[asterisk-bugs] [JIRA] (ASTERISK-28794) res_pjsip: Crash when escaping during URI printing

nappsoft (JIRA) noreply at issues.asterisk.org
Wed May 27 04:48:25 CDT 2020


    [ https://issues.asterisk.org/jira/browse/ASTERISK-28794?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=250954#comment-250954 ] 

nappsoft commented on ASTERISK-28794:
-------------------------------------

Thanks to some SIP Traces I actually know a bit better what's going on:

It seems like memory sometimes gets corrupted when resending OPTIONS packets, as I have several cases where the following happens (traces filtered by Call-ID, so I can distinguish resends from new OPTIONS requests):

- the first few OPTIONS packets leave the system correctly (Contact header: Contact: <sip:290@xxx.xxx.xxx.xxx:5060>)
- then suddenly the user-part of the Contact header gets corrupted and the header looks like (example, content can vary): Contact: <sip:%20%20%20@xxx.xxx.xxx.xxx:5060>
- everything else is OK; only the user-part of the Contact header gets corrupted

Usually Asterisk will send out 5 OPTIONS packets (so 4 retries). When this happens everything is OK. However, sometimes it sends more (7 to 8 in the cases I've seen), where the 5th or 6th becomes corrupt.

However, one other strange thing I've discovered: sometimes the OPTIONS retries happen every 4 seconds, but sometimes they seem to start with T1 (first retry after 0.5s, second after 1.5s, third after 3.5s, and then it starts to send OPTIONS every 4 seconds). But whether this happens or not seems not to have an influence on the Contact header corruption: in either case it sometimes happens and sometimes doesn't. Anyway, this is somehow weird...

> res_pjsip: Crash when escaping during URI printing
> --------------------------------------------------
>
>                 Key: ASTERISK-28794
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-28794
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: pjproject/pjsip, Resources/res_pjsip
>    Affects Versions: 16.9.0
>         Environment: musl libc based linux
>            Reporter: nappsoft
>            Assignee: Unassigned
>            Severity: Minor
>              Labels: patch
>         Attachments: refresh_expires.diff
>
>
> Hi,
> We are observing a frequent crash which seems to be a regression, as this didn't happen with asterisk 16.9.0.
> In the system where this happens most frequently (almost exactly every 15 minutes) we have an outbound registration that is not answering (currently not reachable). As soon as we remove the references to this system (aor, endpoint, registration, ...) it doesn't happen any longer.
> However, we also observed the same crashes on other systems with asterisk 16.9.0 where we do not have such a system configured. So it seems like this can happen with other (possibly temporarily) unreachable contacts as well.
> The backtrace is the following:
> #0  0x00007f937e830725 in pj_strncpy2_escape () from /usr/lib/libpjlib-util.so.2
> No symbol table info available.
> #1  0x00007f937e8e2239 in pjsip_url_print () from /usr/lib/libpjsip.so.2
> No symbol table info available.
> #2  0x00007f937e8e19e4 in pjsip_name_addr_print () from /usr/lib/libpjsip.so.2
> No symbol table info available.
> #3  0x00007f937e8da580 in pjsip_contact_hdr_print () from /usr/lib/libpjsip.so.2
> No symbol table info available.
> #4  0x00007f937e8db6f6 in pjsip_msg_print () from /usr/lib/libpjsip.so.2
> No symbol table info available.
> #5  0x00007f937e8e80bb in pjsip_tx_data_encode () from /usr/lib/libpjsip.so.2
> No symbol table info available.
> #6  0x00007f937e8e2b26 in endpt_on_tx_msg () from /usr/lib/libpjsip.so.2
> No symbol table info available.
> #7  0x00007f937e8e8ab5 in pjsip_transport_send () from /usr/lib/libpjsip.so.2
> No symbol table info available.
> #8  0x00007f937e8f5bd0 in tsx_send_msg () from /usr/lib/libpjsip.so.2
> No symbol table info available.
> #9  0x00007f937e8f560e in tsx_timer_callback () from /usr/lib/libpjsip.so.2
> No symbol table info available.
> #10 0x00007f937e7c9b04 in pj_timer_heap_poll () from /usr/lib/libpj.so.2
> No symbol table info available.
> #11 0x00007f937e8e33eb in pjsip_endpt_handle_events2 () from /usr/lib/libpjsip.so.2
> No symbol table info available.
> #12 0x00007f937e24bfb8 in monitor_thread_exec (endpt=<optimized out>) at res_pjsip.c:4721
>         delay = {sec = 0, msec = 10}
> #13 0x00007f937e7b8946 in thread_main () from /usr/lib/libpj.so.2
> No symbol table info available.
> #14 0x00007f938029cb82 in sem_open () from /lib/ld-musl-x86_64.so.1
> No symbol table info available.
> #15 0x00007f937d1f9000 in ?? ()
> No symbol table info available.
> #16 0x00007f938029ec48 in __strftime_fmt_1 () from /lib/ld-musl-x86_64.so.1
> No symbol table info available.
> #17 0x0000000000000000 in ?? ()
> No symbol table info available.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
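The comment above works from SIP traces filtered by Call-ID to count OPTIONS retransmissions, spot a Contact user-part that changes between retransmissions, and compare the retry cadence (T1-based back-off versus a flat 4-second interval). The script below is an added example of that triage, not code from the Asterisk project or from the reporter; the trace entries are constructed to mirror the two cases described (a normal 5-packet run and a 7-packet run whose 6th packet carries a percent-escaped user-part), and the addresses and Call-IDs are made up.

```python
import re
from collections import defaultdict

# Constructed sample trace (not a real capture): (time in seconds, Call-ID, Contact header).
# Call-ID "a1": the normal case, 5 OPTIONS (4 retries) with T1 back-off and an unchanged Contact.
# Call-ID "b2": 7 OPTIONS sent every 4 s, where the 6th and 7th carry a corrupted user-part.
TRACE = [
    (0.0,  "a1", "Contact: <sip:290@192.0.2.10:5060>"),
    (0.5,  "a1", "Contact: <sip:290@192.0.2.10:5060>"),
    (1.5,  "a1", "Contact: <sip:290@192.0.2.10:5060>"),
    (3.5,  "a1", "Contact: <sip:290@192.0.2.10:5060>"),
    (7.5,  "a1", "Contact: <sip:290@192.0.2.10:5060>"),
    (60.0, "b2", "Contact: <sip:290@192.0.2.10:5060>"),
    (64.0, "b2", "Contact: <sip:290@192.0.2.10:5060>"),
    (68.0, "b2", "Contact: <sip:290@192.0.2.10:5060>"),
    (72.0, "b2", "Contact: <sip:290@192.0.2.10:5060>"),
    (76.0, "b2", "Contact: <sip:290@192.0.2.10:5060>"),
    (80.0, "b2", "Contact: <sip:%20%20%20@192.0.2.10:5060>"),
    (84.0, "b2", "Contact: <sip:%20%20%20@192.0.2.10:5060>"),
]

# Expected number of transmissions for an unanswered non-INVITE request
# (original plus the retries the comment reports as usual). Assumption for this example.
EXPECTED_PACKETS = 5

USER_RE = re.compile(r"<sip:([^@>]*)@")


def contact_user(header):
    """Return the user-part of a Contact header's SIP URI, or None if absent."""
    m = USER_RE.search(header)
    return m.group(1) if m else None


def analyze(trace):
    """Group a trace by Call-ID and report, per request: packet count, the
    user-part of the first transmission, indices of packets whose user-part
    differs from it (retransmissions must be identical, so any change is
    corruption), packets containing percent-escapes, inter-packet intervals
    and how many packets exceed the expected count."""
    by_call = defaultdict(list)
    for ts, call_id, contact in trace:
        by_call[call_id].append((ts, contact_user(contact)))

    report = {}
    for call_id, pkts in by_call.items():
        pkts.sort(key=lambda p: p[0])
        first_user = pkts[0][1]
        report[call_id] = {
            "count": len(pkts),
            "user": first_user,
            "corrupted": [i for i, (_, u) in enumerate(pkts) if u != first_user],
            "escaped": [i for i, (_, u) in enumerate(pkts) if u and "%" in u],
            "intervals": [round(b[0] - a[0], 3) for a, b in zip(pkts, pkts[1:])],
            "excess_packets": max(0, len(pkts) - EXPECTED_PACKETS),
        }
    return report


def cadence(intervals):
    """Classify the retry schedule: 't1' for exponential back-off starting at
    0.5 s, 'flat' when every interval is the same, else 'mixed'."""
    if not intervals:
        return "none"
    if intervals[:3] == [0.5, 1.0, 2.0]:
        return "t1"
    if len(set(intervals)) == 1:
        return "flat"
    return "mixed"


if __name__ == "__main__":
    for call_id, r in analyze(TRACE).items():
        print(f"{call_id}: {r['count']} packets, cadence={cadence(r['intervals'])}, "
              f"corrupted={r['corrupted']}, excess={r['excess_packets']}")
```

Run against a real trace, the input would be built from each OPTIONS request's capture time, Call-ID and Contact header; a non-empty `corrupted` list, or a count above the expected five, marks the Call-IDs worth inspecting together with the core dump.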


