[asterisk-bugs] [JIRA] (ASTERISK-24970) Crash in res_pjsip_pubsub handling of failed notify

Asterisk Team (JIRA) noreply at issues.asterisk.org
Wed Jul 27 10:24:13 CDT 2016


     [ https://issues.asterisk.org/jira/browse/ASTERISK-24970?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Asterisk Team updated ASTERISK-24970:
-------------------------------------

    Target Release Version/s: 14.0.0

> Crash in res_pjsip_pubsub handling of failed notify
> ---------------------------------------------------
>
>                 Key: ASTERISK-24970
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-24970
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Resources/res_pjsip_pubsub
>    Affects Versions: 13.3.2
>            Reporter: Scott Griepentrog
>            Assignee: Scott Griepentrog
>      Target Release: 13.4.0, 14.0.0
>
>
> During startup of Asterisk under the right conditions (various pjsip subscriptions in flight), a crash can occur where a deleted tree is referenced.
> Valgrind output (first invalid read):
> {noformat}
> ==21514== Thread 29:
> ==21514== Invalid read of size 8
> ==21514==    at 0x136D8883: send_notify (res_pjsip_pubsub.c:2059)
> ==21514==    by 0x136D9245: pubsub_on_rx_subscribe_request (res_pjsip_pubsub.c:2605)
> ==21514==    by 0x136D993F: pubsub_on_rx_request (res_pjsip_pubsub.c:3090)
> ==21514==    by 0x127F85A6: pjsip_endpt_process_rx_data (in /usr/lib/libpjsip.so.2)
> ==21514==    by 0x16065238: distribute (pjsip_distributor.c:348)
> ==21514==    by 0x5E9CF2: ast_taskprocessor_execute (taskprocessor.c:769)
> ==21514==    by 0x5F4111: threadpool_execute (threadpool.c:351)
> ==21514==    by 0x5F562F: worker_active (threadpool.c:1075)
> ==21514==    by 0x5F53EC: worker_start (threadpool.c:995)
> ==21514==    by 0x6015BD: dummy_start (utils.c:1237)
> ==21514==    by 0x6725181: start_thread (pthread_create.c:312)
> ==21514==    by 0x74A247C: clone (clone.S:111)
> ==21514==  Address 0x931de08 is 120 bytes inside a block of size 176 free'd
> ==21514==    at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
> ==21514==    by 0x45DA3D: internal_ao2_ref (astobj2.c:461)
> ==21514==    by 0x45DCCC: __ao2_ref (astobj2.c:516)
> ==21514==    by 0x45DD3C: __ao2_cleanup (astobj2.c:529)
> ==21514==    by 0x136D365A: pubsub_on_evsub_state (res_pjsip_pubsub.c:3111)
> ==21514==    by 0x123A7727: set_state (in /usr/lib/libpjsip-simple.so.2)
> ==21514==    by 0x123A880F: pjsip_evsub_terminate (in /usr/lib/libpjsip-simple.so.2)
> ==21514==    by 0x136D94ED: pubsub_on_rx_subscribe_request (res_pjsip_pubsub.c:2603)
> ==21514==    by 0x136D993F: pubsub_on_rx_request (res_pjsip_pubsub.c:3090)
> ==21514==    by 0x127F85A6: pjsip_endpt_process_rx_data (in /usr/lib/libpjsip.so.2)
> ==21514==    by 0x16065238: distribute (pjsip_distributor.c:348)
> ==21514==    by 0x5E9CF2: ast_taskprocessor_execute (taskprocessor.c:769)
> {noformat}
> The invalid read in send_notify() is of sub_tree->evsub, where sub_tree is passed in from pubsub_on_rx_subscribe_request() and was recently created via create_subscription_tree(). However, prior to the invalid reference of sub_tree, it was freed indirectly by the call to pjsip_evsub_terminate() in the case that generate_initial_notify() fails.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
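
Added example, not part of the original message and not Asterisk code: a minimal C model of the lifetime problem the issue describes, where a terminate call drops the last reference to the tree before the notify step reads it. All names (struct tree, terminate, reported_order, guarded_order) are hypothetical stand-ins, and the guarded variant shows one generic remedy, not the fix applied in Asterisk.

```c
#include <stdlib.h>

/* Simplified stand-in for the subscription tree; all names are hypothetical. */
struct tree { int refs; int evsub; };

static int live; /* trees currently allocated */

static struct tree *tree_new(void) {
    struct tree *t = calloc(1, sizeof(*t));
    if (!t) abort();
    t->refs = 1;  /* the reference owned by the evsub side */
    t->evsub = 7; /* constructed sample value */
    live++;
    return t;
}
static void tree_ref(struct tree *t) { t->refs++; }
static void tree_unref(struct tree *t) {
    if (--t->refs == 0) { free(t); live--; }
}

/* Models pjsip_evsub_terminate(): its state callback drops the evsub's reference. */
static void terminate(struct tree *t) { tree_unref(t); }

/* Models send_notify(): reads t->evsub, so t must still be alive. */
static int send_notify(struct tree *t) { return t->evsub; }

/* Order from the report: terminate on failure, then continue to the notify step.
 * Returns -1 at the point where the reported code read freed memory. */
int reported_order(int initial_notify_fails) {
    struct tree *t = tree_new();
    int before = live;
    if (initial_notify_fails) terminate(t);
    if (live < before) return -1; /* t is freed; the model stops instead of reading it */
    int r = send_notify(t);
    terminate(t);                 /* model: the subscription ends later */
    return r;
}

/* Guarded order: hold a caller reference across the call that may free the tree,
 * and only notify when the initial notify succeeded. */
int guarded_order(int initial_notify_fails) {
    struct tree *t = tree_new();
    int r = 0;
    tree_ref(t);                  /* caller's own reference */
    if (initial_notify_fails) {
        terminate(t);             /* drops only the evsub's reference */
    } else {
        r = send_notify(t);
        terminate(t);             /* model: the subscription ends later */
    }
    tree_unref(t);                /* release the caller's reference last */
    return r;
}
```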