[Asterisk-code-review] pjproject bundled: Add patch to address SSL crash (asterisk[14])

George Joseph asteriskteam at digium.com
Mon Oct 17 11:41:16 CDT 2016 

George Joseph has uploaded a new change for review.

  https://gerrit.asterisk.org/4135

Change subject: pjproject_bundled:  Add patch to address SSL crash
......................................................................

pjproject_bundled:  Add patch to address SSL crash

Addresses crashes when an attempt is made to operate on an SSL socket
after the socket has been closed.

Change-Id: I421305b357558b4f9e690210dc0f4831ef4b3002
---
A third-party/pjproject/patches/0005-Re-1969-Fix-crash-on-using-an-already-destroyed-SSL-.patch
1 file changed, 164 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/35/4135/1

diff --git a/third-party/pjproject/patches/0005-Re-1969-Fix-crash-on-using-an-already-destroyed-SSL-.patch b/third-party/pjproject/patches/0005-Re-1969-Fix-crash-on-using-an-already-destroyed-SSL-.patch
new file mode 100644
index 0000000..551e61a
--- /dev/null
+++ b/third-party/pjproject/patches/0005-Re-1969-Fix-crash-on-using-an-already-destroyed-SSL-.patch
@@ -0,0 +1,164 @@
+From 9e67e0d5c3fdc747530a956038b374fca4748b76 Mon Sep 17 00:00:00 2001
+From: riza <riza at localhost>
+Date: Thu, 13 Oct 2016 09:02:50 +0000
+Subject: [PATCH 1/4] Re #1969: Fix crash on using an already destroyed SSL
+ socket.
+
+---
+ pjlib/src/pj/ssl_sock_ossl.c | 66 ++++++++++++++++++++++++++++----------------
+ 1 file changed, 42 insertions(+), 24 deletions(-)
+
+diff --git a/pjlib/src/pj/ssl_sock_ossl.c b/pjlib/src/pj/ssl_sock_ossl.c
+index fa0db2d..ceab67a 100644
+--- a/pjlib/src/pj/ssl_sock_ossl.c
++++ b/pjlib/src/pj/ssl_sock_ossl.c
+@@ -822,7 +822,10 @@ static void close_sockets(pj_ssl_sock_t *ssock)
+     pj_lock_acquire(ssock->write_mutex);
+     asock = ssock->asock;
+     if (asock) {
+-        ssock->asock = NULL;
++        // Don't set ssock->asock to NULL, as it may trigger assertion in
++        // send operation. This should be safe as active socket will simply
++        // return PJ_EINVALIDOP on any operation if it is already closed.
++        //ssock->asock = NULL;
+         ssock->sock = PJ_INVALID_SOCKET;
+     }
+     sock = ssock->sock;
+@@ -841,9 +844,9 @@ static void close_sockets(pj_ssl_sock_t *ssock)
+ /* Reset SSL socket state */
+ static void reset_ssl_sock_state(pj_ssl_sock_t *ssock)
+ {
++    pj_lock_acquire(ssock->write_mutex);
+     ssock->ssl_state = SSL_STATE_NULL;
+-
+-    destroy_ssl(ssock);
++    pj_lock_release(ssock->write_mutex);
+ 
+     close_sockets(ssock);
+ 
+@@ -1612,6 +1615,21 @@ static pj_status_t do_handshake(pj_ssl_sock_t *ssock)
+     return PJ_EPENDING;
+ }
+ 
++static void ssl_on_destroy(void *arg)
++{
++    pj_pool_t *pool = NULL;
++    pj_ssl_sock_t *ssock = (pj_ssl_sock_t*)arg;
++
++    destroy_ssl(ssock);
++
++    pj_lock_destroy(ssock->write_mutex);
++
++    pool = ssock->pool;
++    ssock->pool = NULL;
++    if (pool)
++	pj_pool_release(pool);
++}
++
+ 
+ /*
+  *******************************************************************
+@@ -1830,7 +1848,7 @@ static pj_bool_t asock_on_accept_complete (pj_activesock_t *asock,
+ 
+     /* Create new SSL socket instance */
+     status = pj_ssl_sock_create(ssock_parent->pool,
+-    				&ssock_parent->newsock_param, &ssock);
++				&ssock_parent->newsock_param, &ssock);
+     if (status != PJ_SUCCESS)
