[Asterisk-Dev] improper locking in chan_sip:: struct sip_pvt's "packets" list?
Luigi Rizzo
rizzo at icir.org
Sat Dec 17 11:17:57 MST 2005
I am not 100% sure, but I am under the impression that the "packets"
list in chan_sip.c :: struct sip_pvt is not locked properly.
Specifically, __sip_ack() navigates the list without holding
p->lock, and only acquires that when removing the target from
the list. There is, however, another procedure, retrans_pkt(),
which can remove records from the list (correctly protected
by the p->lock), which means that there might be
a race condition where __sip_ack() will try to dereference
a freed entry.
Am I wrong?
cheers
luigi
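
The locking pattern the message describes, reduced to a minimal C sketch that is an added example and not code from chan_sip.c or from the original post. The names struct pkt, struct dialog, pkt_add, ack_racy and ack_locked are hypothetical; d->lock stands in for p->lock and d->packets for the "packets" list.

```c
/* Added illustration; all names are hypothetical, not Asterisk's. */
#include <pthread.h>
#include <stdlib.h>

struct pkt { int seqno; struct pkt *next; };
struct dialog {
    pthread_mutex_t lock;   /* stands in for p->lock */
    struct pkt *packets;    /* stands in for the "packets" list */
};

/* Queue a packet awaiting acknowledgement (head insert). 0 on success. */
int pkt_add(struct dialog *d, int seqno) {
    struct pkt *n = malloc(sizeof(*n));
    if (!n) return -1;
    n->seqno = seqno;
    pthread_mutex_lock(&d->lock);
    n->next = d->packets;
    d->packets = n;
    pthread_mutex_unlock(&d->lock);
    return 0;
}

/* Pattern described in the message: walk unlocked, lock only to unlink.
 * A concurrent remover may free 'cur' or 'prev' while this loop runs. */
int ack_racy(struct dialog *d, int seqno) {
    struct pkt *cur, *prev = NULL;
    for (cur = d->packets; cur; prev = cur, cur = cur->next) { /* no lock */
        if (cur->seqno != seqno) continue;
        pthread_mutex_lock(&d->lock);
        if (prev) prev->next = cur->next; else d->packets = cur->next;
        pthread_mutex_unlock(&d->lock);
        free(cur);
        return 1;
    }
    return 0;
}

/* Same operation with the lock held across both lookup and unlink,
 * so no other holder of d->lock can free a node mid-walk. */
int ack_locked(struct dialog *d, int seqno) {
    struct pkt **pp, *cur;
    int found = 0;
    pthread_mutex_lock(&d->lock);
    for (pp = &d->packets; (cur = *pp) != NULL; pp = &cur->next) {
        if (cur->seqno == seqno) { *pp = cur->next; free(cur); found = 1; break; }
    }
    pthread_mutex_unlock(&d->lock);
    return found;
}
```

Run single-threaded, both functions return the same results; they differ only when another thread removes entries under the lock during the unlocked walk in ack_racy.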