[asterisk-bugs] [JIRA] (ASTERISK-21737) [patch] - Crash during transfer from DAHDI/SIP to SIP/SIP in ast_format_cap_append called from remote bridge loop

Richard Mudgett (JIRA) noreply at issues.asterisk.org
Thu Oct 31 13:30:03 CDT 2013


    [ https://issues.asterisk.org/jira/browse/ASTERISK-21737?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=211395#comment-211395 ] 

Richard Mudgett edited comment on ASTERISK-21737 at 10/31/13 1:28 PM:
----------------------------------------------------------------------

I've met the same problem between chan_sip and a SCCP channel driver (not chan_skinny, but external to the asterisk project) on asterisk 11.6.0 (and earlier version).

The scenario is the following:

Given a SIP channel SIP/A-1 is bridged (remote bridge, i.e. the pbx thread is running remote_bridge_loop) with a SCCP channel SCCP/B-1
And the SIP channel SIP/A-1 (clone) is masqueraded into another SCCP channel SCCP/B-2 (original)
Then asterisk sometimes segfault in sip_get_codec

It segfaults because sip_get_codec is called with SCCP/B-2<ZOMBIE> channel, and this channel pvt is NOT a sip_pvt *, so this lead to garbage.

As far as my asterisk knowledge goes, it seems to me that there's a race condition between the first and second pbx threads; the remote bridge happens in the first thread, the masquerade (ast_do_masquerade) happens in the second, and if you are not lucky, the masquerade happens between the "/* check if anything changed */" and call to "glueX->get_codec".

Or something like that.

This bug is similar in a certain way to ASTERISK-17378
                
      was (Author: hexanol):
    I've met the same problem between chan_sip and a SCCP channel driver (not chan_skinny, but external to the asterisk project) on asterisk 11.6.0 (and earlier version).

The scenario is the following:

Given a SIP channel SIP/A-1 is bridged (remote bridge, i.e. the pbx thread is running remote_bridge_loop) with a SCCP channel SCCP/B-1
And the SIP channel SIP/A-1 (clone) is masqueraded into another SCCP channel SCCP/B-2 (original)
Then asterisk sometimes segfault in sip_get_codec

It segfaults because sip_get_codec is called with SCCP/B-2<ZOMBIE> channel, and this channel pvt is NOT a sip_pvt *, so this lead to garbage.

As far as my asterisk knowledge goes, it seems to me that there's a race condition between the first and second pbx threads; the remote bridge happens in the first thread, the masquerade (ast_do_masquerade) happens in the second, and if you are not lucky, the masquerade happens between the "/* check if anything changed */" and call to "glueX->get_codec".

Or something like that.

This bug is similar in a certain way to https://issues.asterisk.org/jira/browse/ASTERISK-17378
                  
> [patch] - Crash during transfer from DAHDI/SIP to SIP/SIP in ast_format_cap_append called from remote bridge loop
> -----------------------------------------------------------------------------------------------------------------
>
>                 Key: ASTERISK-21737
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-21737
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Channels/chan_sip/Transfers, Core/Bridging
>         Environment: Asterisk SVN-branch-11-r385594 
>            Reporter: Alec Davis
>         Attachments: bug_apr30.diff.txt, gdb-apr30.txt
>
>
> DAHDI call into queue.
> SIP agent answers, then transfer to SIP0007.
>  
> Crashed just after/during a transfer.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.asterisk.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira



More information about the asterisk-bugs mailing list