[Asterisk-code-review] res/res_pjsip_session.c: Check that media type matches in function as... (asterisk[16])

George Joseph asteriskteam at digium.com
Thu Jan 7 09:15:50 CST 2021


Attention is currently required from: Robert Cripps.
George Joseph has posted comments on this change. ( https://gerrit.asterisk.org/c/asterisk/+/15230 )

Change subject: res/res_pjsip_session.c: Check that media type matches in function ast_sip_session_media_state_add.
......................................................................


Patch Set 1:

(1 comment)

File res/res_pjsip_session.c:

https://gerrit.asterisk.org/c/asterisk/+/15230/comment/73dcd761_24b3dcda 
PS1, Line 533: 	if (!session_media) {
> To dive a bit deeper, I've done some tracing of the path that fails my patch condition, and indeed it uses the session_media from the if statement below, i.e. the active state. So, given that it's an error to return a non-matching "type" from the first if statement, how exactly does it leak, and how do I prevent a leak?

Before your patch, if there's an existing session_media we just return it and there's no reference counting issues.  If there's no existing session_media, we either grab the one from the active state or we create a new one and call AST_VECTOR_REPLACE which would replace a NULL with the active or new one.  Again, no reference counting issues.

With your patch, if there's an existing session_media and the type doesn't match, we continue on and, in your case, grab the one from the active state using the same "session_media" variable.  When we call AST_VECTOR_REPLACE, we're overwriting the pointer to the non-matching session_media in that slot in the vector with a pointer to the active one.  Now, the original, non-matching one is orphaned and never has its reference count decremented.  If you compile Asterisk using the leak sanitizer (LEAK_SANITIZER under Compiler Flags), run your test with Asterisk in a foreground window, then stop Asterisk, you may see that object show up when the leak sanitizer dumps the orphaned memory allocations.

The fix is really easy...   Add a new variable "current_session_media" initialized to NULL and use _that_ to retrieve the existing one.  If it exists and the type matches, great.  That's what you return.  If not, you continue on.  After the AST_VECTOR_REPLACE returns successfully, just call ao2_cleanup(current_session_media) which tests for NULL and decrements the reference if it's not NULL.



-- 
To view, visit https://gerrit.asterisk.org/c/asterisk/+/15230
To unsubscribe, or for help writing mail filters, visit https://gerrit.asterisk.org/settings

Gerrit-Project: asterisk
Gerrit-Branch: 16
Gerrit-Change-Id: I6f6efa9b821ebe8881bb4c8c957f8802ddcb4b5d
Gerrit-Change-Number: 15230
Gerrit-PatchSet: 1
Gerrit-Owner: Robert Cripps <rcripps at voxbone.com>
Gerrit-Reviewer: Friendly Automation
Gerrit-Reviewer: George Joseph <gjoseph at digium.com>
Gerrit-Reviewer: Joshua Colp <jcolp at sangoma.com>
Gerrit-Attention: Robert Cripps <rcripps at voxbone.com>
Gerrit-Comment-Date: Thu, 07 Jan 2021 15:15:50 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: Robert Cripps <rcripps at voxbone.com>
Comment-In-Reply-To: George Joseph <gjoseph at digium.com>
Gerrit-MessageType: comment
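The orphaned-reference scenario George describes and the fix he suggests, as an added C example that is not part of the change under review nor of Asterisk's own code: the reference-counted object, the slot vector and the helper names (media_obj, media_alloc, media_cleanup, vector_replace, state_add_leaky, state_add_fixed, leaked_after) are hypothetical stand-ins for ao2 objects, ao2_cleanup() and AST_VECTOR_REPLACE. It runs both variants on the same input (an audio entry already in the slot, then a video request for that slot) and reports how many objects are still live after the vector has released its slots.

```c
/* Added example, not Asterisk code: a minimal model of the orphaned-reference leak
 * described in the review comment and of the suggested fix. media_obj, media_alloc,
 * media_cleanup and vector_replace are hypothetical stand-ins for ao2 objects,
 * ao2_cleanup() and AST_VECTOR_REPLACE. */
#include <stdio.h>
#include <string.h>

enum media_type { MEDIA_AUDIO = 1, MEDIA_VIDEO = 2 };

/* Stand-in for an ao2 object: a reference count plus a media type. */
struct media_obj { int refcount; enum media_type type; };

/* Objects come from a static pool (no heap); live_objects counts those whose
 * reference count has not yet reached zero. */
#define POOL_SIZE 8
static struct media_obj pool[POOL_SIZE];
static int pool_used;
static int live_objects;

static struct media_obj *media_alloc(enum media_type type)
{
	if (pool_used >= POOL_SIZE) return NULL;
	struct media_obj *m = &pool[pool_used++];
	m->refcount = 1;
	m->type = type;
	live_objects++;
	return m;
}

/* Stand-in for ao2_cleanup(): accepts NULL, drops one reference. */
static void media_cleanup(struct media_obj *m)
{
	if (m && --m->refcount == 0) live_objects--;
}

/* Fixed-size slot vector; each non-NULL slot owns one reference. Like
 * AST_VECTOR_REPLACE, vector_replace overwrites the slot pointer and does not
 * release whatever was stored there before, which is the property at issue. */
#define SLOTS 4
struct media_vector { struct media_obj *slot[SLOTS]; };

static void vector_replace(struct media_vector *v, int idx, struct media_obj *m)
{
	v->slot[idx] = m;
}

/* Variant 1, the pattern the reviewer warns about: one variable is reused for the
 * existing entry and its replacement, so a non-matching entry is orphaned on overwrite. */
static struct media_obj *state_add_leaky(struct media_vector *v, int idx, enum media_type type)
{
	struct media_obj *session_media = v->slot[idx];
	if (session_media && session_media->type == type) {
		return session_media;
	}
	/* Empty slot or type mismatch: take a replacement (the "active state" copy). */
	session_media = media_alloc(type);
	if (!session_media) return NULL;
	vector_replace(v, idx, session_media); /* old pointer lost, its reference never dropped */
	return session_media;
}

/* Variant 2, the suggested fix: keep the existing entry in its own variable and
 * release it only after the replacement has been stored. */
static struct media_obj *state_add_fixed(struct media_vector *v, int idx, enum media_type type)
{
	struct media_obj *current_session_media = v->slot[idx];
	struct media_obj *session_media;
	if (current_session_media && current_session_media->type == type) {
		return current_session_media;
	}
	session_media = media_alloc(type);
	if (!session_media) return NULL;
	vector_replace(v, idx, session_media);
	media_cleanup(current_session_media); /* NULL-safe; releases the displaced entry */
	return session_media;
}

/* Drives one variant: an audio entry goes into slot 0, then a video request for the
 * same slot forces the replacement path. Returns how many objects are still live
 * after every slot has been released; a correct variant leaves 0. */
static int leaked_after(struct media_obj *(*add)(struct media_vector *, int, enum media_type))
{
	struct media_vector v;
	memset(&v, 0, sizeof(v));
	pool_used = 0;
	live_objects = 0;
	add(&v, 0, MEDIA_AUDIO);
	add(&v, 0, MEDIA_VIDEO); /* existing entry is audio: mismatch, replacement path */
	for (int i = 0; i < SLOTS; i++) {
		media_cleanup(v.slot[i]);
	}
	return live_objects;
}

int main(void)
{
	printf("leaky variant leaves %d live object(s)\n", leaked_after(state_add_leaky));
	printf("fixed variant leaves %d live object(s)\n", leaked_after(state_add_fixed));
	return 0;
}
```

The model counts references instead of allocating, so the difference is visible without tooling: the leaky variant ends with one object whose count never returns to zero, the fixed one with none. On real Asterisk the equivalent check is the one the comment describes, building with LEAK_SANITIZER and looking for the orphaned session_media in the dump at shutdown.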