[asterisk-bugs] [JIRA] (ASTERISK-21211) chan_iax2 - unprotected access of iaxs[peer->callno] potentially results in segfault

Jaco Kroon (JIRA) noreply at issues.asterisk.org
Tue Apr 7 06:12:32 CDT 2015


    [ https://issues.asterisk.org/jira/browse/ASTERISK-21211?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=225799#comment-225799 ] 

Jaco Kroon commented on ASTERISK-21211:
---------------------------------------

Haven't been running asterisk without this patch since I submitted it.  Wouldn't know, but I would expect a deadlock or some other badness if this patch became superfluous.

https://reviewboard.asterisk.org/r/4599/

> chan_iax2 - unprotected access of iaxs[peer->callno] potentially results in segfault
> ------------------------------------------------------------------------------------
>
>                 Key: ASTERISK-21211
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-21211
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Channels/chan_iax2
>    Affects Versions: 11.2.1
>            Reporter: Jaco Kroon
>            Severity: Critical
>         Attachments: asterisk-11.2.1-iax2_poke-segfault.diff
>
>
> chan_iax2.c, specifically in function iax2_poke_peer, a completely unprotected access to iaxs[peer->callno] is made.  Specifically I had a segfault trigger on line 12230, an access to iaxs[peer->callno] - the second in a sequence, so peer->callno can definitely change between the two 
> It is my understanding that:
> 1.  peer->callno can change outside of the function, thus it's probably unsafe to use the raw value as per lines 12223, 12229 and 12230.  I believe this should be callno, and not peer->callno.  Please correct me if I'm wrong.  This can either happen by us calling iax2_destroy, or simply another thread also scheduling a POKE on the same peer.
> 2.  All reads and writes to iaxs[X] should be protected by a lock of iaxsl[X].  Lines 12229 and 12230 violate this currently.
> I suspect my crash resulted from a sequence where a POKE was in process of being scheduled, another thread then called iax2_poke_peer for the same peer, called iax2_destroy on the iaxs[] busy being set up, and *boom* major catastrophe.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
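The race in the quoted report, as an added single-threaded model that is not part of this thread or of the Asterisk source. The names iaxs, iaxsl, callno and iax2_destroy follow the report; every other identifier is invented for the example, the lock is a held flag standing in for ast_mutex_t, and the "other thread" is a hook that runs in the window between two uses of peer->callno. poke_unsafe re-reads peer->callno and touches iaxs[] without the lock, as the report describes; poke_safe snapshots callno once, locks iaxsl[callno] and re-validates the slot under the lock, which is the reporter's suggested fix plus an ownership check for the case where the slot has been reused.

```c
/* Model of the chan_iax2 call-slot tables named in the report.  Added
 * illustrative code, not Asterisk source: iaxs/iaxsl/callno follow the
 * report, every other name is invented. */
#include <stdio.h>
#include <stdlib.h>

#define IAX_MAX_CALLS 8

struct iax2_peer { const char *name; int callno; };
struct chan_iax2_pvt { int callno; struct iax2_peer *peer; int pokes; };

/* Stand-in for ast_mutex_t: a held flag that aborts on a recursive lock,
 * so a double lock in the model is caught instead of deadlocking. */
struct slot_lock { int held; };

static struct chan_iax2_pvt *iaxs[IAX_MAX_CALLS];
static struct slot_lock iaxsl[IAX_MAX_CALLS];

static void lock_slot(int callno) {
    if (iaxsl[callno].held) { fprintf(stderr, "double lock %d\n", callno); abort(); }
    iaxsl[callno].held = 1;
}
static void unlock_slot(int callno) { iaxsl[callno].held = 0; }

/* Bind a fresh call slot to peer; iaxs[] is only written under iaxsl[]. */
static void new_call(struct iax2_peer *peer, int callno) {
    lock_slot(callno);
    iaxs[callno] = calloc(1, sizeof *iaxs[callno]);
    iaxs[callno]->callno = callno;
    iaxs[callno]->peer = peer;
    unlock_slot(callno);
    peer->callno = callno;
}

/* Model of iax2_destroy(): clears iaxs[callno] under iaxsl[callno]. */
static void destroy_call(int callno) {
    lock_slot(callno);
    free(iaxs[callno]);
    iaxs[callno] = NULL;
    unlock_slot(callno);
}

typedef void (*race_hook)(struct iax2_peer *peer);

/* The pattern the report describes: peer->callno re-read on each access and
 * iaxs[] touched with no lock.  Returns the pointer the second access would
 * dereference; NULL is where the real code would segfault. */
static struct chan_iax2_pvt *poke_unsafe(struct iax2_peer *peer, race_hook race) {
    if (!iaxs[peer->callno])          /* first unlocked read */
        return NULL;
    if (race)
        race(peer);                   /* another thread runs in the window */
    return iaxs[peer->callno];        /* second read: peer->callno may have moved */
}

/* Fixed pattern: snapshot callno once, lock iaxsl[callno], re-validate the
 * slot under the lock.  Returns 0 on success, -1 if the call was destroyed
 * or the slot handed to another call in the window. */
static int poke_safe(struct iax2_peer *peer, race_hook race) {
    int callno = peer->callno;        /* local copy, as the report suggests */
    if (race)
        race(peer);                   /* same window, before the lock is held */
    lock_slot(callno);
    if (!iaxs[callno] || iaxs[callno]->peer != peer) {
        unlock_slot(callno);
        return -1;
    }
    iaxs[callno]->pokes++;
    unlock_slot(callno);
    return 0;
}

/* Constructed interleavings and scenarios for the example. */
static struct iax2_peer peer_a = { "peer-a", -1 };
static struct iax2_peer peer_b = { "peer-b", -1 };

/* Other thread destroys the call and re-points the peer at an empty slot. */
static void race_destroy_move(struct iax2_peer *peer) {
    destroy_call(peer->callno);
    peer->callno = 5;                 /* iaxs[5] is NULL */
}
/* Other thread destroys the call; the slot is then reused by another peer. */
static void race_destroy_reuse(struct iax2_peer *peer) {
    int callno = peer->callno;
    destroy_call(callno);
    new_call(&peer_b, callno);
}

static void reset(void) {
    for (int i = 0; i < IAX_MAX_CALLS; i++) {
        if (iaxs[i]) destroy_call(i);
        iaxsl[i].held = 0;
    }
    new_call(&peer_a, 3);
}

/* 1 when the unsafe path would dereference NULL. */
int demo_unsafe_destroyed(void) { reset(); return poke_unsafe(&peer_a, race_destroy_move) == NULL; }
/* 1 when the unsafe path silently pokes peer-b's call instead of peer-a's. */
int demo_unsafe_reused(void) {
    reset();
    struct chan_iax2_pvt *pvt = poke_unsafe(&peer_a, race_destroy_reuse);
    return pvt && pvt->peer == &peer_b;
}
int demo_safe_destroyed(void) { reset(); return poke_safe(&peer_a, race_destroy_move); }
int demo_safe_reused(void)    { reset(); return poke_safe(&peer_a, race_destroy_reuse); }
/* Poke count on peer-a's call after one uncontended safe poke. */
int demo_safe_no_race(void)   { reset(); poke_safe(&peer_a, NULL); return iaxs[3]->pokes; }

int main(void) {
    printf("unsafe, destroyed: would segfault=%d\n", demo_unsafe_destroyed());
    printf("unsafe, reused:    pokes wrong call=%d\n", demo_unsafe_reused());
    printf("safe,   destroyed: rc=%d\n", demo_safe_destroyed());
    printf("safe,   reused:    rc=%d\n", demo_safe_reused());
    printf("safe,   no race:   pokes=%d\n", demo_safe_no_race());
    return 0;
}
```

The second scenario is the one the lock alone does not cover: if the slot is destroyed and immediately reused, iaxs[callno] is non-NULL again, so re-checking ownership under iaxsl[callno] (here via the peer pointer) is what turns a silent poke of the wrong call into a clean -1.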