<p>George Joseph <strong>submitted</strong> this change.</p><p><a href="https://gerrit.asterisk.org/c/asterisk/+/19513">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span></span><br></pre><div style="white-space:pre-wrap">Approvals:
George Joseph: Looks good to me, approved; Approved for Submit
</div><pre style="font-family: monospace,monospace; white-space: pre-wrap;">res_pjsip: prevent crash on websocket disconnect<br><br>When a websocket (or potentially any stateful connection) is quickly<br>created then destroyed, it is possible that the qualify thread will<br>destroy the transaction before the initializing thread is finished<br>with it.<br><br>Depending on the timing, this can cause an assertion within pjsip.<br><br>To prevent this, ast_send_stateful_response will now create the group<br>lock and add a reference to it before creating the transaction.<br><br>While this should resolve the crash, there is still the potential that<br>the contact will not be cleaned up properly, see:ASTERISK~29286. As a<br>result, the contact has to 'time out' before it will be removed.<br><br>ASTERISK-28689<br><br>Change-Id: Id050fded2247a04d8f0fc5b8a2cf3e5482cb8cee<br>---<br>M res/res_pjsip.c<br>1 file changed, 64 insertions(+), 8 deletions(-)<br><br></pre>
<pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/res/res_pjsip.c b/res/res_pjsip.c</span><br><span>index 0ad5ec2..208a277 100644</span><br><span>--- a/res/res_pjsip.c</span><br><span>+++ b/res/res_pjsip.c</span><br><span>@@ -2258,31 +2258,62 @@</span><br><span> return status == PJ_SUCCESS ? 0 : -1;</span><br><span> }</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+static void pool_destroy_callback(void *arg)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_pool_t *pool = (pj_pool_t *)arg;</span><br><span style="color: hsl(120, 100%, 40%);">+ pjsip_endpt_release_pool(ast_sip_get_pjsip_endpoint(), pool);</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+static void clean_contact_from_tdata(pjsip_tx_data *tdata)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+ struct ast_sip_contact *contact;</span><br><span style="color: hsl(120, 100%, 40%);">+ contact = ast_sip_mod_data_get(tdata->mod_data, supplement_module.id, MOD_DATA_CONTACT);</span><br><span style="color: hsl(120, 100%, 40%);">+ ao2_cleanup(contact);</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_sip_mod_data_set(tdata->pool, tdata->mod_data, supplement_module.id, MOD_DATA_CONTACT, NULL);</span><br><span style="color: hsl(120, 100%, 40%);">+ pjsip_tx_data_dec_ref(tdata);</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> int ast_sip_send_stateful_response(pjsip_rx_data *rdata, pjsip_tx_data *tdata, struct ast_sip_endpoint *sip_endpoint)</span><br><span> {</span><br><span> pjsip_transaction *tsx;</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_grp_lock_t *tsx_glock;</span><br><span style="color: hsl(120, 100%, 40%);">+ 
pj_pool_t *pool;</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">- if (pjsip_tsx_create_uas(NULL, rdata, &tsx) != PJ_SUCCESS) {</span><br><span style="color: hsl(0, 100%, 40%);">- struct ast_sip_contact *contact;</span><br><span style="color: hsl(0, 100%, 40%);">-</span><br><span style="color: hsl(120, 100%, 40%);">+ /* Create and initialize global lock pool */</span><br><span style="color: hsl(120, 100%, 40%);">+ pool = pjsip_endpt_create_pool(ast_sip_get_pjsip_endpoint(), "stateful response", PJSIP_POOL_TSX_LEN, PJSIP_POOL_TSX_INC);</span><br><span style="color: hsl(120, 100%, 40%);">+ if (!pool){</span><br><span> /* ast_sip_create_response bumps the refcount of the contact and adds it to the tdata.</span><br><span> * We'll leak that reference if we don't get rid of it here.</span><br><span> */</span><br><span style="color: hsl(0, 100%, 40%);">- contact = ast_sip_mod_data_get(tdata->mod_data, supplement_module.id, MOD_DATA_CONTACT);</span><br><span style="color: hsl(0, 100%, 40%);">- ao2_cleanup(contact);</span><br><span style="color: hsl(0, 100%, 40%);">- ast_sip_mod_data_set(tdata->pool, tdata->mod_data, supplement_module.id, MOD_DATA_CONTACT, NULL);</span><br><span style="color: hsl(0, 100%, 40%);">- pjsip_tx_data_dec_ref(tdata);</span><br><span style="color: hsl(120, 100%, 40%);">+ clean_contact_from_tdata(tdata);</span><br><span> return -1;</span><br><span> }</span><br><span style="color: hsl(0, 100%, 40%);">- pjsip_tsx_recv_msg(tsx, rdata);</span><br><span style="color: hsl(120, 100%, 40%);">+ /* Create with handler so that we can release the pool once the glock derefs out */</span><br><span style="color: hsl(120, 100%, 40%);">+ if(pj_grp_lock_create_w_handler(pool, NULL, pool, &pool_destroy_callback, &tsx_glock) != PJ_SUCCESS) {</span><br><span style="color: hsl(120, 100%, 40%);">+ clean_contact_from_tdata(tdata);</span><br><span style="color: hsl(120, 100%, 40%);">+ pool_destroy_callback((void *) pool);</span><br><span style="color: 
hsl(120, 100%, 40%);">+ return -1;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ /* We need an additional reference as the qualify thread may destroy this out</span><br><span style="color: hsl(120, 100%, 40%);">+ * from under us. Add it now before it gets added to the tsx. */</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_grp_lock_add_ref(tsx_glock);</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+ if (pjsip_tsx_create_uas2(NULL, rdata, tsx_glock, &tsx) != PJ_SUCCESS) {</span><br><span style="color: hsl(120, 100%, 40%);">+ clean_contact_from_tdata(tdata);</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_grp_lock_dec_ref(tsx_glock);</span><br><span style="color: hsl(120, 100%, 40%);">+ return -1;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ pjsip_tsx_recv_msg(tsx, rdata);</span><br><span> supplement_outgoing_response(tdata, sip_endpoint);</span><br><span> </span><br><span> if (pjsip_tsx_send_msg(tsx, tdata) != PJ_SUCCESS) {</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_grp_lock_dec_ref(tsx_glock);</span><br><span> pjsip_tx_data_dec_ref(tdata);</span><br><span> return -1;</span><br><span> }</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+ pj_grp_lock_dec_ref(tsx_glock);</span><br><span> return 0;</span><br><span> }</span><br><span> </span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.asterisk.org/c/asterisk/+/19513">change 19513</a>. 
</p>
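Review bot: In ast_sip_send_stateful_response(), the pjsip_tsx_send_msg() failure branch still releases tdata with a bare pjsip_tx_data_dec_ref(tdata), while the three failure branches before it all go through clean_contact_from_tdata(), which also drops the MOD_DATA_CONTACT reference. Either call the helper there as well, or add a comment saying why the contact reference no longer needs releasing once supplement_outgoing_response() has run; nothing in this hunk shows it. The retained comment beginning "ast_sip_create_response bumps the refcount of the contact" now sits only inside the if (!pool) branch, although the cleanup it explains is done by the helper on three paths, so it would read better as the doc comment of clean_contact_from_tdata(). The extra group-lock reference taken with pj_grp_lock_add_ref() is dropped by hand on three separate exits (pjsip_tsx_create_uas2 failure, send failure, success); a single cleanup label would make a missed pj_grp_lock_dec_ref() harder to introduce in a later change. Nits: the comment "Create and initialize global lock pool" should say group lock, and "if (!pool){" and "if(pj_grp_lock_create_w_handler" need the usual spacing.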
<div style="display:none"> Gerrit-Project: asterisk </div>
<div style="display:none"> Gerrit-Branch: 19 </div>
<div style="display:none"> Gerrit-Change-Id: Id050fded2247a04d8f0fc5b8a2cf3e5482cb8cee </div>
<div style="display:none"> Gerrit-Change-Number: 19513 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: Michael Bradeen <mbradeen@sangoma.com> </div>
<div style="display:none"> Gerrit-Reviewer: Friendly Automation </div>
<div style="display:none"> Gerrit-Reviewer: George Joseph <gjoseph@digium.com> </div>
<div style="display:none"> Gerrit-MessageType: merged </div>