[asterisk-bugs] [JIRA] (ASTERISK-22902) Crash when setting RTCP property on RTP instance
Matt Jordan (JIRA)
noreply at issues.asterisk.org
Mon Nov 25 13:26:03 CST 2013
[ https://issues.asterisk.org/jira/browse/ASTERISK-22902?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=212227#comment-212227 ]
Matt Jordan edited comment on ASTERISK-22902 at 11/25/13 1:24 PM:
------------------------------------------------------------------
So I'm not sure how this is possible without having a modified version of Asterisk.
The RTP instance gets its engine pointer set in {{ast_rtp_instance_new}}. *At no point is this pointer ever set to anything else*.
First, the routine obtains the engine name that was requested. If it doesn't find one, the routine bails - in which case there is no RTP instance returned.
{noformat}
/* If an engine name was specified try to use it or otherwise use the first one registered */
if (!ast_strlen_zero(engine_name)) {
    AST_RWLIST_TRAVERSE(&engines, engine, entry) {
        if (!strcmp(engine->name, engine_name)) {
            break;
        }
    }
} else {
    engine = AST_RWLIST_FIRST(&engines);
}
/* If no engine was actually found bail out now */
if (!engine) {
    ast_log(LOG_ERROR, "No RTP engine was found. Do you have one loaded?\n");
    AST_RWLIST_UNLOCK(&engines);
    return NULL;
}
{noformat}
At this point, {{engine}} has to be valid and non-NULL. We assign it to the newly created {{instance}} object below:
{noformat}
/* Bump up the reference count before we return so the module can not be unloaded */
ast_module_ref(engine->mod);
AST_RWLIST_UNLOCK(&engines);
/* Allocate a new RTP instance */
if (!(instance = ao2_alloc(sizeof(*instance), instance_destructor))) {
    ast_module_unref(engine->mod);
    return NULL;
}
instance->engine = engine;
{noformat}
I don't see how this pointer got set to NULL. We don't assign NULL to {{instance->engine}} at any point in time. Even when the RTP instance of a SIP pvt is destroyed, we still never set that pointer to NULL.
Have you modified your instance of Asterisk?
> Crash when setting RTCP property on RTP instance
> ------------------------------------------------
>
> Key: ASTERISK-22902
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-22902
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: Channels/chan_sip/General, Core/RTP
> Affects Versions: 11.6.0
> Environment: Linux Debian 7.0
> Reporter: Private Name
> Severity: Critical
> Attachments: backtrace.txt, frame0.txt
>
>
> Asterisk crashed and I got a full trace. I am uploading it shortly
> \[edit: mjordan\]
> The crash occurs during setting up an early bridge between two SIP channels. It appears to be occurring when the RTCP property is being set on a SIP pvt's RTP instance.