Project:                    Asterisk
Issue ID:                   19368
Category:                   Channels/chan_mgcp
Reproducibility:            random
Severity:                   minor
Priority:                   normal
Status:                     feedback
Asterisk Version:           1.8.3.2 
JIRA:                        
Regression:                 No 
Reviewboard Link:            
SVN Branch (only for SVN checkouts, not tarball releases): N/A 
SVN Revision (number only!):  
Request Review:              
====================================================================== 
Date Submitted:             2011-05-25 15:46 CDT
Last Modified:              2011-05-27 10:57 CDT
====================================================================== 
Summary:                    The retrans_pkt function can corrupt the message
list in the gateway structure
Description: 
I believe there are errors in the retrans_pkt function when a max retries
exceeded error occurs.  In the "for" statement the 'prev" variable is set
to an incorrect value when a message in the list has exceeded its retries. 
It should remain unchanged, but the "for" statement will set "prev" to
point to the message just removed.  This could corrupt the list.

The code attempts to build a list of expired messages using the same
"next" field as used to link the active message list.  This corrupts the
value of "cur->next" which is used to process the rest of the active
message list.  It will be set to null or point to the expired message list.
====================================================================== 

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2011-05-27 10:57 lmadsen        Status                   new => feedback     
======================================================================

More information about the asterisk-bugs mailing list