Summary: ASTERISK-21211: chan_iax2 - unprotected access of iaxs[peer->callno] potentially results in segfault
Reporter: Jaco Kroon (jkroon)
Labels:
Date Opened: 2013-03-06 11:52:46.000-0600
Date Closed: 2015-04-08 07:00:36
Priority: Critical
Regression?:
Status: Closed/Complete
Components: Channels/chan_iax2
Versions: 11.2.1
Frequency of Occurrence:
Related Issues:
Environment:
Attachments: (0) asterisk-11.2.1-iax2_poke-segfault.diff
Description:

In chan_iax2.c, specifically in function iax2_poke_peer, a completely unprotected access to iaxs[peer->callno] is made. Specifically, I had a segfault trigger on line 12230, an access to iaxs[peer->callno] - the second in a sequence, so peer->callno can definitely change between the two.

It is my understanding that:

1. peer->callno can change outside of the function, thus it's probably unsafe to use the raw value as per lines 12223, 12229 and 12230. I believe this should be callno, and not peer->callno. Please correct me if I'm wrong. This can either happen by us calling iax2_destroy, or simply another thread also scheduling a POKE on the same peer.

2. All reads and writes to iaxs[X] should be protected by a lock of iaxsl[X]. Lines 12229 and 12230 violate this currently.

I suspect my crash resulted from a sequence where a POKE was in the process of being scheduled, another thread then called iax2_poke_peer for the same peer, called iax2_destroy on the iaxs[] busy being set up, and *boom* major catastrophe.
Comments:

By: Jaco Kroon (jkroon) 2013-03-06 12:04:46.923-0600
Suggested patch.

By: Y Ateya (yateya) 2015-04-05 09:05:35.428-0500
@Jaco Kroon: Were you able to reproduce this problem? The patch seems reasonable. Could you please create a review board with this patch?

By: Jaco Kroon (jkroon) 2015-04-07 06:11:05.425-0500
Haven't been running asterisk without this patch since I submitted it. Wouldn't know, but I would expect a deadlock or some other badness if this patch became superfluous. https://reviewboard.asterisk.org/r/4599/

By: Matt Jordan (mjordan) 2015-04-08 07:00:24.359-0500
Merged in 11/13/trunk. Thanks for the patch/bug fix!
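The interleaving the report describes, reduced to a constructed C model (an added example, not Asterisk code or the attached patch): the slot table `iaxs[]`, the lock counters `iaxsl[]`, the `peer`/`call` structs and the `competing_destroy` hook are all stand-ins, and the unsafe path returns -1 where the original would dereference a NULL slot.

```c
#include <stddef.h>

#define MAX_CALLS 8

/* Constructed stand-ins for the per-call slot table and its per-slot locks. */
struct call { int pokes; };
struct peer { int callno; };

static struct call pool[MAX_CALLS];
static struct call *iaxs[MAX_CALLS];
static int iaxsl[MAX_CALLS];          /* nonzero while the slot lock is held */

/* Simulated competing thread: destroys the peer's current call slot and resets
 * peer->callno, the interleaving described in the report. It honours the slot
 * lock, so it only succeeds while the slot is unlocked. Returns 1 if it ran. */
static int competing_destroy(struct peer *p) {
    int cn = p->callno;
    if (iaxsl[cn]) return 0;          /* slot locked: destroy has to wait */
    iaxs[cn] = NULL;
    p->callno = 0;                    /* slot 0 is never allocated in this model */
    return 1;
}

/* Buggy pattern: peer->callno re-read, unlocked, between two accesses.
 * Returns -1 at the point where the real code would dereference NULL. */
static int poke_unsafe(struct peer *p) {
    if (!iaxs[p->callno]) return -2;  /* first read: slot present */
    competing_destroy(p);             /* race window: nothing prevents this */
    if (!iaxs[p->callno]) return -1;  /* second read: different index, empty slot */
    iaxs[p->callno]->pokes++;
    return 0;
}

/* Fixed pattern: snapshot callno once, take iaxsl[callno], and use only the
 * snapshot for every iaxs[] access until the lock is released. */
static int poke_safe(struct peer *p) {
    int callno = p->callno;
    iaxsl[callno]++;
    if (!iaxs[callno]) { iaxsl[callno]--; return -2; }
    competing_destroy(p);             /* blocked by the held slot lock */
    iaxs[callno]->pokes++;            /* snapshot index is still valid */
    iaxsl[callno]--;
    return 0;
}

/* Place one peer on slot cn with a fresh call, for a test run. */
static struct peer setup(int cn) {
    struct peer p = { cn };
    pool[cn].pokes = 0;
    iaxs[cn] = &pool[cn];
    return p;
}
```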