[asterisk-bugs] [JIRA] (ASTERISK-30156) sip_rtp_read: crash for video rtp session variable (vrtp) not initialized
Diego Busacca (JIRA)
noreply at issues.asterisk.org
Tue Jul 26 04:41:08 CDT 2022
Diego Busacca created ASTERISK-30156:
----------------------------------------
Summary: sip_rtp_read: crash for video rtp session variable (vrtp) not initialized
Key: ASTERISK-30156
URL: https://issues.asterisk.org/jira/browse/ASTERISK-30156
Project: Asterisk
Issue Type: Bug
Security Level: None
Components: Channels/chan_sip/SRTP
Affects Versions: 16.8.0
Environment: Centos 7.8 64 bit
Reporter: Diego Busacca
Severity: Major
Hello,
in a new installation we're experiencing some random crashes. Analyzing the core dump with gdb, we traced the issue back to a null pointer exception in sip_rtp_read of chan_sip.
We're using Asterisk 16.8-cert5, but the affected function is the same in main.
Using {{gdb}} and {{bt}} we got:
{noformat}
#0 ast_rtp_instance_read (instance=0x0, rtcp=rtcp@entry=1) at rtp_engine.c:583
#1 0x00007f06fca3f421 in sip_rtp_read (faxdetect=<synthetic pointer>, p=0x7f05943f8b50, ast=0x7f0568a88e90) at chan_sip.c:8625
#2 sip_read (ast=0x7f0568a88e90) at chan_sip.c:8722
#3 0x00000000004b1852 in __ast_read (chan=0x7f0568a88e90, dropaudio=dropaudio@entry=0, dropnondefault=dropnondefault@entry=1) at channel.c:3757
#4 0x00000000004b258c in ast_read (chan=<optimized out>) at channel.c:4285
#5 0x00007f06f7b00c8b in run_agi (argv=0x7f05268e3978, argc=<optimized out>, dead=0, status=0x7f05268e3830, pid=<optimized out>, agi=0x7f05268e38a0, request=<optimized out>, chan=0x7f0568a88e90) at res_agi.c:4180
#6 agi_exec_full (chan=<optimized out>, data=<optimized out>, enhanced=<optimized out>, dead=<optimized out>) at res_agi.c:4530
#7 0x0000000000535b29 in pbx_exec (c=c@entry=0x7f0568a88e90, app=app@entry=0x35e4fb0, data=data@entry=0x7f05268e5b30 "agi://127.0.0.1:9130/cc_service.agi?TELENIA=2_0_3_2_HOLIDAYBASIC_0_0_0") at pbx_app.c:492
#8 0x0000000000529190 in pbx_extension_helper (c=c@entry=0x7f0568a88e90, context=0x7f0568a89850 "telenia_services_op", exten=exten@entry=0x7f0568a898a0 "2_0_3_2_HOLIDAYBASIC_0_0_0", priority=priority@entry=1,
label=label@entry=0x0, callerid=callerid@entry=0x7f058c0431c0 "3059", action=action@entry=E_SPAWN, found=found@entry=0x7f05268e7bc0, combined_find_spawn=combined_find_spawn@entry=1, con=0x0) at pbx.c:2947
#9 0x000000000052b28a in ast_spawn_extension (combined_find_spawn=1, found=0x7f05268e7bc0, callerid=0x7f058c0431c0 "3059", priority=1, exten=0x7f0568a898a0 "2_0_3_2_HOLIDAYBASIC_0_0_0", context=<optimized out>,
c=0x7f0568a88e90) at pbx.c:4197
#10 __ast_pbx_run (c=c@entry=0x7f0568a88e90, args=args@entry=0x0) at pbx.c:4371
#11 0x000000000052c7cb in pbx_thread (data=data@entry=0x7f0568a88e90) at pbx.c:4695
#12 0x00000000005acecd in dummy_start (data=<optimized out>) at utils.c:1249
#13 0x00007f0763ac4ea5 in start_thread (arg=0x7f05268e8700) at pthread_create.c:307
#14 0x00007f0762e658dd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
{noformat}
Analyzing {{frame 1}} we got:
{noformat}
8625 f = ast_rtp_instance_read(p->vrtp, 1); /* RTCP Control Channel for video */
{noformat}
In sip_rtp_read there is a NULL guard for p->rtp but not for p->vrtp.
{noformat}
/*! \brief Read RTP from network */
static struct ast_frame *sip_rtp_read(struct ast_channel *ast, struct sip_pvt *p, int *faxdetect)
{
	/* Retrieve audio/etc from channel. Assumes p->lock is already held. */
	struct ast_frame *f;

	if (!p->rtp) {
		/* We have no RTP allocated for this channel */
		return &ast_null_frame;
	}

	switch(ast_channel_fdno(ast)) {
	case 0:
		f = ast_rtp_instance_read(p->rtp, 0);	/* RTP Audio */
		break;
	case 1:
		f = ast_rtp_instance_read(p->rtp, 1);	/* RTCP Control Channel */
		break;
	case 2:
		f = ast_rtp_instance_read(p->vrtp, 0);	/* RTP Video */
		break;
	case 3:
		f = ast_rtp_instance_read(p->vrtp, 1);	/* RTCP Control Channel for video */
		break;
{noformat}
We're thinking of adding a NULL safety guard in the vrtp switch cases:
{noformat}
	case 2:
		if (!p->vrtp) {
			/* We have no VRTP allocated for this channel */
			return &ast_null_frame;
		}
		f = ast_rtp_instance_read(p->vrtp, 0);	/* RTP Video */
		break;
	case 3:
		if (!p->vrtp) {
			/* We have no VRTP allocated for this channel */
			return &ast_null_frame;
		}
		f = ast_rtp_instance_read(p->vrtp, 1);	/* RTCP Control Channel for video */
		break;
{noformat}
Could there be unexpected behaviors?
--
This message was sent by Atlassian JIRA
(v6.2#6252)
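An added example, not part of the original report and not Asterisk code: a self-contained C model of the fd dispatch in sip_rtp_read that compares the current guard (only p->rtp) with a single per-descriptor guard covering the video session as well. All types and function names here (struct pvt, instance_read, rtp_read_unguarded, rtp_read_guarded) are stand-ins assumed for illustration; the stub counts NULL reads where the real ast_rtp_instance_read would dereference the pointer.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-in types (assumed for this model, not the real Asterisk structs). */
struct rtp_instance { int id; };
struct frame { int from_instance; int rtcp; };
struct pvt {
    struct rtp_instance *rtp;   /* audio session */
    struct rtp_instance *vrtp;  /* video session, NULL when never allocated */
};

static struct frame null_frame = { -1, 0 };  /* models ast_null_frame */
static struct frame last_frame;
static int null_reads;  /* reads attempted on a NULL instance */

/* Models ast_rtp_instance_read(); the real call would crash on NULL. */
static struct frame *instance_read(struct rtp_instance *instance, int rtcp)
{
    if (!instance) { null_reads++; return NULL; }
    last_frame.from_instance = instance->id;
    last_frame.rtcp = rtcp;
    return &last_frame;
}

/* Dispatch as quoted in the report: only p->rtp is checked. */
static struct frame *rtp_read_unguarded(struct pvt *p, int fdno)
{
    if (!p->rtp) return &null_frame;
    return instance_read(fdno < 2 ? p->rtp : p->vrtp, fdno & 1);
}

/* Guarded dispatch: select the session for the fd, then check it once. */
static struct frame *rtp_read_guarded(struct pvt *p, int fdno)
{
    struct rtp_instance *instance;
    switch (fdno) {
    case 0: case 1: instance = p->rtp;  break;  /* audio RTP / RTCP */
    case 2: case 3: instance = p->vrtp; break;  /* video RTP / RTCP */
    default: return &null_frame;
    }
    if (!instance) return &null_frame;
    return instance_read(instance, fdno & 1);   /* odd fd = RTCP */
}

int main(void)
{
    struct rtp_instance audio = { 1 };
    struct pvt p = { &audio, NULL };            /* constructed: audio-only call */
    rtp_read_unguarded(&p, 3);
    printf("unguarded NULL reads: %d\n", null_reads);
    printf("guarded returns null frame: %d\n", rtp_read_guarded(&p, 3) == &null_frame);
    return 0;
}
```
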