[asterisk-bugs] [JIRA] (ASTERISK-30156) sip_rtp_read: crash for video rtp session variable (vrtp) not initialized

Joshua C. Colp (JIRA) noreply at issues.asterisk.org
Tue Jul 26 07:13:09 CDT 2022


     [ https://issues.asterisk.org/jira/browse/ASTERISK-30156?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Joshua C. Colp updated ASTERISK-30156:
--------------------------------------

    Status: Open  (was: Triage)

> sip_rtp_read: crash for video rtp session variable (vrtp) not initialized
> -------------------------------------------------------------------------
>
>                 Key: ASTERISK-30156
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-30156
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Channels/chan_sip/SRTP
>    Affects Versions: 16.8.0
>         Environment: Centos 7.8 64 bit
>            Reporter: Diego Busacca
>            Severity: Major
>
> Hello,
> in a new installation we're experiencing some random crashes. Analyzing the core dump with gdb, we traced the issue back to a null pointer exception in sip_rtp_read of chan_sip.
> We're using asterisk 16.8-cert5, but the affected function is the same in main.
> Using {{gdb}} and {{bt}} we got:
> {noformat}
> #0  ast_rtp_instance_read (instance=0x0, rtcp=rtcp at entry=1) at rtp_engine.c:583
> #1  0x00007f06fca3f421 in sip_rtp_read (faxdetect=<synthetic pointer>, p=0x7f05943f8b50, ast=0x7f0568a88e90) at chan_sip.c:8625
> #2  sip_read (ast=0x7f0568a88e90) at chan_sip.c:8722
> #3  0x00000000004b1852 in __ast_read (chan=0x7f0568a88e90, dropaudio=dropaudio at entry=0, dropnondefault=dropnondefault at entry=1) at channel.c:3757
> #4  0x00000000004b258c in ast_read (chan=<optimized out>) at channel.c:4285
> #5  0x00007f06f7b00c8b in run_agi (argv=0x7f05268e3978, argc=<optimized out>, dead=0, status=0x7f05268e3830, pid=<optimized out>, agi=0x7f05268e38a0, request=<optimized out>, chan=0x7f0568a88e90) at res_agi.c:4180
> #6  agi_exec_full (chan=<optimized out>, data=<optimized out>, enhanced=<optimized out>, dead=<optimized out>) at res_agi.c:4530
> #7  0x0000000000535b29 in pbx_exec (c=c at entry=0x7f0568a88e90, app=app at entry=0x35e4fb0, data=data at entry=0x7f05268e5b30 "agi://127.0.0.1:9130/cc_service.agi?TELENIA=2_0_3_2_HOLIDAYBASIC_0_0_0") at pbx_app.c:492
> #8  0x0000000000529190 in pbx_extension_helper (c=c at entry=0x7f0568a88e90, context=0x7f0568a89850 "telenia_services_op", exten=exten at entry=0x7f0568a898a0 "2_0_3_2_HOLIDAYBASIC_0_0_0", priority=priority at entry=1,
>     label=label at entry=0x0, callerid=callerid at entry=0x7f058c0431c0 "3059", action=action at entry=E_SPAWN, found=found at entry=0x7f05268e7bc0, combined_find_spawn=combined_find_spawn at entry=1, con=0x0) at pbx.c:2947
> #9  0x000000000052b28a in ast_spawn_extension (combined_find_spawn=1, found=0x7f05268e7bc0, callerid=0x7f058c0431c0 "3059", priority=1, exten=0x7f0568a898a0 "2_0_3_2_HOLIDAYBASIC_0_0_0", context=<optimized out>,
>     c=0x7f0568a88e90) at pbx.c:4197
> #10 __ast_pbx_run (c=c at entry=0x7f0568a88e90, args=args at entry=0x0) at pbx.c:4371
> #11 0x000000000052c7cb in pbx_thread (data=data at entry=0x7f0568a88e90) at pbx.c:4695
> #12 0x00000000005acecd in dummy_start (data=<optimized out>) at utils.c:1249
> #13 0x00007f0763ac4ea5 in start_thread (arg=0x7f05268e8700) at pthread_create.c:307
> #14 0x00007f0762e658dd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
> {noformat}
> Analyzing {{frame 1}} we got:
> {noformat}
> 8625                    f = ast_rtp_instance_read(p->vrtp, 1);  /* RTCP Control Channel for video */
> {noformat}
> In sip_rtp_read there is a NULL guard for p->rtp but not for p->vrtp.
> {noformat}
> /*! \brief Read RTP from network */
> static struct ast_frame *sip_rtp_read(struct ast_channel *ast, struct sip_pvt *p, int *faxdetect)
> {
> 	/* Retrieve audio/etc from channel.  Assumes p->lock is already held. */
> 	struct ast_frame *f;
> 	if (!p->rtp) {
> 		/* We have no RTP allocated for this channel */
> 		return &ast_null_frame;
> 	}
> 	switch(ast_channel_fdno(ast)) {
> 	case 0:
> 		f = ast_rtp_instance_read(p->rtp, 0);	/* RTP Audio */
> 		break;
> 	case 1:
> 		f = ast_rtp_instance_read(p->rtp, 1);	/* RTCP Control Channel */
> 		break;
> 	case 2:
> 		f = ast_rtp_instance_read(p->vrtp, 0);	/* RTP Video */
> 		break;
> 	case 3:
> 		f = ast_rtp_instance_read(p->vrtp, 1);	/* RTCP Control Channel for video */
> 		break;
> {noformat}
> We're thinking of adding a NULL safety guard in the vrtp switch cases:
> {noformat}
> 	case 2:
> 		if (!p->vrtp) {
> 			/* We have no VRTP allocated for this channel */
> 			return &ast_null_frame;
> 		}
> 		f = ast_rtp_instance_read(p->vrtp, 0);	/* RTP Video */
> 		break;
> 	case 3:
> 		if (!p->vrtp) {
> 			/* We have no VRTP allocated for this channel */
> 			return &ast_null_frame;
> 		}
> 		f = ast_rtp_instance_read(p->vrtp, 1);	/* RTCP Control Channel for video */
> 		break;
> {noformat}
> Could there be unexpected behaviors?



--
This message was sent by Atlassian JIRA
(v6.2#6252)
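The report shows the dispatch on the channel fd number reading from p->rtp for fds 0/1 and p->vrtp for fds 2/3, with a NULL check only for p->rtp. The following is a constructed C model added here as an example; it is not Asterisk code, and the struct names (sip_pvt, ast_rtp_instance, ast_null_frame) are stubs borrowed from the report so the logic is recognisable. It resolves fdno to an (instance, rtcp) pair first and then applies a single NULL guard, which for fds 2 and 3 is equivalent to the per-case guard proposed above; the harness function read_is_null() builds an audio-only pvt (vrtp never allocated) and checks which fds now yield the null frame instead of a NULL dereference.

```c
#include <stdio.h>
#include <stddef.h>

/*
 * Constructed model of the sip_rtp_read() dispatch (example code, not
 * Asterisk's). Only the four fd cases shown in the report are modelled.
 */

struct ast_frame {
	int rtcp;          /* 1 for an RTCP frame, 0 for RTP */
	const char *src;   /* name of the instance that produced it */
};

struct ast_rtp_instance {
	const char *name;
	int reads;         /* counts reads so the harness can check dispatch */
};

struct sip_pvt {
	struct ast_rtp_instance *rtp;   /* audio session, may be NULL */
	struct ast_rtp_instance *vrtp;  /* video session, NULL on audio-only calls */
};

static struct ast_frame ast_null_frame = { 0, "null" };

/* Stub for the real reader: dereferences the instance unconditionally, which
 * is where the report's backtrace (instance=0x0) crashes. */
static struct ast_frame *ast_rtp_instance_read(struct ast_rtp_instance *instance, int rtcp)
{
	static struct ast_frame f;
	instance->reads++;
	f.rtcp = rtcp;
	f.src = instance->name;
	return &f;
}

/* Hardened dispatch: pick the instance by fdno, then one NULL guard that
 * covers p->rtp and p->vrtp alike. */
static struct ast_frame *sip_rtp_read_guarded(struct sip_pvt *p, int fdno)
{
	struct ast_rtp_instance *instance;
	int rtcp;

	switch (fdno) {
	case 0: instance = p->rtp;  rtcp = 0; break; /* RTP audio */
	case 1: instance = p->rtp;  rtcp = 1; break; /* RTCP audio */
	case 2: instance = p->vrtp; rtcp = 0; break; /* RTP video */
	case 3: instance = p->vrtp; rtcp = 1; break; /* RTCP video */
	default: return &ast_null_frame;             /* other fds not modelled here */
	}
	if (!instance) {
		/* No RTP instance allocated for this fd: return the null frame
		 * rather than dereferencing NULL. */
		return &ast_null_frame;
	}
	return ast_rtp_instance_read(instance, rtcp);
}

static int is_null_frame(const struct ast_frame *f)
{
	return f == &ast_null_frame;
}

/* Harness: build a pvt with or without audio/video sessions (constructed
 * input) and report whether reading fd `fdno` yields the null frame. */
static int read_is_null(int have_audio, int have_video, int fdno)
{
	struct ast_rtp_instance audio = { "audio", 0 };
	struct ast_rtp_instance video = { "video", 0 };
	struct sip_pvt p = { have_audio ? &audio : NULL, have_video ? &video : NULL };

	return is_null_frame(sip_rtp_read_guarded(&p, fdno));
}

int main(void)
{
	int fdno;

	/* Audio-only call: fds 2 and 3 must not crash. */
	for (fdno = 0; fdno < 4; fdno++) {
		printf("audio-only, fdno %d -> %s\n", fdno,
		       read_is_null(1, 0, fdno) ? "null frame" : "frame read");
	}
	return 0;
}
```

Note that the model replaces the top-of-function `if (!p->rtp)` early return with the single post-dispatch check; whether that is acceptable for the other fd cases in chan_sip (not shown on the page) has to be judged against the full function.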