[asterisk-bugs] [JIRA] (ASTERISK-23287) res_pjsip_refer: Crash during attended transfer when attended->transferer_second channel is NULL

Kinsey Moore (JIRA) noreply at issues.asterisk.org
Tue Feb 25 08:50:03 CST 2014


    [ https://issues.asterisk.org/jira/browse/ASTERISK-23287?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=215631#comment-215631 ] 

Kinsey Moore commented on ASTERISK-23287:
-----------------------------------------

After further digging, this is actually two bugs. The first is in the test where an extra REFER is being triggered when it really shouldn't be and the other is in Asterisk where the extra REFER is accepted and acted upon even though the channel is NULLed out and gone because the masquerade has hung up the channel.
                
> res_pjsip_refer: Crash during attended transfer when attended->transferer_second channel is NULL
> ------------------------------------------------------------------------------------------------
>
>                 Key: ASTERISK-23287
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-23287
>             Project: Asterisk
>          Issue Type: Bug
>          Components: Resources/res_pjsip_refer
>    Affects Versions: 12.0.0
>            Reporter: Matt Jordan
>         Attachments: backtrace_5214.txt, full.txt
>
>
> Note that this was caught by the Asterisk Test Suite during the ARI attended transfer event test. Backtrace is attached.
> {noformat}
> #0  0x000000000053da03 in ast_channel_name (chan=0x0) at channel_internal_api.c:464
> 464	DEFINE_STRINGFIELD_GETTER_FOR(name);
> #0  0x000000000053da03 in ast_channel_name (chan=0x0) at channel_internal_api.c:464
> No locals.
> #1  0x00007f05e9000f08 in refer_attended (data=0x7f060c0523c8) at res_pjsip_refer.c:424
>         attended = 0x7f060c0523c8
>         response = 0
>         __PRETTY_FUNCTION__ = "refer_attended"
> {noformat}
> This occurs because some channel is NULL that we weren't expecting. Looking at line 424:
> {noformat}
> 	ast_debug(3, "Performing a REFER attended transfer - Transferer #1: %s Transferer #2: %s\n",
> 		ast_channel_name(attended->transferer_chan), ast_channel_name(attended->transferer_second->channel));
> {noformat}
> So we have either {{attended->transferer_chan}}, or {{attended->transferer_second->channel}}.
> When we make the {{attended}} structure, we are ref bumping the {{ast_sip_session}} objects, but only the {{attended->transferer_chan}} channel is ref bumped:
> {noformat}
> 	struct refer_attended *attended = ao2_alloc(sizeof(*attended), refer_attended_destroy);
> 	if (!attended) {
> 		return NULL;
> 	}
> 	ao2_ref(transferer, +1);
> 	attended->transferer = transferer;
> 	ast_channel_ref(transferer->channel);
> 	attended->transferer_chan = transferer->channel;
> 	ao2_ref(transferer_second, +1);
> 	attended->transferer_second = transferer_second;
> 	if (progress) {
> 		ao2_ref(progress, +1);
> 		attended->progress = progress;
> 	}
> {noformat}
> The most likely culprit for this failing is the attended->transferer_second channel getting nuked out while we serialize the task.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.asterisk.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
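The lifetime problem the report describes (the task holds a reference to the second ast_sip_session but not to its channel, so the channel pointer can be cleared by the masquerade before the serialized task runs) is reproduced below in a small stand-alone model. This is an added example, not Asterisk code: the refcounted structs, the session_hangup() stand-in for the masquerade, the snapshot_second switch and the scenario() driver are all assumptions chosen to mirror the quoted refer_attended allocation, and the only thing taken from the report is the debug line format. The buggy variant looks the channel up through the session at task time and finds NULL; the hardened variant takes its own channel reference when the task is queued, exactly as transferer_chan already does, and also refuses to run instead of dereferencing a NULL channel.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Asterisk code: minimal refcounted stand-ins for ast_channel / ast_sip_session. */
static int chans_alive = 0;        /* channel objects not yet freed */
static int last_second_alive = 0;  /* set by scenario(): was the second channel still alive when the task ran? */

struct chan { int refs; char name[32]; };
struct session { int refs; struct chan *channel; };  /* channel is cleared by hangup, like after a masquerade */

struct refer_attended {
    struct session *transferer;
    struct chan *transferer_chan;          /* ref held since creation, as in the report */
    struct session *transferer_second;
    struct chan *transferer_second_chan;   /* ref held since creation only in the hardened variant */
};

static struct chan *chan_alloc(const char *name)
{
    struct chan *c = calloc(1, sizeof(*c));
    if (!c) return NULL;
    c->refs = 1;
    snprintf(c->name, sizeof(c->name), "%s", name);
    chans_alive++;
    return c;
}
static struct chan *chan_ref(struct chan *c) { if (c) c->refs++; return c; }
static void chan_unref(struct chan *c) { if (c && --c->refs == 0) { chans_alive--; free(c); } }

static struct session *session_alloc(struct chan *c)
{
    struct session *s = calloc(1, sizeof(*s));
    if (!s) return NULL;
    s->refs = 1;
    s->channel = chan_ref(c);
    return s;
}
static struct session *session_ref(struct session *s) { if (s) s->refs++; return s; }
static void session_unref(struct session *s) { if (s && --s->refs == 0) { chan_unref(s->channel); free(s); } }

/* Stand-in for the masquerade hanging up the session's channel while the REFER task is still queued. */
static void session_hangup(struct session *s) { chan_unref(s->channel); s->channel = NULL; }

/* snapshot_second = 0 mirrors the quoted allocation: second session ref'd, its channel not.
 * snapshot_second = 1 is the hardened variant: take a channel ref up front, like transferer_chan. */
static struct refer_attended *refer_attended_alloc(struct session *transferer,
                                                   struct session *transferer_second, int snapshot_second)
{
    struct refer_attended *a = calloc(1, sizeof(*a));
    if (!a) return NULL;
    a->transferer = session_ref(transferer);
    a->transferer_chan = chan_ref(transferer->channel);
    a->transferer_second = session_ref(transferer_second);
    if (snapshot_second) a->transferer_second_chan = chan_ref(transferer_second->channel);
    return a;
}

static void refer_attended_destroy(struct refer_attended *a)
{
    if (!a) return;
    chan_unref(a->transferer_second_chan);
    session_unref(a->transferer_second);
    chan_unref(a->transferer_chan);
    session_unref(a->transferer);
    free(a);
}

/* The deferred task: 0 and a log line on success, -1 if a channel is gone. A NULL channel is
 * checked here rather than passed to a name getter, which is what crashed in the report. */
static int refer_attended_run(struct refer_attended *a, char *out, size_t outlen)
{
    struct chan *second = a->transferer_second_chan
        ? a->transferer_second_chan          /* hardened: our own reference, cannot have vanished */
        : a->transferer_second->channel;     /* buggy: late lookup through a session that may have hung up */
    if (!a->transferer_chan || !second) {
        snprintf(out, outlen, "REFER attended transfer aborted: a transferer channel is gone");
        return -1;
    }
    snprintf(out, outlen, "Performing a REFER attended transfer - Transferer #1: %s Transferer #2: %s",
             a->transferer_chan->name, second->name);
    return 0;
}

/* Queue the task, hang up the second channel as the masquerade would, then run the task.
 * Returns the task's return code and records in last_second_alive whether the channel survived. */
static int scenario(int snapshot_second)
{
    char line[160];
    struct chan *c1 = chan_alloc("PJSIP/alice-00000001");   /* constructed channel names */
    struct chan *c2 = chan_alloc("PJSIP/bob-00000002");
    struct session *s1 = session_alloc(c1), *s2 = session_alloc(c2);
    struct refer_attended *a;
    int rc;

    chan_unref(c1); chan_unref(c2);                          /* the sessions now own the channels */
    a = refer_attended_alloc(s1, s2, snapshot_second);
    session_hangup(s2);                                      /* masquerade hangs up the second channel first */
    last_second_alive = (chans_alive == 2);
    rc = refer_attended_run(a, line, sizeof(line));
    printf("%s\n", line);
    refer_attended_destroy(a);
    session_unref(s1); session_unref(s2);
    return rc;
}

int main(void) { scenario(0); scenario(1); return 0; }
```

Without the snapshot the task finds the second channel already freed and aborts (the real code instead dereferenced the NULL pointer); with the snapshot the channel is kept alive by the task's own reference until refer_attended_destroy() drops it, and chans_alive returns to zero afterwards, so holding the reference does not leak the channel either.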