[asterisk-bugs] [JIRA] (ASTERISK-26978) rtp: Crash in ast_rtp_codecs_payload_code()

Richard Mudgett (JIRA) noreply at issues.asterisk.org
Fri May 5 11:37:57 CDT 2017


    [ https://issues.asterisk.org/jira/browse/ASTERISK-26978?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=236880#comment-236880 ] 

Richard Mudgett commented on ASTERISK-26978:
--------------------------------------------

The new backtrace isn't showing anything different than the one two days ago. MALLOC_DEBUG does give more of a corroborating hint that the rtp instance bridged with pointer has already been freed. It says we have corrupted an already freed rtp instance. I was more hoping for a 0xdeaddead crash as those tend to be very helpful.

The new backtrace and the one two days ago show that the called channel has left the native rtp bridge without clearing the caller's rtp instance bridged with pointer. The caller channel then tries to pass an rtp frame to the dead callee channel's rtp instance and deadlocks on the already freed memory.

What I suspect is happening is when a channel leaves the native rtp bridge it cannot find the rtp instance of one of the channels and thus cannot clear the bridged with pointer for that channel.  I think what the native rtp bridge needs to do is save a pointer and ao2 ref of each rtp instance when the second channel gets in the bridge.  Then when one of the channels leaves the bridge we can ensure that both rtp instances will get their bridged with pointer cleared.

> rtp: Crash in ast_rtp_codecs_payload_code()
> -------------------------------------------
>
>                 Key: ASTERISK-26978
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-26978
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Core/RTP
>    Affects Versions: GIT
>         Environment: Fedora 23
>            Reporter: Ross Beer
>         Attachments: backtrace_20170502_clean.txt
>
>
> A crash has been introduced in a recent GIT commit:
> [5561] rtp_engine.c: Fix deadlock potential copying RTP payload maps.
> Please see attached backtrace, if required I can provide an unredacted trace.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
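The symmetric-clear approach proposed in the comment above, modelled as an added example (not Asterisk code): rtp_instance, native_bridge and the ref helpers are hypothetical stand-ins for ast_rtp_instance and the ao2 refcount API, and the scenario function replays the ticket's ordering where the callee goes away first.

```c
/* Added example (not Asterisk code): minimal model of the symmetric-clear fix
 * described above. rtp_instance, native_bridge and the ref helpers are
 * hypothetical stand-ins for ast_rtp_instance and the ao2 refcount API. */
#include <stdlib.h>

struct rtp_instance {
    int refs;                      /* stand-in for the ao2 refcount */
    struct rtp_instance *bridged;  /* peer we pass RTP frames to directly */
};
/* Two-party native bridge that holds its own ref on each instance. */
struct native_bridge { struct rtp_instance *a, *b; };

static struct rtp_instance *rtp_alloc(void)
{ struct rtp_instance *i = calloc(1, sizeof(*i)); if (i) i->refs = 1; return i; }
static struct rtp_instance *rtp_ref(struct rtp_instance *i) { i->refs++; return i; }
static void rtp_unref(struct rtp_instance *i) { if (i && --i->refs == 0) free(i); }

/* Taking the refs here is the fix: the bridge remembers both instances itself
 * instead of re-looking them up through the channels when one leaves. */
static void native_bridge_start(struct native_bridge *nb,
                                struct rtp_instance *a, struct rtp_instance *b)
{
    nb->a = rtp_ref(a);
    nb->b = rtp_ref(b);
    a->bridged = b;
    b->bridged = a;
}

/* Clear both bridged pointers unconditionally, then drop the bridge's refs,
 * so neither instance can be freed while the other still points at it. */
static void native_bridge_stop(struct native_bridge *nb)
{
    if (nb->a) nb->a->bridged = NULL;
    if (nb->b) nb->b->bridged = NULL;
    rtp_unref(nb->a);
    rtp_unref(nb->b);
    nb->a = nb->b = NULL;
}

/* Ticket scenario: callee drops its own ref while still bridged.
 * Returns 1 if the caller never holds a dangling bridged pointer. */
static int callee_leaves_first(void)
{
    struct native_bridge nb = { NULL, NULL };
    struct rtp_instance *caller = rtp_alloc(), *callee = rtp_alloc();
    int ok;
    native_bridge_start(&nb, caller, callee);
    rtp_unref(callee);                   /* callee channel hangs up */
    ok = callee->refs == 1 && caller->bridged == callee;  /* bridge ref keeps it alive */
    native_bridge_stop(&nb);             /* teardown clears both sides */
    ok = ok && caller->bridged == NULL && caller->refs == 1;
    rtp_unref(caller);
    return ok;
}
```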
