[asterisk-bugs] [JIRA] (ASTERISK-21316) Segfault on ast_channel_tech(chan)->send_digit_begin
Ashley Winters (JIRA)
noreply at issues.asterisk.org
Fri Mar 29 12:58:01 CDT 2013
[ https://issues.asterisk.org/jira/browse/ASTERISK-21316?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=204790#comment-204790 ]
Ashley Winters edited comment on ASTERISK-21316 at 3/29/13 12:57 PM:
---------------------------------------------------------------------
It's a bridged call. We have a manager event listener which can trigger unbridge upon DTMF. It's like a dynamic features.conf for our multi-tenant IVR. So, sequence of events as best I can piece together:
1. Bridge channel A and B
2. DTMF # received on A
3. Simultaneously ChannelRedirect both A and B to dialplan locations, triggering unbridge
4. After {{ast_channel_bridge}} returns, the channels are not yet marked as ZOMBIE
6. Towards the end of {{ast_channel_bridge}}, it finally checks whether DTMF '#' should have triggered a feature, and if not forwards to the soon-to-be-ZOMBIE channel
7. In between the NULL check of {{!ast_channel_tech(chan)->send_digit_begin}} and the segfault location, channel B is masqueraded on another thread
8. Segfault
was (Author: awinters):
It's a bridged call. We have a manager event listener which can trigger unbridge upon DTMF. It's like a dynamic features.conf for our multi-tenant IVR. So, sequence of events as best I can piece together:
1. Bridge channel A and B
2. DTMF # received on A
3. Simultaneously ChannelRedirect both A and B to dialplan locations, triggering unbridge
4. After {{ast_channel_bridge}} returns, the channels are not yet marked as ZOMBIE
6. Towards the end of {{ast_channel_bridge}}, it finally checks whether DTMF '#' should have triggered a feature, and if not forwards to the now-ZOMBIE channel
7. In between the NULL check of {{!ast_channel_tech(chan)->send_digit_begin}} and the segfault location, channel B is masqueraded on another thread
8. Segfault
> Segfault on ast_channel_tech(chan)->send_digit_begin
> ----------------------------------------------------
>
> Key: ASTERISK-21316
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-21316
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: Core/Channels
> Affects Versions: 11.2.1
> Environment: CentOS 6.3
> Reporter: Ashley Winters
> Severity: Critical
> Attachments: gdb-send_digit_begin-segfault.txt, unlocked-send_digit-race.patch
>
>
> Calling {{ast_channel_tech(chan)}} multiple times in a row while chan is unlocked is a race condition. I experienced a segfault when the tech changed to {{null_tech}} between the null check and the function-pointer dereference.
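The check-then-call race described in this report, as an added example (not Asterisk source and not the attached patch). `struct tech`, `struct chan`, `sip_tech`, `interleave` and `demo` are simplified, hypothetical stand-ins, and the `interleave` hook deterministically plays the part of the thread that masquerades the channel between the NULL check and the call.

```c
#include <pthread.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for the types named in the report (assumed layout). */
struct tech { int (*send_digit_begin)(char digit); };
struct chan { pthread_mutex_t lock; const struct tech *tech; };

static int sip_digit(char d) { return d; }        /* constructed driver callback */
static const struct tech sip_tech  = { sip_digit };
static const struct tech null_tech = { NULL };    /* tech left behind by the swap */

/* Hook standing in for the other thread; runs between check and use. */
static void (*interleave)(struct chan *);

static void masquerade(struct chan *c)
{
    pthread_mutex_lock(&c->lock);
    c->tech = &null_tech;
    pthread_mutex_unlock(&c->lock);
}

/* Racy shape: two unlocked reads of chan->tech. -2 marks the spot where
 * the real code would call through a NULL function pointer. */
int senddigit_racy(struct chan *c, char d)
{
    if (!c->tech->send_digit_begin) return -1;    /* read 1: the NULL check */
    if (interleave) interleave(c);                /* tech swapped here */
    if (!c->tech->send_digit_begin) return -2;    /* read 2: the call site */
    return c->tech->send_digit_begin(d);
}

/* Hardened shape: one read under the channel lock, then check and call
 * through the local copy, so a later swap cannot turn it into NULL. */
int senddigit_snapshot(struct chan *c, char d)
{
    int (*fn)(char);
    pthread_mutex_lock(&c->lock);
    fn = c->tech->send_digit_begin;
    pthread_mutex_unlock(&c->lock);
    if (interleave) interleave(c);                /* swap no longer affects fn */
    return fn ? fn(d) : -1;
}

/* Run one case on a fresh channel; race != 0 injects the swap. */
int demo(int hardened, int race)
{
    struct chan c = { PTHREAD_MUTEX_INITIALIZER, &sip_tech };
    interleave = race ? masquerade : NULL;
    return hardened ? senddigit_snapshot(&c, '#') : senddigit_racy(&c, '#');
}
int main(void) { printf("racy=%d snapshot=%d\n", demo(0, 1), demo(1, 1)); return 0; }
```

The snapshot removes the NULL dereference only; the callback it invokes still belongs to the old tech, so whatever state that callback touches must remain valid, or the lock has to be held across the call.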