[asterisk-bugs] [JIRA] (ASTERISK-23287) res_pjsip_refer: Crash during attended transfer when attended->transferer_second channel is NULL

Matt Jordan (JIRA) noreply at issues.asterisk.org
Wed Feb 12 20:29:03 CST 2014


    [ https://issues.asterisk.org/jira/browse/ASTERISK-23287?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=215184#comment-215184 ] 

Matt Jordan commented on ASTERISK-23287:
----------------------------------------

Actually, this may be masquerades screwing us:

{noformat}
[Feb 12 13:19:38] DEBUG[13416] res_pjsip_refer.c: Final response for REFER attended transfer - Transferer #1: PJSIP/bob-00000000 Transferer #2: PJSIP/bob-00000002 is '200'
[Feb 12 13:19:38] DEBUG[13416] res_pjsip_refer.c: Subscription '0x7f061002a508' is being terminated as a result of a NOTIFY, removing REFER progress structure early on progress monitor '0x7f0610029908'
[Feb 12 13:19:38] DEBUG[13416] res_pjsip_refer.c: Sending NOTIFY with response '200' and state '5' on subscription '0x7f061002a508' and progress monitor '0x7f0610029908'
[Feb 12 13:19:38] DEBUG[13416] pjsip: 	evsub0x7f06100 Subscription state changed ACTIVE --> TERMINATED
[Feb 12 13:19:38] DEBUG[13416] res_pjsip_session.c: Method is BYE
[Feb 12 13:19:38] DEBUG[13400] cdr.c: Finalized CDR for PJSIP/bob-00000002 - start 1392232778.120924 answer 1392232778.121202 end 1392232778.599795 dispo ANSWERED
[Feb 12 13:19:38] DEBUG[13469] manager.c: Examining event:
Event: AttendedTransfer
Privilege: call,all
Result: Success
OrigTransfererChannel: PJSIP/bob-00000000
OrigTransfererChannelState: 6
OrigTransfererChannelStateDesc: Up
OrigTransfererCallerIDNum: bob
OrigTransfererCallerIDName: <unknown>
OrigTransfererConnectedLineNum: alice
OrigTransfererConnectedLineName: <unknown>
OrigTransfererAccountCode: 
OrigTransfererContext: default
OrigTransfererExten: stasis
OrigTransfererPriority: 3
OrigTransfererUniqueid: 1392232778.6
OrigBridgeUniqueid: b0bb9dd9-ac1f-4dab-9081-d9ed0878dd52
OrigBridgeType: base
OrigBridgeTechnology: native_rtp
OrigBridgeCreator: Stasis
OrigBridgeName: <unknown>
OrigBridgeNumChannels: 2
SecondTransfererChannel: Local/_attended@transfer-00000001;2
SecondTransfererChannelState: 6
SecondTransfererChannelStateDesc: Up
SecondTransfererCallerIDNum: <unknown>
SecondTransfererCallerIDName: <unknown>
SecondTransfererConnectedLineNum: <unknown>
SecondTransfererConnectedLineName: <unknown>
SecondTransfererAccountCode: 
SecondTransfererContext: default
SecondTransfererExten: 1000
SecondTransfererPriority: 2
SecondTransfererUniqueid: 1392232778.24
IsExternal: Yes
DestType: App
DestApp: Echo
{noformat}

Notice that the channel during the final REFER response is PJSIP/bob-00000002; however, the final channel in the Attended Transfer event is the Local channel. Something else to consider.
                
> res_pjsip_refer: Crash during attended transfer when attended->transferer_second channel is NULL
> ------------------------------------------------------------------------------------------------
>
>                 Key: ASTERISK-23287
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-23287
>             Project: Asterisk
>          Issue Type: Bug
>          Components: Resources/res_pjsip_refer
>    Affects Versions: 12.0.0
>            Reporter: Matt Jordan
>         Attachments: backtrace_5214.txt, full.txt
>
>
> Note that this was caught by the Asterisk Test Suite during the ARI attended transfer event test. Backtrace is attached.
> {noformat}
> #0  0x000000000053da03 in ast_channel_name (chan=0x0) at channel_internal_api.c:464
> 464	DEFINE_STRINGFIELD_GETTER_FOR(name);
> #0  0x000000000053da03 in ast_channel_name (chan=0x0) at channel_internal_api.c:464
> No locals.
> #1  0x00007f05e9000f08 in refer_attended (data=0x7f060c0523c8) at res_pjsip_refer.c:424
>         attended = 0x7f060c0523c8
>         response = 0
>         __PRETTY_FUNCTION__ = "refer_attended"
> {noformat}
> This occurs because some channel is NULL that we weren't expecting. Looking at line 424:
> {noformat}
> 	ast_debug(3, "Performing a REFER attended transfer - Transferer #1: %s Transferer #2: %s\n",
> 		ast_channel_name(attended->transferer_chan), ast_channel_name(attended->transferer_second->channel));
> {noformat}
> So we have either {{attended->transferer_chan}}, or {{attended->transferer_second->channel}}.
> When we make the {{attended}} structure, we are ref bumping the {{ast_sip_session}} objects, but only the {{attended->transferer_chan}} channel is ref bumped:
> {noformat}
> 	struct refer_attended *attended = ao2_alloc(sizeof(*attended), refer_attended_destroy);
> 	if (!attended) {
> 		return NULL;
> 	}
> 	ao2_ref(transferer, +1);
> 	attended->transferer = transferer;
> 	ast_channel_ref(transferer->channel);
> 	attended->transferer_chan = transferer->channel;
> 	ao2_ref(transferer_second, +1);
> 	attended->transferer_second = transferer_second;
> 	if (progress) {
> 		ao2_ref(progress, +1);
> 		attended->progress = progress;
> 	}
> {noformat}
> The most likely culprit for this failing is the attended->transferer_second channel getting nuked out while we serialize the task.
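
The reference-counting gap described in the issue, as an added example that is not part of the original message and is neither Asterisk code nor the project's fix. It is a toy C model in which every struct and function name is a hypothetical stand-in for the ao2/channel API, and it assumes (following the reporter's hypothesis) that a hangup clears the session's channel pointer before the queued task runs.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy stand-ins (hypothetical names); not Asterisk's ao2 or channel API. */
struct chan { int refs; const char *name; };
struct session { int refs; struct chan *channel; };
struct task {
    struct session *second;   /* session ref only, as in the quoted snippet */
    struct chan *second_chan; /* added: channel captured with its own ref */
};

static void chan_unref(struct chan *c) { if (c && --c->refs == 0) free(c); }

/* Assumed hangup behaviour: the session drops its channel and NULLs the pointer. */
static void session_hangup(struct session *s) {
    chan_unref(s->channel);
    s->channel = NULL;
}

static struct task make_task(struct session *second) {
    struct task t = { second, second->channel };
    second->refs++;
    if (t.second_chan) t.second_chan->refs++;
    return t;
}

/* Reaching through the session: NULL once the hangup has run. */
static const char *name_via_session(const struct task *t) {
    return t->second->channel ? t->second->channel->name : NULL;
}
/* Using the channel captured at task creation: still valid after hangup. */
static const char *name_via_snapshot(const struct task *t) {
    return t->second_chan ? t->second_chan->name : NULL;
}

/* Returns 3 when the session path is NULL and the snapshot is still valid. */
static int run_demo(void) {
    struct chan *c = malloc(sizeof(*c));
    struct session *s = malloc(sizeof(*s));
    if (!c || !s) { free(c); free(s); return -1; }
    c->refs = 1; c->name = "PJSIP/bob-00000002"; /* name from the log above */
    s->refs = 1; s->channel = c;
    struct task t = make_task(s);
    session_hangup(s);               /* runs before the queued task does */
    int r = (name_via_session(&t) == NULL) + 2 * (name_via_snapshot(&t) != NULL);
    chan_unref(t.second_chan);
    free(s);
    return r;
}
int main(void) { printf("%d\n", run_demo()); return 0; }
```

In the quoted debug line the pointer reached through the session is passed straight to `ast_channel_name()`, which is the NULL dereference shown in frame #0 of the backtrace.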
