[asterisk-bugs] [JIRA] (ASTERISK-24970) Crash in res_pjsip_pubsub handling of failed notify

Scott Griepentrog (JIRA) noreply at issues.asterisk.org
Thu Apr 16 12:56:33 CDT 2015


Scott Griepentrog created ASTERISK-24970:
--------------------------------------------

             Summary: Crash in res_pjsip_pubsub handling of failed notify
                 Key: ASTERISK-24970
                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-24970
             Project: Asterisk
          Issue Type: Bug
      Security Level: None
    Affects Versions: 13.3.2
            Reporter: Scott Griepentrog


During startup of Asterisk under the right conditions (various pjsip subscriptions in flight), a crash can occur where a deleted tree is referenced.

Valgrind output (first invalid read):

{noformat}
==21514== Thread 29:
==21514== Invalid read of size 8
==21514==    at 0x136D8883: send_notify (res_pjsip_pubsub.c:2059)
==21514==    by 0x136D9245: pubsub_on_rx_subscribe_request (res_pjsip_pubsub.c:2605)
==21514==    by 0x136D993F: pubsub_on_rx_request (res_pjsip_pubsub.c:3090)
==21514==    by 0x127F85A6: pjsip_endpt_process_rx_data (in /usr/lib/libpjsip.so.2)
==21514==    by 0x16065238: distribute (pjsip_distributor.c:348)
==21514==    by 0x5E9CF2: ast_taskprocessor_execute (taskprocessor.c:769)
==21514==    by 0x5F4111: threadpool_execute (threadpool.c:351)
==21514==    by 0x5F562F: worker_active (threadpool.c:1075)
==21514==    by 0x5F53EC: worker_start (threadpool.c:995)
==21514==    by 0x6015BD: dummy_start (utils.c:1237)
==21514==    by 0x6725181: start_thread (pthread_create.c:312)
==21514==    by 0x74A247C: clone (clone.S:111)
==21514==  Address 0x931de08 is 120 bytes inside a block of size 176 free'd
==21514==    at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21514==    by 0x45DA3D: internal_ao2_ref (astobj2.c:461)
==21514==    by 0x45DCCC: __ao2_ref (astobj2.c:516)
==21514==    by 0x45DD3C: __ao2_cleanup (astobj2.c:529)
==21514==    by 0x136D365A: pubsub_on_evsub_state (res_pjsip_pubsub.c:3111)
==21514==    by 0x123A7727: set_state (in /usr/lib/libpjsip-simple.so.2)
==21514==    by 0x123A880F: pjsip_evsub_terminate (in /usr/lib/libpjsip-simple.so.2)
==21514==    by 0x136D94ED: pubsub_on_rx_subscribe_request (res_pjsip_pubsub.c:2603)
==21514==    by 0x136D993F: pubsub_on_rx_request (res_pjsip_pubsub.c:3090)
==21514==    by 0x127F85A6: pjsip_endpt_process_rx_data (in /usr/lib/libpjsip.so.2)
==21514==    by 0x16065238: distribute (pjsip_distributor.c:348)
==21514==    by 0x5E9CF2: ast_taskprocessor_execute (taskprocessor.c:769)
{noformat}

The invalid read in send_notify() is of sub_tree->evsub, where sub_tree is passed in from pubsub_on_rx_subscribe_request() and was recently created via create_subscription_tree(). However, prior to the invalid reference of sub_tree, it was freed indirectly by the call to pjsip_evsub_terminate() in the case that generate_initial_notify() fails.




--
This message was sent by Atlassian JIRA
(v6.2#6252)
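The lifetime problem the report describes, reduced to a stand-alone C illustration (added here; this is not Asterisk or pjsip code, and it does not claim to be the fix that was committed). A refcounted "subscription tree" holds a single reference that the state callback releases on termination, exactly as the Valgrind trace shows ao2_cleanup() doing from pubsub_on_evsub_state(); the caller then keeps using its raw pointer. The names tree_alloc, tree_ref, tree_unref, on_evsub_state, evsub_terminate, send_notify, on_rx_subscribe_buggy and on_rx_subscribe_fixed are simplified stand-ins for the real functions, and the quarantine that marks dead objects instead of freeing them is a teaching device that lets the buggy path be detected deterministically rather than reading freed memory:

```c
/* Added illustration (not Asterisk code) of the lifetime bug described in the
 * report: a refcounted "subscription tree" whose only reference is dropped from
 * inside a state callback while the caller still holds a raw pointer to it.
 * All names are simplified stand-ins for the res_pjsip_pubsub / pjsip ones. */
#include <stdlib.h>

enum { SUB_STATE_ACTIVE = 0, SUB_STATE_TERMINATED = 1 };
enum { SUBSCRIBE_OK = 0, SUBSCRIBE_FAILED = -1, SUBSCRIBE_USE_AFTER_FREE = -2 };

struct sub_tree;
struct evsub { int state; struct sub_tree *tree; };

struct sub_tree {
    int refs;            /* stand-in for the ao2 reference count */
    int dead;            /* set when refs hits zero; memory is quarantined, not freed */
    struct evsub *evsub;
    int notifies_sent;
};

/* Quarantine: objects whose refcount reached zero are kept and marked dead so a
 * later access is detected instead of being undefined behaviour. This stands in
 * for what Valgrind/ASan do; it is not a production pattern. */
#define QUARANTINE_MAX 16
static struct sub_tree *quarantine[QUARANTINE_MAX];
static int quarantine_len;

static struct sub_tree *tree_alloc(void)
{
    struct sub_tree *t = calloc(1, sizeof(*t));
    t->evsub = calloc(1, sizeof(*t->evsub));
    t->evsub->tree = t;
    t->refs = 1;         /* the module's reference, released by the state callback */
    return t;
}

static void tree_ref(struct sub_tree *t) { t->refs++; }

static void tree_unref(struct sub_tree *t)
{
    if (--t->refs == 0) {
        t->dead = 1;
        if (quarantine_len < QUARANTINE_MAX)
            quarantine[quarantine_len++] = t;
    }
}

/* Stand-in for pubsub_on_evsub_state(): on termination the module drops the
 * reference it holds on the tree (the ao2_cleanup() call in the trace). */
static void on_evsub_state(struct evsub *sub)
{
    if (sub->state == SUB_STATE_TERMINATED)
        tree_unref(sub->tree);
}

/* Stand-in for pjsip_evsub_terminate(): changes state and runs the callback
 * synchronously, so the tree can be released before this returns. */
static void evsub_terminate(struct evsub *sub)
{
    sub->state = SUB_STATE_TERMINATED;
    on_evsub_state(sub);
}

/* Stand-in for send_notify(): reads tree->evsub. With the quarantine it can
 * report a dead object instead of reading freed memory. */
static int send_notify(struct sub_tree *t)
{
    if (t->dead)
        return SUBSCRIBE_USE_AFTER_FREE;
    if (t->evsub->state != SUB_STATE_ACTIVE)
        return SUBSCRIBE_FAILED;
    t->notifies_sent++;
    return SUBSCRIBE_OK;
}

/* Buggy shape from the report: terminate when the initial notify fails, then
 * fall through to send_notify() on a pointer the caller no longer owns. */
static int on_rx_subscribe_buggy(int initial_notify_ok)
{
    struct sub_tree *t = tree_alloc();
    if (!initial_notify_ok)
        evsub_terminate(t->evsub);   /* drops the last reference */
    return send_notify(t);           /* reads the dead tree */
}

/* Hardened shape: the caller holds its own reference for the duration of the
 * handler, so the callback cannot free the tree underneath it, and it returns
 * without touching the tree again once termination has been requested. */
static int on_rx_subscribe_fixed(int initial_notify_ok)
{
    struct sub_tree *t = tree_alloc();
    int rc;
    tree_ref(t);
    if (!initial_notify_ok) {
        evsub_terminate(t->evsub);   /* module's ref gone; ours keeps t alive */
        rc = SUBSCRIBE_FAILED;
    } else {
        rc = send_notify(t);
    }
    tree_unref(t);                   /* last ref on the failure path: quarantined, not leaked */
    return rc;
}

/* Count quarantined trees, then free them for real. Used to show the fixed
 * failure path releases the tree exactly once. */
static int quarantine_flush(void)
{
    int n = quarantine_len;
    for (int i = 0; i < quarantine_len; i++) {
        free(quarantine[i]->evsub);
        free(quarantine[i]);
    }
    quarantine_len = 0;
    return n;
}
```

The rule the example encodes is the one the Valgrind trace points at: any call that can run the evsub state callback (here pjsip_evsub_terminate()) may release the module's reference, so a handler that still needs the tree afterwards must hold a reference of its own and must check the outcome before dereferencing the pointer again. On the success path the extra reference is released and the module's reference keeps the subscription alive, as it does for a normal established subscription.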