[asterisk-bugs] [JIRA] (ASTERISK-28743) Asterisk is crashing if the 200 OK with SDP

Joshua C. Colp (JIRA) noreply at issues.asterisk.org
Fri Feb 14 10:19:25 CST 2020 

     [ https://issues.asterisk.org/jira/browse/ASTERISK-28743?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Work on ASTERISK-28743 started by sungtae kim.

> Asterisk is crashing if the 200 OK with SDP
> -------------------------------------------
>
>                 Key: ASTERISK-28743
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-28743
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Resources/res_pjsip
>    Affects Versions: 16.8.0, 17.2.0
>            Reporter: sungtae kim
>            Assignee: sungtae kim
>              Labels: security
>
> When the Asterisk receives 200 OK with SDP, the pjsip module fires a couple of callback functions.
> But in some conditions, this makes a race condition and causing the crash eventually.
> For example,
> * If the outgoing call connected to the existed Bridge, the Asterisk sends a Re-Invite after receiving 200 OK.
> * But if the received SDP was not acceptable, the Asterisk proceeding a hangup procedure.
> * this 2 actions sending reinvite and doing hangup are making a race condition in the ast_sip_session_refresh().
> {noformat}
> (gdb) where
> #0  0x00007f8f187f10c2 in pj_strdup (pool=0x7f8f04068e80, dst=0x7f8edc219398, src=0x0) at ../include/pj/string_i.h:40
> #1  0x00007f8f1879ae84 in pjmedia_sdp_neg_modify_local_offer2 (pool=0x7f8f04068e80, neg=0x7f8f04571270, flags=1, local=0x7f8edc0a8af8) at ../src/pjmedia/sdp_neg.c:336
> #2  0x00007f8f187178b0 in pjsip_inv_reinvite (inv=0x7f8f04110638, new_contact=0x0, new_offer=0x7f8edc0a8af8, p_tdata=0x7f8eaba18ba0) at ../src/pjsip-ua/sip_inv.c:3004
> #3  0x00007f8ec6fcbdb1 in ast_sip_session_refresh (session=0x7f8f04097cd0, on_request_creation=0x0, on_sdp_creation=0x0, on_response=0x7f8eafdc6786 <on_topology_change_response>,
>     method=AST_SIP_SESSION_REFRESH_METHOD_INVITE, generate_new_sdp=1, media_state=0x7f8ee801aef0) at res_pjsip_session.c:1768
> #4  0x00007f8ec6fca580 in send_delayed_request (session=0x7f8f04097cd0, delay=0x7f8f04ee6020) at res_pjsip_session.c:1256
> #5  0x00007f8ec6fca8e2 in invite_terminated (vsession=0x7f8f04097cd0) at res_pjsip_session.c:1355
> #6  0x0000557ce3889d5a in ast_taskprocessor_execute (tps=0x7f8f042299a0) at taskprocessor.c:1237
> #7  0x0000557ce3893954 in execute_tasks (data=0x7f8f042299a0) at threadpool.c:1354
> #8  0x0000557ce3889d5a in ast_taskprocessor_execute (tps=0x557ce6683d30) at taskprocessor.c:1237
> #9  0x0000557ce3891507 in threadpool_execute (pool=0x557ce6683a70) at threadpool.c:367
> #10 0x0000557ce3893186 in worker_active (worker=0x7f8efc0014a0) at threadpool.c:1137
> #11 0x0000557ce3892ef6 in worker_start (arg=0x7f8efc0014a0) at threadpool.c:1056
> #12 0x0000557ce389c896 in dummy_start (data=0x7f8efc001f90) at utils.c:1249
> #13 0x00007f8f16e834a4 in start_thread (arg=0x7f8eaba19700) at pthread_create.c:456
> #14 0x00007f8f15744d0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97
>  
>  
> (gdb) frame 2
> #2  0x00007f8f187178b0 in pjsip_inv_reinvite (inv=0x7f8f04110638, new_contact=0x0, new_offer=0x7f8edc0a8af8, p_tdata=0x7f8eaba18ba0) at ../src/pjsip-ua/sip_inv.c:3004
> 3004            status = pjmedia_sdp_neg_modify_local_offer2(
>  
>  
> (gdb) list 2980
> 2975
> 2976        } else switch (pjmedia_sdp_neg_get_state(inv->neg)) {
> 2977
> 2978            case PJMEDIA_SDP_NEG_STATE_NULL:
> 2979            pj_assert(!"Unexpected SDP neg state NULL");
> 2980            status = PJ_EBUG;
> 2981            goto on_return;
> 2982
> 2983            case PJMEDIA_SDP_NEG_STATE_LOCAL_OFFER:
> 2984            PJ_LOG(4,(inv->obj_name,
> 2985                  "pjsip_inv_reinvite: already have an offer, new "
> 2986                  "offer is ignored"));
> 2987            break;
> 2988
> 2989            case PJMEDIA_SDP_NEG_STATE_REMOTE_OFFER:
> 2990            status = pjmedia_sdp_neg_set_local_answer(inv->pool_prov,
> 2991                                  inv->neg,
> 2992                                  new_offer);
> 2993            if (status != PJ_SUCCESS)
> 2994                goto on_return;
> 2995            break;
> 2996
> 2997            case PJMEDIA_SDP_NEG_STATE_WAIT_NEGO:
> 2998            PJ_LOG(4,(inv->obj_name,
> 2999                  "pjsip_inv_reinvite: SDP in WAIT_NEGO state, new "
> 3000                  "offer is ignored"));
> 3001            break;
> 3002
> 3003            case PJMEDIA_SDP_NEG_STATE_DONE:
> 3004            status = pjmedia_sdp_neg_modify_local_offer2(
> 3005                                 inv->pool_prov, inv->neg,
> 3006                                 inv->sdp_neg_flags, new_offer);
> 3007            if (status != PJ_SUCCESS)
> 3008                goto on_return;
> 3009            break;
> 3010        }
> 3011        }
>  
>  
> (gdb) p inv->neg->state
> $30 = PJMEDIA_SDP_NEG_STATE_LOCAL_OFFER
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.2#6252)

More information about the asterisk-bugs mailing list