[asterisk-dev] [Code Review] 4599: chan_iax2 - unprotected access of iaxs[peer->callno] potentially results in segfault
Jaco Kroon
reviewboard at asterisk.org
Wed Apr 8 06:59:32 CDT 2015
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviewboard.asterisk.org/r/4599/
-----------------------------------------------------------
(Updated April 8, 2015, 6:59 a.m.)
Status
------
This change has been marked as submitted.
Review request for Asterisk Developers.
Changes
-------
Committed in revision 434291
Bugs: ASTERISK-21211
https://issues.asterisk.org/jira/browse/ASTERISK-21211
Repository: Asterisk
Description
-------
chan_iax2.c, specifically in function iax2_poke_peer, a completely unprotected access to iaxs[peer->callno] is made. Specifically, I had a segfault trigger on line 12230, an access to iaxs[peer->callno] - the second in a sequence, so peer->callno can definitely change between the two.
It is my understanding that:
1. peer->callno can change outside of the function, thus it's probably unsafe to use the raw value as per lines 12223, 12229 and 12230. I believe this should be callno, and not peer->callno. Please correct me if I'm wrong. This can either happen by us calling iax2_destroy, or simply another thread also scheduling a POKE on the same peer.
2. All reads and writes to iaxs[X] should be protected by a lock of iaxsl[X]. Lines 12229 and 12230 violate this currently.
I suspect my crash resulted from a sequence where a POKE was in process of being scheduled, another thread then called iax2_poke_peer for the same peer, called iax2_destroy on the iaxs[] busy being set up, and boom major catastrophe.
Diffs
-----
http://svn.asterisk.org/svn/asterisk/trunk/channels/chan_iax2.c 434210
Diff: https://reviewboard.asterisk.org/r/4599/diff/
Testing
-------
Been running since 11.2.1 with this patch, specifically 6/3/2013 (more than two years) in multiple production environments. Many fewer segfaults.
Thanks,
Jaco Kroon
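The two rules from the description above, as an added C illustration that is not Asterisk's code or the submitted patch: a toy per-slot table (calls[]/locks[] standing in for iaxs[]/iaxsl[]) whose poke routine reads the peer's call number once into a local and re-validates the slot under its lock, so a concurrent destroy or reuse of the slot is detected instead of dereferenced. All struct and function names here are assumptions.

```c
/* Added illustration, not Asterisk code: per-slot locking in the style of
 * iaxs[]/iaxsl[], with the two rules from the review request applied. */
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CALLS 8

struct call { int peer_id; int pokes; };   /* hypothetical per-call state */
struct peer { int id; int callno; };       /* callno 0 means "no call"    */

static struct call *calls[MAX_CALLS];      /* stands in for iaxs[]        */
static pthread_mutex_t locks[MAX_CALLS];   /* stands in for iaxsl[]       */

void calls_init(void) {
    memset(calls, 0, sizeof(calls));
    for (int i = 0; i < MAX_CALLS; i++)
        pthread_mutex_init(&locks[i], NULL);
}

/* Allocate a slot for the peer; every write to calls[X] is under locks[X]. */
int call_new(struct peer *p, int callno) {
    if (callno <= 0 || callno >= MAX_CALLS) return -1;
    pthread_mutex_lock(&locks[callno]);
    if (calls[callno]) { pthread_mutex_unlock(&locks[callno]); return -1; }
    calls[callno] = calloc(1, sizeof(struct call));
    calls[callno]->peer_id = p->id;
    p->callno = callno;
    pthread_mutex_unlock(&locks[callno]);
    return 0;
}

/* Tear a slot down (the role iax2_destroy plays), also under the lock. */
void call_destroy(struct peer *p, int callno) {
    pthread_mutex_lock(&locks[callno]);
    free(calls[callno]);
    calls[callno] = NULL;
    if (p->callno == callno) p->callno = 0;
    pthread_mutex_unlock(&locks[callno]);
}

/* Poke with both rules applied: read peer->callno exactly once into a local,
 * take locks[callno] before touching calls[callno], and re-check the slot,
 * since another thread may have destroyed or reused it in the meantime.
 * Returns 1 if poked, 0 if the slot is gone or now belongs to another peer. */
int peer_poke(struct peer *p) {
    int callno = p->callno;                /* snapshot; never re-read p->callno */
    if (callno <= 0 || callno >= MAX_CALLS) return 0;
    pthread_mutex_lock(&locks[callno]);
    int ok = calls[callno] && calls[callno]->peer_id == p->id;
    if (ok) calls[callno]->pokes++;
    pthread_mutex_unlock(&locks[callno]);
    return ok;
}
```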