[asterisk-bugs] [JIRA] (ASTERISK-28743) Asterisk is crashing if the 200 OK with SDP
Joshua C. Colp (JIRA)
noreply at issues.asterisk.org
Fri Feb 14 10:17:25 CST 2020
[ https://issues.asterisk.org/jira/browse/ASTERISK-28743?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Joshua C. Colp updated ASTERISK-28743:
--------------------------------------
Security: None (was: Reporter, Bug Marshals, and Digium)
> Asterisk is crashing if the 200 OK with SDP
> -------------------------------------------
>
> Key: ASTERISK-28743
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-28743
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: Resources/res_pjsip
> Affects Versions: 16.8.0, 17.2.0
> Reporter: sungtae kim
> Labels: security
>
> When Asterisk receives a 200 OK with SDP, the pjsip module fires a couple of callback functions.
> But in some conditions this creates a race condition, eventually causing a crash.
> For example,
> * If the outgoing call is connected to an existing bridge, Asterisk sends a re-INVITE after receiving the 200 OK.
> * But if the received SDP was not acceptable, Asterisk proceeds with a hangup.
> * These two actions, sending the re-INVITE and doing the hangup, create a race condition in ast_sip_session_refresh().
> {noformat}
> (gdb) where
> #0 0x00007f8f187f10c2 in pj_strdup (pool=0x7f8f04068e80, dst=0x7f8edc219398, src=0x0) at ../include/pj/string_i.h:40
> #1 0x00007f8f1879ae84 in pjmedia_sdp_neg_modify_local_offer2 (pool=0x7f8f04068e80, neg=0x7f8f04571270, flags=1, local=0x7f8edc0a8af8) at ../src/pjmedia/sdp_neg.c:336
> #2 0x00007f8f187178b0 in pjsip_inv_reinvite (inv=0x7f8f04110638, new_contact=0x0, new_offer=0x7f8edc0a8af8, p_tdata=0x7f8eaba18ba0) at ../src/pjsip-ua/sip_inv.c:3004
> #3 0x00007f8ec6fcbdb1 in ast_sip_session_refresh (session=0x7f8f04097cd0, on_request_creation=0x0, on_sdp_creation=0x0, on_response=0x7f8eafdc6786 <on_topology_change_response>,
> method=AST_SIP_SESSION_REFRESH_METHOD_INVITE, generate_new_sdp=1, media_state=0x7f8ee801aef0) at res_pjsip_session.c:1768
> #4 0x00007f8ec6fca580 in send_delayed_request (session=0x7f8f04097cd0, delay=0x7f8f04ee6020) at res_pjsip_session.c:1256
> #5 0x00007f8ec6fca8e2 in invite_terminated (vsession=0x7f8f04097cd0) at res_pjsip_session.c:1355
> #6 0x0000557ce3889d5a in ast_taskprocessor_execute (tps=0x7f8f042299a0) at taskprocessor.c:1237
> #7 0x0000557ce3893954 in execute_tasks (data=0x7f8f042299a0) at threadpool.c:1354
> #8 0x0000557ce3889d5a in ast_taskprocessor_execute (tps=0x557ce6683d30) at taskprocessor.c:1237
> #9 0x0000557ce3891507 in threadpool_execute (pool=0x557ce6683a70) at threadpool.c:367
> #10 0x0000557ce3893186 in worker_active (worker=0x7f8efc0014a0) at threadpool.c:1137
> #11 0x0000557ce3892ef6 in worker_start (arg=0x7f8efc0014a0) at threadpool.c:1056
> #12 0x0000557ce389c896 in dummy_start (data=0x7f8efc001f90) at utils.c:1249
> #13 0x00007f8f16e834a4 in start_thread (arg=0x7f8eaba19700) at pthread_create.c:456
> #14 0x00007f8f15744d0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97
>
>
> (gdb) frame 2
> #2 0x00007f8f187178b0 in pjsip_inv_reinvite (inv=0x7f8f04110638, new_contact=0x0, new_offer=0x7f8edc0a8af8, p_tdata=0x7f8eaba18ba0) at ../src/pjsip-ua/sip_inv.c:3004
> 3004 status = pjmedia_sdp_neg_modify_local_offer2(
>
>
> (gdb) list 2980
> 2975
> 2976 } else switch (pjmedia_sdp_neg_get_state(inv->neg)) {
> 2977
> 2978 case PJMEDIA_SDP_NEG_STATE_NULL:
> 2979 pj_assert(!"Unexpected SDP neg state NULL");
> 2980 status = PJ_EBUG;
> 2981 goto on_return;
> 2982
> 2983 case PJMEDIA_SDP_NEG_STATE_LOCAL_OFFER:
> 2984 PJ_LOG(4,(inv->obj_name,
> 2985 "pjsip_inv_reinvite: already have an offer, new "
> 2986 "offer is ignored"));
> 2987 break;
> 2988
> 2989 case PJMEDIA_SDP_NEG_STATE_REMOTE_OFFER:
> 2990 status = pjmedia_sdp_neg_set_local_answer(inv->pool_prov,
> 2991 inv->neg,
> 2992 new_offer);
> 2993 if (status != PJ_SUCCESS)
> 2994 goto on_return;
> 2995 break;
> 2996
> 2997 case PJMEDIA_SDP_NEG_STATE_WAIT_NEGO:
> 2998 PJ_LOG(4,(inv->obj_name,
> 2999 "pjsip_inv_reinvite: SDP in WAIT_NEGO state, new "
> 3000 "offer is ignored"));
> 3001 break;
> 3002
> 3003 case PJMEDIA_SDP_NEG_STATE_DONE:
> 3004 status = pjmedia_sdp_neg_modify_local_offer2(
> 3005 inv->pool_prov, inv->neg,
> 3006 inv->sdp_neg_flags, new_offer);
> 3007 if (status != PJ_SUCCESS)
> 3008 goto on_return;
> 3009 break;
> 3010 }
> 3011 }
>
>
> (gdb) p inv->neg->state
> $30 = PJMEDIA_SDP_NEG_STATE_LOCAL_OFFER
> {noformat}
--
This message was sent by Atlassian JIRA
(v6.2#6252)
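The interleaving the report describes is a check-then-act race: the refresh task is queued while the session looks live, the hangup tears the media state down first, and the queued task then acts on negotiator state that no longer exists (the pj_strdup with src=0x0 in the backtrace). The following is an added example, not Asterisk or pjproject code, that plays that interleaving deterministically in a small model and contrasts a task that trusts its queue-time decision with one that re-validates the session under its lock at execution time. All names (sip_session, sdp_neg, delayed_refresh_*, run_scenario) and the offer strings are constructed for the illustration; the negotiator states are modelled on the PJMEDIA_SDP_NEG_STATE_* values from the gdb listing.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical negotiator states, modelled on the PJMEDIA_SDP_NEG_STATE_*
 * values in the report's gdb listing. */
enum neg_state { NEG_STATE_NULL, NEG_STATE_LOCAL_OFFER, NEG_STATE_DONE };

struct sdp_neg {
    enum neg_state state;
    char *local_offer;  /* constructed: text of the current local offer */
};

struct sip_session {
    pthread_mutex_t lock;
    bool terminated;    /* set by hangup */
    struct sdp_neg *neg;
};

enum refresh_result { REFRESH_SENT, REFRESH_SKIPPED, REFRESH_CRASH };

/* Stand-in for the DONE branch of a re-INVITE: it copies the new offer into
 * the negotiator. A NULL offer is the pj_strdup(src=0x0) from the backtrace;
 * here it is reported as a result code instead of being dereferenced. */
static enum refresh_result modify_local_offer(struct sdp_neg *neg, const char *offer)
{
    if (neg == NULL || neg->local_offer == NULL) {
        return REFRESH_CRASH;
    }
    free(neg->local_offer);
    neg->local_offer = strdup(offer);
    neg->state = NEG_STATE_LOCAL_OFFER;
    return REFRESH_SENT;
}

/* Hangup: tears down the media state and marks the session terminated. */
static void session_hangup(struct sip_session *s)
{
    pthread_mutex_lock(&s->lock);
    s->terminated = true;
    free(s->neg->local_offer);
    s->neg->local_offer = NULL;
    s->neg->state = NEG_STATE_NULL;
    pthread_mutex_unlock(&s->lock);
}

/* Unsafe: the decision "this session is live and can be refreshed" was made
 * when the task was queued; by the time it runs, hangup may have won. */
static enum refresh_result delayed_refresh_unsafe(struct sip_session *s, const char *offer)
{
    return modify_local_offer(s->neg, offer);
}

/* Hardened: re-validate session and negotiator state under the session lock
 * at execution time, and skip the refresh rather than touch torn-down state. */
static enum refresh_result delayed_refresh_safe(struct sip_session *s, const char *offer)
{
    enum refresh_result r;
    pthread_mutex_lock(&s->lock);
    if (s->terminated || s->neg == NULL || s->neg->state != NEG_STATE_DONE) {
        r = REFRESH_SKIPPED;
    } else {
        r = modify_local_offer(s->neg, offer);
    }
    pthread_mutex_unlock(&s->lock);
    return r;
}

/* Plays the report's interleaving deterministically: the refresh is queued
 * with the session live, hangup runs first (if requested), then the queued
 * refresh executes. */
enum refresh_result run_scenario(bool hangup_wins_race, bool hardened)
{
    struct sdp_neg neg = { NEG_STATE_DONE, strdup("v=0 (constructed local offer)") };
    struct sip_session s = { .terminated = false, .neg = &neg };
    enum refresh_result r;

    pthread_mutex_init(&s.lock, NULL);
    if (hangup_wins_race) {
        session_hangup(&s);
    }
    r = hardened ? delayed_refresh_safe(&s, "v=0 (constructed re-INVITE offer)")
                 : delayed_refresh_unsafe(&s, "v=0 (constructed re-INVITE offer)");

    free(neg.local_offer);
    pthread_mutex_destroy(&s.lock);
    return r;
}

int main(void)
{
    static const char *names[] = { "sent", "skipped", "crash (NULL deref)" };
    printf("no hangup, unsafe:   %s\n", names[run_scenario(false, false)]);
    printf("hangup wins, unsafe: %s\n", names[run_scenario(true, false)]);
    printf("hangup wins, safe:   %s\n", names[run_scenario(true, true)]);
    return 0;
}
```

The point of the hardened variant is where the check lives: a deferred task cannot rely on what was true when it was scheduled, so the liveness and negotiator-state test has to be repeated under the same lock that hangup takes, and a session found terminated is skipped rather than refreshed. In the real system the equivalent check would sit in the delayed-request path before the re-INVITE is built; this model only shows the shape of that guard, not Asterisk's actual fix.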