[asterisk-dev] ASTERISK-26978 - rtp: Crash in ast_rtp_codecs_payload_code()

Ross Beer ross.beer at outlook.com
Wed May 24 10:12:43 CDT 2017


>>

>> Therefore I have added the following code to check for this:
>>
>>
>>         if (format1->codec == NULL || format2->codec == NULL) {
>>                 return AST_FORMAT_CMP_NOT_EQUAL;
>>         }
>>
>> The question is, should 'codec' be NULL if 'format1' and 'format2' are
>> not NULL? Is adding the above check the correct fix?

>A format can't be created and remain valid without a codec being present
>on it. A format itself is a codec + extra data about it. Identifying how
>it became NULL and why the format is no longer valid would uncover the
>real fix.

Does the format object need locking so that anything acting on it doesn't have the object pulled from under it?

My theory is that a channel is attempting to deallocate the 'format' object while it is being compared. It, therefore, makes it through the NULL checks on 'format1' and 'format2' but is in the process of being freed.

There are quite a few backtraces on this and the linked issue. Would anyone be willing to take a look? My C skills are not that good.
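The race described in the message above, as an added illustration that is not Asterisk's code and not the check proposed in the thread: a hypothetical, much simplified reference-counted format (the names `format_create`, `format_ref`, `format_unref`, `format_cmp`, `FMT_CMP_*` and the `g_formats_destroyed` counter are all assumptions made for this example) showing why a NULL test on `format->codec` cannot substitute for owning a reference to the object, and how a reference taken by the comparing side before use makes the "released while being compared" interleaving harmless. Threads are modelled as a fixed sequential interleaving so the outcome is deterministic.

```c
#include <stdatomic.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical simplified model (not Asterisk's ast_format): a codec plus a
 * reference-counted format object that carries it. */
enum fmt_cmp { FMT_CMP_EQUAL = 0, FMT_CMP_NOT_EQUAL = 1 };

struct codec {
    char name[16];
};

struct format {
    atomic_int refcount;   /* number of owners keeping the object alive */
    struct codec *codec;   /* invariant: non-NULL for the whole life of a valid format */
};

static int g_formats_destroyed;   /* counts destructor runs so a test can observe them */

int formats_destroyed(void) { return g_formats_destroyed; }

/* Create a format with one reference owned by the caller; NULL on allocation failure. */
struct format *format_create(const char *codec_name)
{
    struct codec *c = calloc(1, sizeof *c);
    struct format *f = calloc(1, sizeof *f);
    if (!c || !f) {
        free(c);
        free(f);
        return NULL;
    }
    strncpy(c->name, codec_name, sizeof c->name - 1);
    atomic_init(&f->refcount, 1);
    f->codec = c;
    return f;
}

/* Take an additional reference; the caller must later drop it with format_unref(). */
struct format *format_ref(struct format *f)
{
    atomic_fetch_add(&f->refcount, 1);
    return f;
}

/* Drop a reference; the last one destroys the object. After this call the
 * caller must not touch f, because the memory may already be gone. */
void format_unref(struct format *f)
{
    if (!f) {
        return;
    }
    if (atomic_fetch_sub(&f->refcount, 1) == 1) {
        free(f->codec);
        f->codec = NULL;      /* briefly NULL: the only state the codec NULL check can ever catch */
        free(f);
        g_formats_destroyed++;
    }
}

/* Comparison carrying the NULL guard discussed in the thread. The guard only
 * helps for the one ordering in which the codec is already gone but the struct
 * is not; once the struct itself is freed the read is of freed memory, so the
 * guard is not ownership and must not be relied on as such. */
enum fmt_cmp format_cmp(const struct format *f1, const struct format *f2)
{
    if (!f1 || !f2 || !f1->codec || !f2->codec) {
        return FMT_CMP_NOT_EQUAL;
    }
    return strcmp(f1->codec->name, f2->codec->name) == 0 ? FMT_CMP_EQUAL : FMT_CMP_NOT_EQUAL;
}

/* The scenario from the thread as a sequential interleaving: owner A releases
 * its format while owner B is comparing it. B holds its own reference for the
 * duration of the use, so A's release cannot pull the object out from under it. */
enum fmt_cmp scenario_release_during_compare(void)
{
    struct format *a_fmt = format_create("ulaw");   /* owner A's reference */
    struct format *other = format_create("ulaw");   /* constructed sample: the format B compares against */
    if (!a_fmt || !other) {
        format_unref(a_fmt);
        format_unref(other);
        return FMT_CMP_NOT_EQUAL;
    }

    struct format *b_fmt = format_ref(a_fmt);   /* B takes its own reference before using the object */
    format_unref(a_fmt);                        /* A releases mid-compare: refcount 2 -> 1, object survives */
    enum fmt_cmp r = format_cmp(b_fmt, other);  /* safe: B's reference keeps codec valid */
    format_unref(b_fmt);                        /* B finishes: refcount 1 -> 0, destructor runs only now */
    format_unref(other);
    return r;
}
```

The point of the model is that the release by owner A and the comparison by owner B are ordered by the reference count, not by any field check: if B had not called `format_ref` first, A's `format_unref` would have run the destructor while B was still about to read `codec`, and no NULL test performed after that on freed memory is defined behaviour. That is why the reply above steers towards finding the owner that drops the format too early rather than guarding the comparison.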


