<p>George Joseph has uploaded this change for <strong>review</strong>.</p><p><a href="https://gerrit.asterisk.org/c/asterisk/+/13412">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">res_rtp_asterisk: Add frame list cleanups to ast_rtp_read<br><br>In Asterisk 16+, there are a few places in ast_rtp_read where we've<br>allocated a frame list but return a null frame instead of the list.<br>In these cases, any frames left in the list won't be freed. In the<br>vast majority of the cases, the list is empty when we return so<br>there's nothing to free but there have been leaks reported in the<br>wild that can be traced back to frames left in the list before<br>returning.<br><br>The escape paths now all have logic to free frames left in the<br>list.<br><br>ASTERISK-28609<br>Reported by: Ted G<br><br>Change-Id: Ia1d7075857ebd26b47183c44b1aebb0d8f985f7a<br>---<br>M res/res_rtp_asterisk.c<br>1 file changed, 15 insertions(+), 6 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/12/13412/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/res/res_rtp_asterisk.c b/res/res_rtp_asterisk.c</span><br><span>index c870fce..4429187 100644</span><br><span>--- a/res/res_rtp_asterisk.c</span><br><span>+++ b/res/res_rtp_asterisk.c</span><br><span>@@ -7520,6 +7520,7 @@</span><br><span> </span><br><span> AST_LIST_HEAD_INIT_NOLOCK(&frames);</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> /* Only non-bundled instances can change/learn the remote's SSRC implicitly. */</span><br><span> if (!child && !AST_VECTOR_SIZE(&rtp->ssrc_mapping)) {</span><br><span> /* Force a marker bit and change SSRC if the SSRC changes */</span><br><span>@@ -7561,7 +7562,7 @@</span><br><span> </span><br><span> if (!rtp->recv_buffer) {</span><br><span> /* If there is no receive buffer then we can pass back the frame directly */</span><br><span style="color: hsl(0, 100%, 40%);">- return ast_rtp_interpret(instance, srtp, &addr, read_area, res, prev_seqno);</span><br><span style="color: hsl(120, 100%, 40%);">+ goto free_list_and_interpret;</span><br><span> } else if (rtp->expectedrxseqno == -1 || seqno == rtp->expectedrxseqno) {</span><br><span> rtp->expectedrxseqno = seqno + 1;</span><br><span> </span><br><span>@@ -7569,7 +7570,7 @@</span><br><span> * return it directly without duplicating it.</span><br><span> */</span><br><span> if (!ast_data_buffer_count(rtp->recv_buffer)) {</span><br><span style="color: hsl(0, 100%, 40%);">- return ast_rtp_interpret(instance, srtp, &addr, read_area, res, prev_seqno);</span><br><span style="color: hsl(120, 100%, 40%);">+ goto free_list_and_interpret;</span><br><span> }</span><br><span> </span><br><span> if (!AST_VECTOR_REMOVE_CMP_ORDERED(&rtp->missing_seqno, seqno, find_by_value,</span><br><span>@@ -7582,7 +7583,7 @@</span><br><span> * chance it will be overwritten.</span><br><span> */</span><br><span> if (!ast_data_buffer_get(rtp->recv_buffer, seqno + 1)) {</span><br><span style="color: hsl(0, 100%, 40%);">- return ast_rtp_interpret(instance, srtp, &addr, read_area, res, prev_seqno);</span><br><span style="color: hsl(120, 100%, 40%);">+ goto free_list_and_interpret;</span><br><span> }</span><br><span> </span><br><span> /* Otherwise we need to dupe the frame so that the potential processing of frames placed after</span><br><span>@@ -7696,7 +7697,12 @@</span><br><span> AST_VECTOR_RESET(&rtp->missing_seqno, AST_VECTOR_ELEM_CLEANUP_NOOP);</span><br><span> </span><br><span> return AST_LIST_FIRST(&frames);</span><br><span style="color: hsl(0, 100%, 40%);">- } else if (seqno < rtp->expectedrxseqno) {</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ /* We're finished with the frames list */</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_frame_free(AST_LIST_FIRST(&frames), 0);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ if (seqno < rtp->expectedrxseqno) {</span><br><span> /* If this is a packet from the past then we have received a duplicate packet, so just drop it */</span><br><span> ast_debug(2, "Received an old packet with sequence number '%d' on RTP instance '%p', dropping it\n",</span><br><span> seqno, instance);</span><br><span>@@ -7807,11 +7813,14 @@</span><br><span> ast_rtcp_calculate_sr_rr_statistics(instance, rtcp_report, remote_address, ice, sr);</span><br><span> }</span><br><span> }</span><br><span style="color: hsl(0, 100%, 40%);">-</span><br><span style="color: hsl(0, 100%, 40%);">- return &ast_null_frame;</span><br><span> }</span><br><span> </span><br><span> return &ast_null_frame;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+free_list_and_interpret:</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_frame_free(AST_LIST_FIRST(&frames), 0);</span><br><span style="color: hsl(120, 100%, 40%);">+ return ast_rtp_interpret(instance, srtp, &addr, read_area, res, prev_seqno);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> }</span><br><span> </span><br><span> /*! \pre instance is locked */</span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.asterisk.org/c/asterisk/+/13412">change 13412</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.asterisk.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.asterisk.org/c/asterisk/+/13412"/><meta itemprop="name" content="View Change"/></div></div>
<div style="display:none"> Gerrit-Project: asterisk </div>
<div style="display:none"> Gerrit-Branch: 16 </div>
<div style="display:none"> Gerrit-Change-Id: Ia1d7075857ebd26b47183c44b1aebb0d8f985f7a </div>
<div style="display:none"> Gerrit-Change-Number: 13412 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: George Joseph <gjoseph@digium.com> </div>
<div style="display:none"> Gerrit-MessageType: newchange </div>