[asterisk-bugs] [JIRA] (ASTERISK-23288) res_pjsip_refer: Crash during attended transfer when attended->transferer_second channel is NULL

Matt Jordan (JIRA) noreply at issues.asterisk.org
Wed Feb 12 20:21:04 CST 2014


Matt Jordan created ASTERISK-23288:
--------------------------------------

             Summary: res_pjsip_refer: Crash during attended transfer when attended->transferer_second channel is NULL
                 Key: ASTERISK-23288
                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-23288
             Project: Asterisk
          Issue Type: Bug
          Components: Resources/res_pjsip_refer
            Reporter: Matt Jordan


Note that this was caught by the Asterisk Test Suite during the ARI attended transfer event test. Backtrace is attached.

{noformat}
#0  0x000000000053da03 in ast_channel_name (chan=0x0) at channel_internal_api.c:464
464	DEFINE_STRINGFIELD_GETTER_FOR(name);
#0  0x000000000053da03 in ast_channel_name (chan=0x0) at channel_internal_api.c:464
No locals.
#1  0x00007f05e9000f08 in refer_attended (data=0x7f060c0523c8) at res_pjsip_refer.c:424
        attended = 0x7f060c0523c8
        response = 0
        __PRETTY_FUNCTION__ = "refer_attended"
{noformat}

This occurs because a channel that we weren't expecting to be NULL is NULL. Looking at line 424:

{noformat}
	ast_debug(3, "Performing a REFER attended transfer - Transferer #1: %s Transferer #2: %s\n",
		ast_channel_name(attended->transferer_chan), ast_channel_name(attended->transferer_second->channel));
{noformat}

So either {{attended->transferer_chan}} or {{attended->transferer_second->channel}} is NULL.

When we make the {{attended}} structure, we are ref bumping the {{ast_sip_session}} objects, but only the {{attended->transferer_chan}} channel is ref bumped:

{noformat}
	struct refer_attended *attended = ao2_alloc(sizeof(*attended), refer_attended_destroy);

	if (!attended) {
		return NULL;
	}

	ao2_ref(transferer, +1);
	attended->transferer = transferer;
	ast_channel_ref(transferer->channel);
	attended->transferer_chan = transferer->channel;
	ao2_ref(transferer_second, +1);
	attended->transferer_second = transferer_second;

	if (progress) {
		ao2_ref(progress, +1);
		attended->progress = progress;
	}
{noformat}

The most likely culprit for this failing is the attended->transferer_second channel getting nuked out while we serialize the task.
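As an added illustration, not taken from the report or from Asterisk's source, the following C model shows why holding the session reference alone is not enough: if the session drops its channel before the queued task runs, the task sees NULL, whereas taking a channel reference at creation time keeps it alive. `struct channel`, `struct session`, `attended_create()`, `session_detach_channel()`, `attended_task()` and `simulate_transfer()` are constructed stand-ins, and the channel name is a made-up sample value.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for ast_channel and ast_sip_session; not Asterisk's real types. */
struct channel { int refs; char name[32]; };
struct session { int refs; struct channel *channel; };

static struct channel *channel_ref(struct channel *c) { if (c) c->refs++; return c; }
static void channel_unref(struct channel *c) { if (c && --c->refs == 0) free(c); }

/* Like refer_attended in the report: the session is held; the channel only if asked. */
struct attended { struct session *second; struct channel *second_chan; };

static struct attended *attended_create(struct session *second, int hold_channel)
{
	struct attended *a = calloc(1, sizeof(*a));
	if (!a) return NULL;
	a->second = second;                       /* real code: ao2_ref(transferer_second, +1) */
	if (hold_channel)                         /* the bump the report's code omits */
		a->second_chan = channel_ref(second->channel);
	return a;
}

/* The race: between queuing and running the task, the session loses its channel. */
static void session_detach_channel(struct session *s)
{
	channel_unref(s->channel);
	s->channel = NULL;
}

/* Task body. Copies the channel name to out; returns 0 where line 424 would crash. */
static int attended_task(struct attended *a, char *out, size_t outlen)
{
	struct channel *c = a->second_chan ? a->second_chan : a->second->channel;
	if (!c) return 0;                         /* NULL guard that the report's line lacks */
	snprintf(out, outlen, "%s", c->name);
	return 1;
}

/* Runs the whole sequence with or without holding the channel reference. */
int simulate_transfer(int hold_channel, char *out, size_t outlen)
{
	struct channel *chan = calloc(1, sizeof(*chan));
	if (!chan) return -1;
	strcpy(chan->name, "PJSIP/bob-00000002");  /* constructed sample name */
	struct session sess = { 1, channel_ref(chan) };   /* chan refs: 1, owned by the session */
	struct attended *a = attended_create(&sess, hold_channel);
	if (!a) { session_detach_channel(&sess); return -1; }
	session_detach_channel(&sess);            /* "nuked out while we serialize the task" */
	int ok = attended_task(a, out, outlen);
	channel_unref(a->second_chan); free(a);
	return ok;
}
```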

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.asterisk.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira