[asterisk-dev] Race condition in app_meetme generates a SIGSEGV

Constantine Filin cfilin at intermedia.net
Wed May 31 02:32:26 MST 2006


Greetings 

A race condition in function "conf_run" happens when a caller is joining
a conference just before the last conference user is leaving it.

Here are the details:

Say, the last caller "A" is leaving the conference while another caller
"B" is joining it.

A's thread is between line 1565 in app_meetme.c and line 1617,
"conflock" mutex is locked. B's thread is waiting for "conflock" mutex
on line 865 of app_meetme.c.

A's thread is seeing that it is the last user and on line 1582 it calls
"conf_free" releasing the conference. Then A's thread proceeds to line
1617 to release "conflock".

Once "conflock" is released, B's thread grabs it on line 865 and
accesses the "conf" structure that has just been released by A's thread.

Yesterday this race condition crashed my PBX. :(

I think the right solution is to keep conference reference counting at
the place where "conf_run" is called.

Who is the main caretaker of app_meetme.c? I would like to work with
this person to develop a fix.

Thanks

-c
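The reference-counting idea proposed above, as an added C example that is not part of the original post or of app_meetme.c: the conference record, the list, the lock name "conflock" and the names conf_acquire/conf_release are all constructed for illustration. The lookup and the refcount increment happen under the same lock that guards the free, so a joiner that has already obtained a pointer keeps the conference alive until it has left too; the scenario function replays the A/B interleaving from the post in one thread and counts how often conf_free ran.

```c
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy conference record, constructed for this example (not Asterisk's own struct). */
struct conf {
    char name[32];
    int refcount;        /* callers holding a pointer to this conf; guarded by conflock */
    struct conf *next;
};

static pthread_mutex_t conflock = PTHREAD_MUTEX_INITIALIZER;
static struct conf *confs = NULL;   /* global list of live conferences */
static int conf_free_calls = 0;     /* instrumentation: how many times conf_free ran */

/* Unlink and free a conference. Caller must hold conflock. */
static void conf_free(struct conf *cnf)
{
    struct conf **pp;
    for (pp = &confs; *pp; pp = &(*pp)->next) {
        if (*pp == cnf) {
            *pp = cnf->next;
            break;
        }
    }
    conf_free_calls++;
    free(cnf);
}

/* Look up (or create) a conference by name and take a reference on it.
 * This is the "count at the place where conf_run is called" idea: the lookup
 * and the increment happen under the same lock that guards conf_free, so a
 * leaver can never free a conference that a joiner already holds a pointer to. */
static struct conf *conf_acquire(const char *name)
{
    struct conf *cnf;
    pthread_mutex_lock(&conflock);
    for (cnf = confs; cnf; cnf = cnf->next)
        if (strcmp(cnf->name, name) == 0)
            break;
    if (!cnf) {
        cnf = calloc(1, sizeof(*cnf));
        if (!cnf) { pthread_mutex_unlock(&conflock); return NULL; }
        snprintf(cnf->name, sizeof(cnf->name), "%s", name);
        cnf->next = confs;
        confs = cnf;
    }
    cnf->refcount++;
    pthread_mutex_unlock(&conflock);
    return cnf;
}

/* Drop a reference; free the conference only when the last holder leaves.
 * Returns 1 if this call freed the conference, 0 otherwise. */
static int conf_release(struct conf *cnf)
{
    int freed = 0;
    pthread_mutex_lock(&conflock);
    if (--cnf->refcount == 0) {
        conf_free(cnf);
        freed = 1;
    }
    pthread_mutex_unlock(&conflock);
    return freed;
}

/* Replay the interleaving from the post in a single thread: A is in the conference,
 * B has already looked it up (holds a pointer) but has not entered it yet, then A leaves.
 * Returns the number of times conf_free ran; with refcounting it must be exactly 1,
 * and only after B has also left. Negative values flag a broken invariant. */
int race_scenario(void)
{
    struct conf *a = conf_acquire("1234");   /* caller A joins, refcount 1 */
    struct conf *b = conf_acquire("1234");   /* caller B looks it up, refcount 2 */
    if (!a || !b || a != b)
        return -1;

    int freed_by_a = conf_release(a);        /* A leaves: refcount 1, conf still live */
    if (freed_by_a)
        return -2;                           /* this would be the use-after-free window */

    /* B now enters the conference and touches the struct under conflock, as conf_run would. */
    pthread_mutex_lock(&conflock);
    int name_ok = strcmp(b->name, "1234") == 0;
    pthread_mutex_unlock(&conflock);
    if (!name_ok)
        return -3;

    int freed_by_b = conf_release(b);        /* B leaves last: refcount 0, conf freed */
    if (!freed_by_b || confs != NULL)
        return -4;
    return conf_free_calls;
}

int main(void)
{
    printf("conf_free ran %d time(s)\n", race_scenario());
    return 0;
}
```

The important property is that the lookup returning the pointer and the increment are one critical section; taking the reference in a later call to conf_run, after the lock has been dropped and reacquired, would leave exactly the window the post describes.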