[asterisk-dev] Race condition in app_meetme generates a SIGSEGV
BJ Weschke
bweschke at gmail.com
Wed May 31 03:42:29 MST 2006
On 5/31/06, Constantine Filin <cfilin at intermedia.net> wrote:
> Greetings
>
> A race condition in function "conf_run" happens when a caller is joining
> a conference just before the last conference use it leaving it.
>
> Here's the details:
>
> Say, the last caller "A" is leaving the conference while another caller
> "B"
> is joining it.
>
> A's thread is between line 1565 in app_meetme.c and line 1617,
> "conflock" mutex is locked. B's thread is waiting for "conflock" mutex
> on line 865 of app_meetme.c.
>
> A's thread is seeing that it is the last user and on line 1582 it calls
> "conf_free" releasing the conference. Then A's thread proceeds to line
> 1617 to release "conflock".
>
> Once "conflock"" is released, B's thread grabs it on line 865 and
> accesses "conf" structure that has just been released by A's thread.
>
> Yesterday this race condition crashed my PBX. :(
>
> I think the right solution is to keep conference reference counting at
> the place where "conf_run" is called.
>
> Who is the main caretaker of app_meetme.c? I would like to work with
> this person to develop a fix.
>
This patch went in yesterday to /trunk of app_meetme.c.
--- trunk/apps/app_meetme.c (original)
+++ trunk/apps/app_meetme.c Tue May 30 12:33:37 2006
@@ -1730,12 +1730,12 @@
ast_update_realtime("meetme", "confno", conf->confno,
"members", members, NULL);
if (confflags & CONFFLAG_MARKEDUSER)
conf->markedusers--;
+ /* Remove ourselves from the list */
+ AST_LIST_REMOVE(&conf->userlist, user, list);
if (AST_LIST_EMPTY(&conf->userlist)) {
/* close this one when no more users and no references*/
if (!conf->refcount)
conf_free(conf);
- } else {
- AST_LIST_REMOVE(&conf->userlist, user, list);
}
/* Return the number of seconds the user was in the conf */
snprintf(meetmesecs, sizeof(meetmesecs), "%d", (int)
(time(NULL) - user->jointime));
Does this correct your issue? If not, let's post a bug to
bugs.digium.com to get it fixed. Thanks.
--
Bird's The Word Technologies, Inc.
http://www.btwtech.com/
More information about the asterisk-dev
mailing list