[asterisk-dev] [Code Review] res_srtp: Fix a crash caused by an attempt to dealloc a session pointer that was never alloced or has already been dealloced.

jrose reviewboard at asterisk.org
Mon Dec 3 10:22:07 CST 2012


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviewboard.asterisk.org/r/2228/#review7477
-----------------------------------------------------------


The mistake here is within lib_srtp more so than Asterisk.  srtp_create allocates the session and sets the session pointer value to an alloced struct called 'ctx'. When it fails on srtp_add_stream, it deallocs this session and returns without setting the session to NULL afterwards... which is less than a graceful way to bail out and isn't mentioned in the documentation for srtp_create. (Also not mentioned is the fact that this function can return err_status_bad_param).

- jrose


On Dec. 3, 2012, 10:11 a.m., jrose wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviewboard.asterisk.org/r/2228/
> -----------------------------------------------------------
> 
> (Updated Dec. 3, 2012, 10:11 a.m.)
> 
> 
> Review request for Asterisk Developers, Mark Michelson and Matt Jordan.
> 
> 
> Summary
> -------
> 
> If srtp_create fails, the session we create for temp will either not be created or else will be dealloced within srtp_create. At present, when we then run ast_srtp_destroy, attempting to dealloc this can cause Asterisk to crash. This patch addresses that by setting the session pointer to NULL so ast_srtp_destroy doesn't attempt to dealloc it.
> 
> As one might expect, this patch doesn't resolve the reporter's problems with actually setting up an SRTP-enabled SIP call, but it does fix a crash which shouldn't be happening.
> 
> 
> This addresses bug ASTERISK-20499.
>     https://issues.asterisk.org/jira/browse/ASTERISK-20499
> 
> 
> Diffs
> -----
> 
>   /branches/1.8/res/res_srtp.c 377034 
> 
> Diff: https://reviewboard.asterisk.org/r/2228/diff
> 
> 
> Testing
> -------
> 
> The reporter has tested the patch and confirmed that it eliminates the crash.
> 
> 
> Thanks,
> 
> jrose
> 
>
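
The failure mode discussed in this thread, as an added example that is not part of the original e-mail and is not Asterisk or libsrtp code. All names (mock_create, mock_dealloc, wrapper_destroy, run_cycle) are hypothetical stand-ins, and a one-slot pool replaces the heap so the second release can be counted instead of corrupting memory.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the library's session object and allocator. */
struct mock_session { int in_use; };
static struct mock_session pool_slot;
static int bad_releases;  /* releases of a session that is not allocated */

static void mock_dealloc(struct mock_session *s)
{
    if (!s->in_use) { bad_releases++; return; }  /* would be a double free */
    s->in_use = 0;
}

/* Mimics the behaviour described in the review: the out-pointer is set, a
 * later step fails, the session is released, and *out is left stale. */
static int mock_create(struct mock_session **out, int fail_add_stream)
{
    pool_slot.in_use = 1;
    *out = &pool_slot;
    if (fail_add_stream) {
        mock_dealloc(*out);
        return -1;  /* caller still holds the released pointer */
    }
    return 0;
}

struct wrapper { struct mock_session *session; };

/* Teardown that releases whatever session pointer is set. */
static void wrapper_destroy(struct wrapper *w)
{
    if (w->session) {
        mock_dealloc(w->session);
        w->session = NULL;
    }
}

/* One create+destroy cycle; returns the number of bad releases observed. */
int run_cycle(int fail_add_stream, int clear_on_failure)
{
    struct wrapper w = { NULL };
    bad_releases = 0;
    pool_slot.in_use = 0;
    if (mock_create(&w.session, fail_add_stream) != 0 && clear_on_failure)
        w.session = NULL;  /* the fix: forget the stale pointer on failure */
    wrapper_destroy(&w);
    return bad_releases;
}

int main(void)
{
    printf("unpatched: %d, patched: %d\n", run_cycle(1, 0), run_cycle(1, 1));
    return 0;
}
```

With a real allocator the unpatched path frees the same block twice, which is the crash the summary describes.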
