[asterisk-bugs] [JIRA] (ASTERISK-29201) Crash occurs when Transfer and execute Hangup before the Transfer result
Dan Cropp (JIRA)
noreply at issues.asterisk.org
Tue Dec 8 13:55:16 CST 2020
[ https://issues.asterisk.org/jira/browse/ASTERISK-29201?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Dan Cropp updated ASTERISK-29201:
---------------------------------
Attachment: messages, core-thread1.txt, core-locks.txt, core-info.txt, core-full.txt, core-brief.txt
Core dump files and messages (debug set to 4).
The call sequence is as follows (10.9.9.151 is the system that crashes):
Incoming SIP call to extension 8000 at 10.9.9.151 at 18:00:03
Dialplan routes call to 8000 at 10.9.9.150 at 18:00:03
Call redirected (via manager interface) to extension 6000.
Extension 6000 executes Transfer(PJSIP/sip:8001@10.9.9.150) which sends a REFER to 10.9.9.150 at 18:00:14
10.9.9.150 sends a BYE to disconnect the call at 18:01:14
The SIP session is destroyed at 18:01:46
The transferred call is hung up, resulting in a NOTIFY from 10.9.9.150 at 18:01:54. Since the SIP session has been destroyed and its memory released, attempting to access the channel results in a crash.
> Crash occurs when Transfer and execute Hangup before the Transfer result
> -------------------------------------------------------------------------
>
> Key: ASTERISK-29201
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-29201
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: Channels/chan_pjsip
> Affects Versions: 16.15.0, 17.9.0, 18.1.0
> Environment: Ubuntu 16 and 18
> Reporter: Dan Cropp
> Assignee: Dan Cropp
> Attachments: core-brief.txt, core-full.txt, core-info.txt, core-locks.txt, core-thread1.txt, messages
>
>
> In the code I submitted for ASTERISK-26968 there is a bug which can cause a crash.
> We perform a transfer using AMI.
> The transferred call is not answered and we don't receive a transfer result; we then issue a Hangup using AMI. The call terminates, but the problem is the SUBSCRIPTION/NOTIFY is trying to access session memory after it has been freed by the hangup.
> What's missing is correct session reference counting to make sure it's not released until after we no longer need it.
> We have a fix for this issue which I would like to submit. I will need to refresh on the steps to make a submission.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
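
The lifetime rule the report describes (the session must not be released while the REFER subscription can still deliver a NOTIFY), as an added example that is neither Asterisk code nor the fix mentioned above. All type and function names are hypothetical and the reference counter is a plain, single-threaded integer standing in for a real refcounted object.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model: these are not Asterisk's ao2 or chan_pjsip types. */
struct session { int refs; int transfer_status; };
static int live_sessions;            /* sessions allocated and not yet freed */

static struct session *session_alloc(void) {
    struct session *s = calloc(1, sizeof(*s));
    if (s) { s->refs = 1; live_sessions++; }   /* creator (channel) owns one ref */
    return s;
}
static struct session *session_ref(struct session *s) { s->refs++; return s; }
static void session_unref(struct session *s) {
    if (--s->refs == 0) { live_sessions--; free(s); }
}

/* State for the subscription created by the outgoing REFER. */
struct refer_sub { struct session *session; };

static struct refer_sub *refer_sub_create(struct session *s) {
    struct refer_sub *sub = calloc(1, sizeof(*sub));
    if (sub) sub->session = session_ref(s);    /* pin the session for NOTIFYs */
    return sub;
}

/* NOTIFY handler. Returns 1 once the subscription has terminated. */
static int refer_sub_on_notify(struct refer_sub *sub, int status, int terminated) {
    sub->session->transfer_status = status;    /* valid: sub still holds its ref */
    if (!terminated) return 0;
    session_unref(sub->session);               /* last user gone, memory released */
    free(sub);
    return 1;
}

/* Replays the reported order: hangup first, transfer result afterwards. */
static int replay_hangup_before_notify(void) {
    struct session *s = session_alloc();
    struct refer_sub *sub = s ? refer_sub_create(s) : NULL;
    if (!sub) { if (s) session_unref(s); return -1; }
    session_unref(s);                          /* hangup drops the channel's ref */
    int alive_after_hangup = live_sessions;    /* still 1: pinned by sub */
    refer_sub_on_notify(sub, 200, 1);          /* late NOTIFY (constructed status) */
    return alive_after_hangup * 10 + live_sessions;
}

int main(void) { printf("%d\n", replay_hangup_before_notify()); return 0; }
```

Without the `session_ref()` call in `refer_sub_create()`, the hangup would free the session and the NOTIFY handler would write through a dangling pointer, which is the crash pattern in the report.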