+ 	goto on_return;
+ 
+@@ -1906,12 +1924,10 @@ static pj_bool_t asock_on_accept_complete (pj_activesock_t *asock,
+ 	if (status != PJ_SUCCESS)
+ 	    goto on_return;
+ 
+-	/* Temporarily add ref the group lock until active socket creation,
+-	 * to make sure that group lock is destroyed if the active socket
+-	 * creation fails.
+-	 */
+ 	pj_grp_lock_add_ref(glock);
+ 	asock_cfg.grp_lock = ssock->param.grp_lock = glock;
++	pj_grp_lock_add_handler(ssock->param.grp_lock, ssock->pool, ssock,
++				ssl_on_destroy);
+     }
+ 
+     pj_bzero(&asock_cb, sizeof(asock_cb));
+@@ -1927,11 +1943,6 @@ static pj_bool_t asock_on_accept_complete (pj_activesock_t *asock,
+ 				  ssock,
+ 				  &ssock->asock);
+ 
+-    /* This will destroy the group lock if active socket creation fails */
+-    if (asock_cfg.grp_lock) {
+-	pj_grp_lock_dec_ref(asock_cfg.grp_lock);
+-    }
+-
+     if (status != PJ_SUCCESS)
+ 	goto on_return;
+ 
+@@ -2251,17 +2262,26 @@ PJ_DEF(pj_status_t) pj_ssl_sock_create (pj_pool_t *pool,
+     /* Create secure socket mutex */
+     status = pj_lock_create_recursive_mutex(pool, pool->obj_name,
+ 					    &ssock->write_mutex);
+-    if (status != PJ_SUCCESS)
++    if (status != PJ_SUCCESS) {
++	pj_pool_release(pool);
+ 	return status;
++    }
+ 
+     /* Init secure socket param */
+     pj_ssl_sock_param_copy(pool, &ssock->param, param);
++
++    if (ssock->param.grp_lock) {
++	pj_grp_lock_add_ref(ssock->param.grp_lock);
++	pj_grp_lock_add_handler(ssock->param.grp_lock, pool, ssock,
++				ssl_on_destroy);
++    }
++
+     ssock->param.read_buffer_size = ((ssock->param.read_buffer_size+7)>>3)<<3;
+     if (!ssock->param.timer_heap) {
+ 	PJ_LOG(3,(ssock->pool->obj_name, "Warning: timer heap is not "
+ 		  "available. It is recommended to supply one to avoid "
+-		  "a race condition if more than one worker threads "
+-		  "are used."));
++	          "a race condition if more than one worker threads "
++	          "are used."));
+     }
+ 
+     /* Finally */
+@@ -2277,8 +2297,6 @@ PJ_DEF(pj_status_t) pj_ssl_sock_create (pj_pool_t *pool,
+  */
+ PJ_DEF(pj_status_t) pj_ssl_sock_close(pj_ssl_sock_t *ssock)
+ {
+-    pj_pool_t *pool;
+-
+     PJ_ASSERT_RETURN(ssock, PJ_EINVAL);
+ 
+     if (!ssock->pool)
+@@ -2290,12 +2308,11 @@ PJ_DEF(pj_status_t) pj_ssl_sock_close(pj_ssl_sock_t *ssock)
+     }
+ 
+     reset_ssl_sock_state(ssock);
+-    pj_lock_destroy(ssock->write_mutex);
+-    
+-    pool = ssock->pool;
+-    ssock->pool = NULL;
+-    if (pool)
+-	pj_pool_release(pool);
++    if (ssock->param.grp_lock) {
++	pj_grp_lock_dec_ref(ssock->param.grp_lock);
++    } else {
++	ssl_on_destroy(ssock);
++    }
+ 
+     return PJ_SUCCESS;
+ }
+@@ -2782,6 +2799,7 @@ pj_ssl_sock_start_accept2(pj_ssl_sock_t *ssock,
+ 
+     /* Start accepting */
+     pj_ssl_sock_param_copy(pool, &ssock->newsock_param, newsock_param);
++    ssock->newsock_param.grp_lock = NULL;
+     status = pj_activesock_start_accept(ssock->asock, pool);
+     if (status != PJ_SUCCESS)
+ 	goto on_error;
+-- 
+2.7.4
+

-- 
To view, visit https://gerrit.asterisk.org/4135
To unsubscribe, visit https://gerrit.asterisk.org/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I421305b357558b4f9e690210dc0f4831ef4b3002
Gerrit-PatchSet: 1
Gerrit-Project: asterisk
Gerrit-Branch: 14
Gerrit-Owner: George Joseph <gjoseph at digium.com>

More information about the asterisk-code-review mailing list