[asterisk-bugs] [JIRA] (ASTERISK-22902) Crash when setting RTCP property on RTP instance

Matt Jordan (JIRA) noreply at issues.asterisk.org
Mon Nov 25 13:26:04 CST 2013


    [ https://issues.asterisk.org/jira/browse/ASTERISK-22902?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=212227#comment-212227 ] 

Matt Jordan edited comment on ASTERISK-22902 at 11/25/13 1:25 PM:
------------------------------------------------------------------

So I'm not sure how this is possible without having a modified version of Asterisk.

The RTP instance gets its engine pointer set in {{ast_rtp_instance_new}}. *At no point is this pointer ever set to anything else*.

First, the routine obtains the engine name that was requested. If it doesn't find one, the routine bails - in which case there is no RTP instance returned.

{noformat}
	/* If an engine name was specified try to use it or otherwise use the first one registered */
	if (!ast_strlen_zero(engine_name)) {
		AST_RWLIST_TRAVERSE(&engines, engine, entry) {
			if (!strcmp(engine->name, engine_name)) {
				break;
			}
		}
	} else {
		engine = AST_RWLIST_FIRST(&engines);
	}

	/* If no engine was actually found bail out now */
	if (!engine) {
		ast_log(LOG_ERROR, "No RTP engine was found. Do you have one loaded?\n");
		AST_RWLIST_UNLOCK(&engines);
		return NULL;
	}
{noformat}

At this point, {{engine}} has to be valid and non-NULL. We assign it to the newly created {{instance}} object below:

{noformat}

	/* Bump up the reference count before we return so the module can not be unloaded */
	ast_module_ref(engine->mod);

	AST_RWLIST_UNLOCK(&engines);

	/* Allocate a new RTP instance */
	if (!(instance = ao2_alloc(sizeof(*instance), instance_destructor))) {
		ast_module_unref(engine->mod);
		return NULL;
	}
	instance->engine = engine;
{noformat}

I don't see how this pointer got set to NULL. We don't assign NULL to {{instance->engine}} at any point in time. Even when the RTP instance of a SIP pvt is destroyed, we still never set that pointer to NULL.

Have you modified your instance of Asterisk?
                
> Crash when setting RTCP property on RTP instance
> ------------------------------------------------
>
>                 Key: ASTERISK-22902
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-22902
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Channels/chan_sip/General, Core/RTP
>    Affects Versions: 11.6.0
>         Environment: Linux Debian 7.0
>            Reporter: Private Name
>            Severity: Critical
>         Attachments: backtrace.txt, frame0.txt
>
>
> Asterisk crashed and I got a full trace. I am uploading it shortly
> \[edit: mjordan\]
> The crash occurs during setting up an early bridge between two SIP channels. It appears to be occurring when the RTCP property is being set on a SIP pvt's RTP instance.
