[asterisk-dev] Bridge channel depart (and crash)
Holger Freyther
holger at moiji-mobile.com
Mon Apr 22 03:01:24 CDT 2019
I was looking into the crash reported in ASTERISK-26718 and I have uploaded two changes into gerrit to fix the symptom[1] and hopefully address the cause[2] as well. It would be nice if anyone with a better understanding of stasis and the bridging code can provide feedback.
The crash appears to happen because the stasis control app is unlinked/deleted before the registered after bridge callback is called on the channel which is then following a dangling pointer (use after free). This can happen if imparting the call back to the dial bridge fails.
When imparting fails I am now calling ast_bridge_discard_after_callback to cancel the outstanding callback and the crash vanishes. It prints more error messages of having failed to impart the channel but doesn't crash anymore.
Having fixed the symptom/crash I tried to understand the cause. The log message already provides a lot of details:
WARNING[5290][C-00000a96] bridge.c: Channel PJSIP/ic_proxy_endpoint-00000a95 has a PBX thread and cannot be imparted into bridge 4c35dd9c-4f74-4fdb-af35-261dfd875c04
My attempt is to "park" the pbx in the stasis control. I have placed it in the depart_channel function before calling add_to_dial_bridge. This makes the warning disappear (and I didn't hit the assert) in my manual tests. Is this the right fix and the right place to fix it? Should it be moved into add_to_dial_bridge?
Looking forward to getting your feedback
holger
[1] https://gerrit.asterisk.org/c/asterisk/+/11254
[2] https://gerrit.asterisk.org/c/asterisk/+/11255
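
An added illustration of the lifetime problem described in the message above, not code from the post or from Asterisk: a simplified C model in which every name (`control`, `channel`, `set_after_callback`, `discard_after_callback`, `impart`, `depart_to_dial_bridge`) is hypothetical. It reports whether a callback that references freed state is still pending, with and without discarding it when the impart fails.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified model of the lifetime bug; every name here is hypothetical. */
struct control { int id; };
struct channel {
    void (*after_cb)(struct channel *, void *); /* run when leaving a bridge */
    void *after_data;                           /* borrowed pointer to control */
    int last_id;
};

static void after_bridge(struct channel *chan, void *data)
{
    chan->last_id = ((struct control *)data)->id; /* safe only while control lives */
}

static void set_after_callback(struct channel *chan, struct control *ctl)
{
    chan->after_cb = after_bridge;
    chan->after_data = ctl;
}

/* Cancel the outstanding callback so nothing references the control later. */
static void discard_after_callback(struct channel *chan)
{
    chan->after_cb = NULL;
    chan->after_data = NULL;
}

/* Stand-in for an impart that is refused, as in the logged warning. */
static int impart(struct channel *chan) { (void)chan; return -1; }

/* Returns 1 if a callback is still pending after the control was freed. */
int depart_to_dial_bridge(int discard_on_failure)
{
    struct channel chan = {0};
    struct control *ctl = malloc(sizeof(*ctl));
    if (!ctl) return -1;
    ctl->id = 7; /* constructed value */
    set_after_callback(&chan, ctl);
    if (impart(&chan) != 0 && discard_on_failure)
        discard_after_callback(&chan);
    free(ctl); /* control is deleted while the channel lives on */
    /* The model reports the pending callback instead of invoking it. */
    return chan.after_cb != NULL;
}

int main(void)
{
    printf("no discard: %d, discard: %d\n", depart_to_dial_bridge(0), depart_to_dial_bridge(1));
    return 0;
}
```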