Summary: ASTERISK-24970: Crash in res_pjsip_pubsub handling of failed notify
Reporter: Scott Griepentrog (sgriepentrog)
Date Opened: 2015-04-16 12:55:27
Date Closed: 2015-04-17 14:40:57
Priority: Major
Status: Closed/Complete
Components: Resources/res_pjsip_pubsub
Versions: 13.3.2
Description:

During startup of Asterisk under the right conditions (various pjsip subscriptions in flight), a crash can occur where a deleted subscription tree is referenced.

Valgrind output (first invalid read):

{noformat}
==21514== Thread 29:
==21514== Invalid read of size 8
==21514==    at 0x136D8883: send_notify (res_pjsip_pubsub.c:2059)
==21514==    by 0x136D9245: pubsub_on_rx_subscribe_request (res_pjsip_pubsub.c:2605)
==21514==    by 0x136D993F: pubsub_on_rx_request (res_pjsip_pubsub.c:3090)
==21514==    by 0x127F85A6: pjsip_endpt_process_rx_data (in /usr/lib/libpjsip.so.2)
==21514==    by 0x16065238: distribute (pjsip_distributor.c:348)
==21514==    by 0x5E9CF2: ast_taskprocessor_execute (taskprocessor.c:769)
==21514==    by 0x5F4111: threadpool_execute (threadpool.c:351)
==21514==    by 0x5F562F: worker_active (threadpool.c:1075)
==21514==    by 0x5F53EC: worker_start (threadpool.c:995)
==21514==    by 0x6015BD: dummy_start (utils.c:1237)
==21514==    by 0x6725181: start_thread (pthread_create.c:312)
==21514==    by 0x74A247C: clone (clone.S:111)
==21514==  Address 0x931de08 is 120 bytes inside a block of size 176 free'd
==21514==    at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21514==    by 0x45DA3D: internal_ao2_ref (astobj2.c:461)
==21514==    by 0x45DCCC: __ao2_ref (astobj2.c:516)
==21514==    by 0x45DD3C: __ao2_cleanup (astobj2.c:529)
==21514==    by 0x136D365A: pubsub_on_evsub_state (res_pjsip_pubsub.c:3111)
==21514==    by 0x123A7727: set_state (in /usr/lib/libpjsip-simple.so.2)
==21514==    by 0x123A880F: pjsip_evsub_terminate (in /usr/lib/libpjsip-simple.so.2)
==21514==    by 0x136D94ED: pubsub_on_rx_subscribe_request (res_pjsip_pubsub.c:2603)
==21514==    by 0x136D993F: pubsub_on_rx_request (res_pjsip_pubsub.c:3090)
==21514==    by 0x127F85A6: pjsip_endpt_process_rx_data (in /usr/lib/libpjsip.so.2)
==21514==    by 0x16065238: distribute (pjsip_distributor.c:348)
==21514==    by 0x5E9CF2: ast_taskprocessor_execute (taskprocessor.c:769)
{noformat}

The invalid read in send_notify() is of sub_tree->evsub, where sub_tree is passed in from pubsub_on_rx_subscribe_request() and was recently created via create_subscription_tree(). However, before that invalid reference, sub_tree had already been freed indirectly: when generate_initial_notify() fails, the call to pjsip_evsub_terminate() fires the state callback (pubsub_on_evsub_state), which drops the reference and destroys the tree, so the subsequent send_notify() reads freed memory.
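The reference lifecycle in the report, as a constructed toy added here (not Asterisk's or pjsip's code). It models an ao2-style refcounted tree whose terminate callback drops the subscription's reference, and shows the defensive ordering that keeps the object alive while the request handler still touches it: the handler takes its own reference for the duration of the call and returns right after terminating on a failed initial NOTIFY instead of falling through to send_notify(). All names (tree_alloc, evsub_terminate, handle_subscribe, the `destroyed` counter and the `notify_fails` knob) are assumptions of the toy, not identifiers from the project.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of a refcounted subscription tree; not Asterisk's struct. */
struct sub_tree {
    int refcount;
    int evsub_active;   /* stands in for the sub_tree->evsub pointer */
    int *destroyed;     /* hypothetical counter: how often the destructor ran */
};

/* Returns a tree with one reference, the one owned by the subscription. */
static struct sub_tree *tree_alloc(int *destroyed)
{
    struct sub_tree *t = calloc(1, sizeof(*t));
    if (!t)
        return NULL;
    t->refcount = 1;
    t->evsub_active = 1;
    t->destroyed = destroyed;
    return t;
}

static void tree_ref(struct sub_tree *t) { t->refcount++; }

/* Returns 1 when this release ran the destructor (refcount reached zero). */
static int tree_unref(struct sub_tree *t)
{
    if (--t->refcount > 0)
        return 0;
    (*t->destroyed)++;
    free(t);
    return 1;
}

/* Models pjsip_evsub_terminate() driving the state callback, where the
 * callback (pubsub_on_evsub_state in the report) drops the subscription's
 * reference. After this call the caller must not rely on its argument
 * unless it holds a reference of its own. */
static void evsub_terminate(struct sub_tree *t)
{
    t->evsub_active = 0;
    tree_unref(t);
}

/* Hypothetical stand-in for generate_initial_notify(); 'fail' is a test knob. */
static int generate_initial_notify(int fail) { return fail ? -1 : 0; }

/* Models send_notify(): reads through the evsub field. 1 = NOTIFY would go out. */
static int send_notify(struct sub_tree *t) { return t->evsub_active ? 1 : 0; }

/* Hardened request handler. The sequence in the report was: create the tree,
 * initial NOTIFY fails, terminate (the callback frees the tree), then
 * send_notify() reads the freed tree. Here the handler owns a reference while
 * it works, and the failure branch returns before send_notify() is reached.
 * Returns the live tree (still holding the subscription's reference) on
 * success, NULL when the subscription was terminated; *sent reports whether
 * a NOTIFY went out. */
static struct sub_tree *handle_subscribe(int notify_fails, int *destroyed, int *sent)
{
    struct sub_tree *t = tree_alloc(destroyed);
    *sent = 0;
    if (!t)
        return NULL;

    tree_ref(t);                     /* handler's reference for this call */
    if (generate_initial_notify(notify_fails) != 0) {
        evsub_terminate(t);          /* drops the subscription's reference */
        tree_unref(t);               /* drops ours: destructor runs here, once */
        return NULL;                 /* do not fall through to send_notify() */
    }
    *sent = send_notify(t);          /* safe: our reference keeps t alive */
    tree_unref(t);                   /* subscription keeps its own reference */
    return t;
}

int main(void)
{
    int destroyed = 0, sent = 0;
    struct sub_tree *t = handle_subscribe(1, &destroyed, &sent);
    printf("failed notify: tree=%p destroyed=%d sent=%d\n", (void *)t, destroyed, sent);

    destroyed = 0;
    t = handle_subscribe(0, &destroyed, &sent);
    printf("ok notify: refcount=%d destroyed=%d sent=%d\n", t->refcount, destroyed, sent);
    tree_unref(t);                   /* subscription teardown */
    printf("after teardown: destroyed=%d\n", destroyed);
    return 0;
}
```

The point of the extra reference is that whoever invoked the terminate call cannot know what the state callback released; holding a reference across any call that may run callbacks, and checking the failure path before touching the object again, removes the window Valgrind reported here.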
Comments: