[asterisk-bugs] [JIRA] (ASTERISK-24759) Reference of deleted ao2 object during shutdown of res_pjsip_pubsub

Scott Griepentrog (JIRA) noreply at issues.asterisk.org
Thu Feb 5 11:05:34 CST 2015


Scott Griepentrog created ASTERISK-24759:
--------------------------------------------

             Summary: Reference of deleted ao2 object during shutdown of res_pjsip_pubsub
                 Key: ASTERISK-24759
                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-24759
             Project: Asterisk
          Issue Type: Bug
      Security Level: None
            Reporter: Scott Griepentrog
            Severity: Minor


During CLI command "core shutdown gracefully", send_notify() can be called on a subscription tree, and it is possible for that ao2 object to be unreferenced during the call.  This was caught with valgrind:

{noformat}
==11153== Invalid write of size 4
==11153==    at 0x14CCF322: send_notify (res_pjsip_pubsub.c:2088)
==11153==    by 0x14CD0BF1: subscription_persistence_recreate (res_pjsip_pubsub.c:1385)
==11153==    by 0x45D94B: internal_ao2_traverse (astobj2_container.c:351)
==11153==    by 0x45DC3B: __ao2_callback_debug (astobj2_container.c:446)
==11153==    by 0x14CC8791: subscription_persistence_load (res_pjsip_pubsub.c:1408)
==11153==    by 0x5EB583: ast_taskprocessor_execute (taskprocessor.c:769)
==11153==    by 0x5F5853: threadpool_execute (threadpool.c:351)
==11153==    by 0x5F709B: worker_active (threadpool.c:1075)
==11153==    by 0x5F6E37: worker_start (threadpool.c:995)
==11153==    by 0x602F83: dummy_start (utils.c:1232)
==11153==    by 0x670DDF2: start_thread (in /usr/lib64/libpthread-2.17.so)
==11153==    by 0x74651AC: clone (in /usr/lib64/libc-2.17.so)
==11153==  Address 0xa68e840 is 144 bytes inside a block of size 176 free'd
==11153==    at 0x4C29577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==11153==    by 0x45C5D7: internal_ao2_ref (astobj2.c:458)
==11153==    by 0x45C6AB: __ao2_ref_debug (astobj2.c:484)
==11153==    by 0x45C8B0: __ao2_cleanup_debug (astobj2.c:519)
==11153==    by 0x14CC9D24: pubsub_on_evsub_state (res_pjsip_pubsub.c:3111)
==11153==    by 0xE85A797: set_state (in /usr/lib64/libpjsip-simple.so.2)
==11153==    by 0xE85BA53: mod_evsub_on_tsx_state (in /usr/lib64/libpjsip-simple.so.2)
==11153==    by 0xEA9A92C: pjsip_dlg_on_tsx_state (in /usr/lib64/libpjsip.so.2)
==11153==    by 0xEA94959: tsx_set_state (in /usr/lib64/libpjsip.so.2)
==11153==    by 0xEA9649E: tsx_on_state_proceeding_uac (in /usr/lib64/libpjsip.so.2)
==11153==    by 0xEA9681C: tsx_on_state_calling (in /usr/lib64/libpjsip.so.2)
==11153==    by 0xEA97CEE: pjsip_tsx_recv_msg (in /usr/lib64/libpjsip.so.2)
==11153== 
{noformat}

Here res_pjsip_pubsub.c:2088 is the last line below, which sets the scheduled notify to zero; this points to the sub_tree object being deleted during the send_request:

{noformat}
    if (sub_tree->is_list) {
        pjsip_require_hdr *require = create_require_eventlist(tdata->pool);
        pjsip_msg_add_hdr(tdata->msg, (pjsip_hdr *) require);
    }

    if (sip_subscription_send_request(sub_tree, tdata)) {
        return -1;
    }

    sub_tree->send_scheduled_notify = 0;
{noformat}
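The following is an added illustration of the lifetime problem described above, not code from Asterisk or from the reporter. It uses a toy ao2-style reference-counted object (constructed for the example; not the real astobj2 API) whose "destructor" only marks the object as freed, so the outcome can be checked without an actual dangling write. send_request_during_shutdown() stands in for sip_subscription_send_request() with the state callback dropping the last reference inside it, as the valgrind trace shows; send_notify_unsafe() mirrors the reported code path, and send_notify_safe() shows the usual mitigation of holding your own reference across the call.

```c
#include <stdio.h>
#include <stdlib.h>

/*
 * Toy model of an ao2-style reference-counted object. This is constructed
 * for the example and is not Asterisk's astobj2 API: the destructor only
 * marks the object as freed (instead of calling free()) so that a test can
 * observe whether code touched the object after its last reference was gone.
 */
struct sub_tree {
    int refcount;
    int freed;                  /* 1 once the last reference has been dropped */
    int send_scheduled_notify;
};

static struct sub_tree *sub_tree_alloc(void)
{
    struct sub_tree *t = calloc(1, sizeof(*t));
    if (t) {
        t->refcount = 1;        /* the owner's (e.g. the evsub's) reference */
        t->send_scheduled_notify = 1;
    }
    return t;
}

/* Equivalent of ao2_ref(obj, delta): adjust the count, "destroy" at zero. */
static void sub_tree_ref(struct sub_tree *t, int delta)
{
    t->refcount += delta;
    if (t->refcount == 0) {
        t->freed = 1;           /* real ao2 would run the destructor and free() here */
    }
}

/*
 * Stand-in for sip_subscription_send_request(). During graceful shutdown the
 * transaction state callback (pubsub_on_evsub_state in the report) can run
 * synchronously inside the send and release the reference that kept sub_tree
 * alive; this model does exactly that and reports the send as successful.
 */
static int send_request_during_shutdown(struct sub_tree *t)
{
    sub_tree_ref(t, -1);
    return 0;
}

/* Mirrors the reported path: writes to sub_tree right after the send. Returns
 * 1 if that write landed on an already-destroyed object, 0 otherwise. */
static int send_notify_unsafe(struct sub_tree *t)
{
    int wrote_to_freed;

    if (send_request_during_shutdown(t)) {
        return -1;
    }
    wrote_to_freed = t->freed;  /* this is the write valgrind flagged */
    t->send_scheduled_notify = 0;
    return wrote_to_freed;
}

/* Hardened form: take our own reference for the duration of the call so the
 * object cannot be destroyed underneath us, and release it afterwards. */
static int send_notify_safe(struct sub_tree *t)
{
    int rc;
    int wrote_to_freed = 0;

    sub_tree_ref(t, +1);
    rc = send_request_during_shutdown(t);
    if (rc == 0) {
        wrote_to_freed = t->freed;
        t->send_scheduled_notify = 0;
    }
    sub_tree_ref(t, -1);        /* may be the final reference: destroyed here, safely */
    return rc ? -1 : wrote_to_freed;
}

/* Runs one shutdown scenario and returns whether a use-after-free write occurred. */
static int run_scenario(int hardened)
{
    struct sub_tree *t = sub_tree_alloc();
    int result;

    if (!t) {
        return -1;
    }
    result = hardened ? send_notify_safe(t) : send_notify_unsafe(t);
    free(t);                    /* the model never freed it; reclaim the memory now */
    return result;
}

int main(void)
{
    printf("unsafe send_notify wrote to freed object: %d\n", run_scenario(0));
    printf("hardened send_notify wrote to freed object: %d\n", run_scenario(1));
    return 0;
}
```

The point of the hardened variant is that the caller's correctness no longer depends on what the callbacks underneath the send do with their references: the object is guaranteed to outlive the write to send_scheduled_notify, and the final release happens at a point the caller controls.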




--
This message was sent by Atlassian JIRA
(v6.2#6252)