<p>Joshua Colp <strong>submitted</strong> this change.</p><p><a href="https://gerrit.asterisk.org/c/asterisk/+/15868">View Change</a></p><div style="white-space:pre-wrap">Approvals:
George Joseph: Looks good to me, approved
Joshua Colp: Approved for Submit
</div><pre style="font-family: monospace,monospace; white-space: pre-wrap;">pjsip: Add patch for resolving STUN packet lifetime issues.<br><br>In some cases it was possible for a STUN packet to be destroyed<br>prematurely or even destroyed partially multiple times.<br><br>This patch provided by Teluu fixes the lifetime of these<br>packets and ensures they aren't partially destroyed multiple<br>times.<br><br>https://github.com/pjsip/pjproject/pull/2709<br><br>ASTERISK-29377<br><br>Change-Id: Ie842ad24ddf345e01c69a4d333023f05f787abca<br>---<br>A third-party/pjproject/patches/0100-fix-double-stun-free.patch<br>1 file changed, 82 insertions(+), 0 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/third-party/pjproject/patches/0100-fix-double-stun-free.patch b/third-party/pjproject/patches/0100-fix-double-stun-free.patch</span><br><span>new file mode 100644</span><br><span>index 0000000..b1cfcfd</span><br><span>--- /dev/null</span><br><span>+++ b/third-party/pjproject/patches/0100-fix-double-stun-free.patch</span><br><span>@@ -0,0 +1,82 @@</span><br><span style="color: hsl(120, 100%, 40%);">+commit f0ff5817d0647bdecd1ec99488db9378e304cf83</span><br><span style="color: hsl(120, 100%, 40%);">+Author: sauwming <ming@teluu.com></span><br><span style="color: hsl(120, 100%, 40%);">+Date: Mon May 17 09:56:27 2021 +0800</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ Fix double free of stun session (#2709)</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+diff --git a/pjnath/include/pjnath/stun_session.h b/pjnath/include/pjnath/stun_session.h</span><br><span style="color: hsl(120, 100%, 40%);">+index bee630ab4..afca06911 100644</span><br><span style="color: hsl(120, 100%, 40%);">+--- a/pjnath/include/pjnath/stun_session.h</span><br><span>++++ b/pjnath/include/pjnath/stun_session.h</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -341,6 +341,7 @@ struct pj_stun_tx_data</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_pool_t *pool; /**< Pool. */</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_stun_session *sess; /**< The STUN session. */</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_stun_msg *msg; /**< The STUN message. */</span><br><span style="color: hsl(120, 100%, 40%);">++ pj_bool_t is_destroying; /**< Is destroying? */</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ void *token; /**< The token. */</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+diff --git a/pjnath/src/pjnath/stun_session.c b/pjnath/src/pjnath/stun_session.c</span><br><span style="color: hsl(120, 100%, 40%);">+index f2b4f7058..d436b94bf 100644</span><br><span style="color: hsl(120, 100%, 40%);">+--- a/pjnath/src/pjnath/stun_session.c</span><br><span>++++ b/pjnath/src/pjnath/stun_session.c</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -167,16 +167,27 @@ static void tdata_on_destroy(void *arg)</span><br><span style="color: hsl(120, 100%, 40%);">+ {</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_stun_tx_data *tdata = (pj_stun_tx_data*)arg;</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">++ if (tdata->grp_lock) {</span><br><span style="color: hsl(120, 100%, 40%);">++ pj_grp_lock_dec_ref(tdata->sess->grp_lock);</span><br><span style="color: hsl(120, 100%, 40%);">++ }</span><br><span style="color: hsl(120, 100%, 40%);">++</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_pool_safe_release(&tdata->pool);</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ static void destroy_tdata(pj_stun_tx_data *tdata, pj_bool_t force)</span><br><span style="color: hsl(120, 100%, 40%);">+ {</span><br><span style="color: hsl(120, 100%, 40%);">+- TRACE_((THIS_FILE, "tdata %p destroy request, force=%d, tsx=%p", tdata,</span><br><span style="color: hsl(120, 100%, 40%);">+- force, tdata->client_tsx));</span><br><span style="color: hsl(120, 100%, 40%);">++ TRACE_((THIS_FILE,</span><br><span style="color: hsl(120, 100%, 40%);">++ "tdata %p destroy request, force=%d, tsx=%p, destroying=%d",</span><br><span style="color: hsl(120, 100%, 40%);">++ tdata, force, tdata->client_tsx, tdata->is_destroying));</span><br><span style="color: hsl(120, 100%, 40%);">++</span><br><span style="color: hsl(120, 100%, 40%);">++ /* Just return if destroy has been requested before */</span><br><span style="color: hsl(120, 100%, 40%);">++ if (tdata->is_destroying)</span><br><span style="color: hsl(120, 100%, 40%);">++ return;</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ /* STUN session may have been destroyed, except when tdata is cached. */</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">++ tdata->is_destroying = PJ_TRUE;</span><br><span style="color: hsl(120, 100%, 40%);">++</span><br><span style="color: hsl(120, 100%, 40%);">+ if (tdata->res_timer.id != PJ_FALSE) {</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_timer_heap_cancel_if_active(tdata->sess->cfg->timer_heap,</span><br><span style="color: hsl(120, 100%, 40%);">+ &tdata->res_timer, PJ_FALSE);</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -189,7 +200,6 @@ static void destroy_tdata(pj_stun_tx_data *tdata, pj_bool_t force)</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_stun_client_tsx_set_data(tdata->client_tsx, NULL);</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ if (tdata->grp_lock) {</span><br><span style="color: hsl(120, 100%, 40%);">+- pj_grp_lock_dec_ref(tdata->sess->grp_lock);</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_grp_lock_dec_ref(tdata->grp_lock);</span><br><span style="color: hsl(120, 100%, 40%);">+ } else {</span><br><span style="color: hsl(120, 100%, 40%);">+ tdata_on_destroy(tdata);</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -200,11 +210,11 @@ static void destroy_tdata(pj_stun_tx_data *tdata, pj_bool_t force)</span><br><span style="color: hsl(120, 100%, 40%);">+ /* "Probably" this is to absorb retransmission */</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_time_val delay = {0, 300};</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_stun_client_tsx_schedule_destroy(tdata->client_tsx, &delay);</span><br><span style="color: hsl(120, 100%, 40%);">++ tdata->is_destroying = PJ_FALSE;</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ } else {</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_list_erase(tdata);</span><br><span style="color: hsl(120, 100%, 40%);">+ if (tdata->grp_lock) {</span><br><span style="color: hsl(120, 100%, 40%);">+- pj_grp_lock_dec_ref(tdata->sess->grp_lock);</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_grp_lock_dec_ref(tdata->grp_lock);</span><br><span style="color: hsl(120, 100%, 40%);">+ } else {</span><br><span style="color: hsl(120, 100%, 40%);">+ tdata_on_destroy(tdata);</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -238,7 +248,7 @@ static void on_cache_timeout(pj_timer_heap_t *timer_heap,</span><br><span style="color: hsl(120, 100%, 40%);">+ sess = tdata->sess;</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ pj_grp_lock_acquire(sess->grp_lock);</span><br><span style="color: hsl(120, 100%, 40%);">+- if (sess->is_destroying) {</span><br><span style="color: hsl(120, 100%, 40%);">++ if (sess->is_destroying || tdata->is_destroying) {</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_grp_lock_release(sess->grp_lock);</span><br><span style="color: hsl(120, 100%, 40%);">+ return;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.asterisk.org/c/asterisk/+/15868">change 15868</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.asterisk.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.asterisk.org/c/asterisk/+/15868"/><meta itemprop="name" content="View Change"/></div></div>
<div style="display:none"> Gerrit-Project: asterisk </div>
<div style="display:none"> Gerrit-Branch: 18 </div>
<div style="display:none"> Gerrit-Change-Id: Ie842ad24ddf345e01c69a4d333023f05f787abca </div>
<div style="display:none"> Gerrit-Change-Number: 15868 </div>
<div style="display:none"> Gerrit-PatchSet: 3 </div>
<div style="display:none"> Gerrit-Owner: Joshua Colp <jcolp@sangoma.com> </div>
<div style="display:none"> Gerrit-Reviewer: Friendly Automation </div>
<div style="display:none"> Gerrit-Reviewer: George Joseph <gjoseph@digium.com> </div>
<div style="display:none"> Gerrit-Reviewer: Joshua Colp <jcolp@sangoma.com> </div>
<div style="display:none"> Gerrit-MessageType: merged </div>