[asterisk-dev] [Code Review] chan_sip: fixes provisional keepalive scheduled item crash

David Vossel dvossel at digium.com
Fri Aug 6 15:44:54 CDT 2010


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviewboard.asterisk.org/r/849/
-----------------------------------------------------------

Review request for Asterisk Developers and Russell Bryant.


Summary
-------

There is a scheduler item in chan_sip that keeps sending the last provisional message in response to an INVITE Request for a period of time until a final response to that INVITE is sent.  Because of the way this scheduler item works, it requires a reference to a sip_pvt pointer to work properly.  The problem with this is that it is currently possible (but rare) for the sip_pvt to get destroyed and that scheduler item to still exist.  When this occurs, the scheduler event fires and attempts to access a freed sip_pvt which causes a crash.

In 1.6.x through trunk this is not an issue because we have ref counted dialogs, but in 1.4 this is a pain.  Instead of backporting ref counted dialogs into 1.4 I have created a separate ref counted object just for this scheduler item that both the scheduler and the dialog own.  This makes it possible for the dialog to get destroyed and the scheduler callback detect that that dialog no longer exists it it was not able to be removed.

For all other scheduler items this does not appear to be an issue.  It is because this scheduled item can be scheduled/deleted from multiple threads through the sip_indicate() function that this is a problem.


Diffs
-----

  /branches/1.4/channels/chan_sip.c 281083 

Diff: https://reviewboard.asterisk.org/r/849/diff


Testing
-------

I made calls and verified that provisional keepalive stops once the final response is sent to an incoming INVITE.


Thanks,

David




More information about the asterisk-dev mailing list