[asterisk-bugs] [JIRA] (ASTERISK-28612) res_pjsip_t38: crash on reinvite with zero port and no c= line
Friendly Automation (JIRA)
noreply at issues.asterisk.org
Thu Nov 21 13:46:32 CST 2019
[ https://issues.asterisk.org/jira/browse/ASTERISK-28612?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=248835#comment-248835 ]
Friendly Automation commented on ASTERISK-28612:
------------------------------------------------
Change 13231 merged by Benjamin Keith Ford:
res_pjsip_session.c: Check for port of zero on incoming SDP.
https://gerrit.asterisk.org/c/asterisk/+/13231
> res_pjsip_t38: crash on reinvite with zero port and no c= line
> --------------------------------------------------------------
>
> Key: ASTERISK-28612
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-28612
> Project: Asterisk
> Issue Type: Bug
> Components: Resources/res_pjsip_t38
> Affects Versions: 13.20.0
> Reporter: Salah Ahmed
> Assignee: Unassigned
> Labels: patch
> Attachments: ASTERISK-28612.diff
>
>
> Hello,
> Recently we experienced a crash on a T38 call. It seems the crash happened when a malformed SDP was received from the B-Side endpoint.
> Malformed SDP:
> v=0
> o=Sippy 1186479683731557114 3 IN IP4 192.168.1.10
> s=WebRTCLink
> t=0 0
> m=image 0 udptl t38
> Back-trace Core:
> #0 0x00007f5876d934c5 in pj_strlen (str=0x20) at /usr/include/pj/string.h:272
> #1 0x00007f5876d9926c in ast_copy_pj_str (dest=0x7f589160a2f0 "\220\245`\221X\177", src=0x20, size=1025) at res_pjsip.c:4318
> #2 0x00007f581ed0b7cc in negotiate_incoming_sdp_stream (session=0x7f587800a860, session_media=0x7f587800b290, sdp=0x7f587801e7c8, stream=0x7f587801ed08) at res_pjsip_t38.c:773
> #3 0x00007f5827550a41 in handle_incoming_sdp (session=0x7f587800a860, sdp=0x7f587801e7c8) at res_pjsip_session.c:254
> #4 0x00007f582755884d in session_inv_on_rx_offer (inv=0x7f58780092f8, offer=0x7f587801e7c8) at res_pjsip_session.c:3067
> #5 0x00007f58765de4b1 in inv_check_sdp_in_incoming_msg (inv=0x7f58780092f8, tsx=0x7f5878008338, rdata=0x7f5798004e88) at ../src/pjsip-ua/sip_inv.c:2126
> #6 0x00007f58765e30f4 in inv_on_state_confirmed (inv=0x7f58780092f8, e=0x7f589160aa30) at ../src/pjsip-ua/sip_inv.c:4883
> #7 0x00007f58765db580 in mod_inv_on_tsx_state (tsx=0x7f5878008338, e=0x7f589160aa30) at ../src/pjsip-ua/sip_inv.c:718
> #8 0x00007f587619fe0c in pjsip_dlg_on_tsx_state (dlg=0x7f58780072e8, tsx=0x7f5878008338, e=0x7f589160aa30) at ../src/pjsip/sip_dialog.c:2066
> #9 0x00007f58761a06ee in mod_ua_on_tsx_state (tsx=0x7f5878008338, e=0x7f589160aa30) at ../src/pjsip/sip_ua_layer.c:178
> #10 0x00007f58761981ef in tsx_set_state (tsx=0x7f5878008338, state=PJSIP_TSX_STATE_TRYING, event_src_type=PJSIP_EVENT_RX_MSG, event_src=0x7f5798004e88, flag=0) at ../src/pjsip/sip_transaction.c:1268
> #11 0x00007f587619a506 in tsx_on_state_null (tsx=0x7f5878008338, event=0x7f589160aac0) at ../src/pjsip/sip_transaction.c:2425
> #12 0x00007f58761991fd in pjsip_tsx_recv_msg (tsx=0x7f5878008338, rdata=0x7f5798004e88) at ../src/pjsip/sip_transaction.c:1828
> #13 0x00007f587619f4dc in pjsip_dlg_on_rx_request (dlg=0x7f58780072e8, rdata=0x7f5798004e88) at ../src/pjsip/sip_dialog.c:1713
> #14 0x00007f58761a1210 in mod_ua_on_rx_request (rdata=0x7f5798004e88) at ../src/pjsip/sip_ua_layer.c:704
> #15 0x00007f587617be8e in pjsip_endpt_process_rx_data (endpt=0x26076e8, rdata=0x7f5798004e88, p=0x7f5876fd4ea0 <param>, p_handled=0x7f589160acb4) at ../src/pjsip/sip_endpoint.c:895
> #16 0x00007f5876dabca9 in distribute (data=0x7f5798004e88) at res_pjsip/pjsip_distributor.c:897
> #17 0x00000000005e116f in ast_taskprocessor_execute (tps=0x289bfb0) at taskprocessor.c:971
> #18 0x00000000005ead80 in execute_tasks (data=0x289bfb0) at threadpool.c:1322
> #19 0x00000000005e116f in ast_taskprocessor_execute (tps=0x2603440) at taskprocessor.c:971
> #20 0x00000000005e9042 in threadpool_execute (pool=0x2603b80) at threadpool.c:351
> #21 0x00000000005ea6f6 in worker_active (worker=0x7f5810000ee0) at threadpool.c:1105
> #22 0x00000000005ea4af in worker_start (arg=0x7f5810000ee0) at threadpool.c:1024
> #23 0x00000000005f6743 in dummy_start (data=0x7f5810000e70) at utils.c:1238
> #24 0x00007f5892a60064 in start_thread (arg=0x7f589160b700) at pthread_create.c:309
> #25 0x00007f5891d4862d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
> Thanks,
> Salah
--
This message was sent by Atlassian JIRA
(v6.2#6252)
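
The backtrace in the report shows an address being copied from a near-null pointer (src=0x20) while negotiating a stream whose SDP has port 0 and no c= line. The sketch below is an added example, not the merged Asterisk change or any Asterisk code: it classifies the first m= stream before any connection address is read. The function name, enum and parsing approach are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum verdict { STREAM_OK, STREAM_DECLINED, STREAM_NO_CONN, STREAM_NONE };

/* SDP body from the report above: port 0 and no c= line at any level. */
static const char REPORTED_SDP[] =
    "v=0\r\no=Sippy 1186479683731557114 3 IN IP4 192.168.1.10\r\n"
    "s=WebRTCLink\r\nt=0 0\r\nm=image 0 udptl t38\r\n";

/* Hypothetical helper: classify the first m= stream of an SDP body and,
 * only when it is usable, copy its connection address into addr. */
enum verdict check_first_stream(const char *sdp, char *addr, size_t addr_sz)
{
    const char *conn = NULL, *p = sdp;
    size_t conn_len = 0;
    int seen_media = 0;
    long port = 0;

    while (*p) {
        size_t n = strcspn(p, "\r\n");
        if (n > 2 && !strncmp(p, "m=", 2)) {
            const char *sp = memchr(p, ' ', n);
            if (seen_media) break;        /* later streams are not examined */
            seen_media = 1;
            port = sp ? strtol(sp + 1, NULL, 10) : 0;
        } else if (n > 2 && !strncmp(p, "c=", 2)) {
            /* Last token is the address; a media-level c= (after m=)
             * overrides the session-level one. */
            size_t i = n;
            while (i > 2 && p[i - 1] != ' ') i--;
            conn = p + i;
            conn_len = n - i;
        }
        p += n;
        p += strspn(p, "\r\n");
    }
    if (!seen_media) return STREAM_NONE;
    if (port <= 0) return STREAM_DECLINED;   /* port 0: do not negotiate */
    if (!conn || conn_len == 0) return STREAM_NO_CONN; /* reject, no deref */
    snprintf(addr, addr_sz, "%.*s", (int)conn_len, conn);
    return STREAM_OK;
}

int main(void)
{
    char addr[64] = "";
    printf("reported SDP verdict: %d\n", check_first_stream(REPORTED_SDP, addr, sizeof(addr)));
    return 0;
}
```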