[asterisk-bugs] [JIRA] (ASTERISK-25057) res_pjsip_pubsub: Crash in send_notify due to invalid root pointer in sub_tree

Joshua Colp (JIRA) noreply at issues.asterisk.org
Thu May 7 15:13:33 CDT 2015 

     [ https://issues.asterisk.org/jira/browse/ASTERISK-25057?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Joshua Colp closed ASTERISK-25057.
----------------------------------


> res_pjsip_pubsub: Crash in send_notify due to invalid root pointer in sub_tree
> ------------------------------------------------------------------------------
>
>                 Key: ASTERISK-25057
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-25057
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Resources/res_pjsip_pubsub
>    Affects Versions: 13.3.2
>            Reporter: Matt Jordan
>            Assignee: Joshua Colp
>
> Note that we don't have the best backtraces for this crash, although the {{core}} file displays exactly what the problem is.
> {code}
> (gdb) bt full
> #0  0x047ab62e in send_notify (sub_tree=0x9298fe4, force_full_state=0) at res_pjsip_pubsub.c:2062
>         evsub = 0x0
>         tdata = 0x344d660
> #1  0x047ab911 in ast_sip_subscription_notify (sub=0x998be34, notify_data=0xb14620f4, terminate=0) at res_pjsip_pubsub.c:2154
>         res = 134840417
> #2  0x0114b524 in notify_task (obj=0x9d601afc) at res_pjsip_exten_state.c:240
>         task_data = 0x9d601afc
>         data = {body_type = 0x114beee "ast_sip_exten_state_data", body_data = 0x9d601afc}
> #3  0x081f50bc in ast_taskprocessor_execute ()
> No symbol table info available.
> #4  0x081fd13d in execute_tasks ()
> No symbol table info available.
> #5  0x081f50bc in ast_taskprocessor_execute ()
> No symbol table info available.
> #6  0x081fba29 in threadpool_execute ()
> No symbol table info available.
> #7  0x081fce60 in worker_active ()
> No symbol table info available.
> #8  0x081fcc20 in worker_start ()
> No symbol table info available.
> #9  0x0820725c in dummy_start ()
> No symbol table info available.
> #10 0x009f8b39 in start_thread () from /lib/libpthread.so.0
> No symbol table info available.
> #11 0x00908c2e in clone () from /lib/libc.so.6
> No symbol table info available.
> (gdb) 
> {code}
> Looking at the code in {{res_pjsip_pubsub.c:2062}}, we don't have anything quite obvious that would cause the crash. Somewhat more likely is what we see on the next line:
> {code}
> 2061:	pjsip_evsub *evsub = sub_tree->evsub;
> 2062:	pjsip_tx_data *tdata;
> 2063:
> 2064:	if (ast_shutdown_final()
> 		&& sub_tree->root->subscription_state == PJSIP_EVSUB_STATE_TERMINATED
> 		&& sub_tree->persistence) {
> 2065:		return 0;
> 2066:	}
> {code}
> Simply declaring {{tdata}} on the stack shouldn't do anything. Dereferencing {{sub_tree}} is more likely our problem. The core file shows the following:
> {code}
> (gdb) print *sub_tree
> $1 = {endpoint = 0x0, serializer = 0x0, role = AST_SIP_SUBSCRIBER, persistence = 0x0, evsub = 0x0, dlg = 0x0, notification_batch_interval = 0, 
>   notify_sched_id = 1929405545, send_scheduled_notify = 1885302889, root = 0x69766f72, is_list = 1601332580, next = {next = 0x68}}
> (gdb) print *sub_tree->root
> Cannot access memory at address 0x69766f72
> (gdb) 
> {code}
> So that's no good.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

More information about the asterisk-bugs mailing list