[asterisk-bugs] [JIRA] (ASTERISK-21737) [patch] - Crash during transfer from DAHDI/SIP to SIP/SIP in ast_format_cap_append called from remote bridge loop
Richard Mudgett (JIRA)
noreply at issues.asterisk.org
Thu Oct 31 13:30:03 CDT 2013
[ https://issues.asterisk.org/jira/browse/ASTERISK-21737?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=211395#comment-211395 ]
Richard Mudgett edited comment on ASTERISK-21737 at 10/31/13 1:28 PM:
----------------------------------------------------------------------
I've met the same problem between chan_sip and a SCCP channel driver (not chan_skinny, but external to the asterisk project) on asterisk 11.6.0 (and earlier version).
The scenario is the following:
Given a SIP channel SIP/A-1 is bridged (remote bridge, i.e. the pbx thread is running remote_bridge_loop) with a SCCP channel SCCP/B-1
And the SIP channel SIP/A-1 (clone) is masqueraded into another SCCP channel SCCP/B-2 (original)
Then asterisk sometimes segfault in sip_get_codec
It segfaults because sip_get_codec is called with SCCP/B-2<ZOMBIE> channel, and this channel pvt is NOT a sip_pvt *, so this lead to garbage.
As far as my asterisk knowledge goes, it seems to me that there's a race condition between the first and second pbx threads; the remote bridge happens in the first thread, the masquerade (ast_do_masquerade) happens in the second, and if you are not lucky, the masquerade happens between the "/* check if anything changed */" and call to "glueX->get_codec".
Or something like that.
This bug is similar in a certain way to ASTERISK-17378
was (Author: hexanol):
I've met the same problem between chan_sip and a SCCP channel driver (not chan_skinny, but external to the asterisk project) on asterisk 11.6.0 (and earlier version).
The scenario is the following:
Given a SIP channel SIP/A-1 is bridged (remote bridge, i.e. the pbx thread is running remote_bridge_loop) with a SCCP channel SCCP/B-1
And the SIP channel SIP/A-1 (clone) is masqueraded into another SCCP channel SCCP/B-2 (original)
Then asterisk sometimes segfault in sip_get_codec
It segfaults because sip_get_codec is called with SCCP/B-2<ZOMBIE> channel, and this channel pvt is NOT a sip_pvt *, so this lead to garbage.
As far as my asterisk knowledge goes, it seems to me that there's a race condition between the first and second pbx threads; the remote bridge happens in the first thread, the masquerade (ast_do_masquerade) happens in the second, and if you are not lucky, the masquerade happens between the "/* check if anything changed */" and call to "glueX->get_codec".
Or something like that.
This bug is similar in a certain way to https://issues.asterisk.org/jira/browse/ASTERISK-17378
> [patch] - Crash during transfer from DAHDI/SIP to SIP/SIP in ast_format_cap_append called from remote bridge loop
> -----------------------------------------------------------------------------------------------------------------
>
> Key: ASTERISK-21737
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-21737
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: Channels/chan_sip/Transfers, Core/Bridging
> Environment: Asterisk SVN-branch-11-r385594
> Reporter: Alec Davis
> Attachments: bug_apr30.diff.txt, gdb-apr30.txt
>
>
> DAHDI call into queue.
> SIP agent answers, then transfer to SIP0007.
>
> Crashed just after/during a transfer.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.asterisk.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
More information about the asterisk-bugs
mailing list