
Summary: ASTERISK-28743: Asterisk is crashing if the 200 OK with SDP
Reporter: sungtae kim (pchero)
Labels: security
Date Opened: 2020-02-14 02:42:29.000-0600
Date Closed: 2020-03-25 07:31:47
Priority: Major
Regression?:
Status: Closed/Complete
Components: Resources/res_pjsip
Versions: 16.8.0 17.2.0
Frequency of Occurrence:
Related Issues:
Environment:
Attachments:
Description: When Asterisk receives a 200 OK with SDP, the pjsip module fires a couple of callback functions.

But in some conditions this creates a race condition, eventually causing the crash.

For example,

* If the outgoing call is connected to an existing Bridge, Asterisk sends a Re-Invite after receiving the 200 OK.
* But if the received SDP was not acceptable, Asterisk proceeds with a hangup procedure.
* These two actions, sending the re-INVITE and doing the hangup, create a race condition in ast_sip_session_refresh().

{noformat}
(gdb) where
#0  0x00007f8f187f10c2 in pj_strdup (pool=0x7f8f04068e80, dst=0x7f8edc219398, src=0x0) at ../include/pj/string_i.h:40
#1  0x00007f8f1879ae84 in pjmedia_sdp_neg_modify_local_offer2 (pool=0x7f8f04068e80, neg=0x7f8f04571270, flags=1, local=0x7f8edc0a8af8) at ../src/pjmedia/sdp_neg.c:336
#2  0x00007f8f187178b0 in pjsip_inv_reinvite (inv=0x7f8f04110638, new_contact=0x0, new_offer=0x7f8edc0a8af8, p_tdata=0x7f8eaba18ba0) at ../src/pjsip-ua/sip_inv.c:3004
#3  0x00007f8ec6fcbdb1 in ast_sip_session_refresh (session=0x7f8f04097cd0, on_request_creation=0x0, on_sdp_creation=0x0, on_response=0x7f8eafdc6786 <on_topology_change_response>,
   method=AST_SIP_SESSION_REFRESH_METHOD_INVITE, generate_new_sdp=1, media_state=0x7f8ee801aef0) at res_pjsip_session.c:1768
#4  0x00007f8ec6fca580 in send_delayed_request (session=0x7f8f04097cd0, delay=0x7f8f04ee6020) at res_pjsip_session.c:1256
#5  0x00007f8ec6fca8e2 in invite_terminated (vsession=0x7f8f04097cd0) at res_pjsip_session.c:1355
#6  0x0000557ce3889d5a in ast_taskprocessor_execute (tps=0x7f8f042299a0) at taskprocessor.c:1237
#7  0x0000557ce3893954 in execute_tasks (data=0x7f8f042299a0) at threadpool.c:1354
#8  0x0000557ce3889d5a in ast_taskprocessor_execute (tps=0x557ce6683d30) at taskprocessor.c:1237
#9  0x0000557ce3891507 in threadpool_execute (pool=0x557ce6683a70) at threadpool.c:367
#10 0x0000557ce3893186 in worker_active (worker=0x7f8efc0014a0) at threadpool.c:1137
#11 0x0000557ce3892ef6 in worker_start (arg=0x7f8efc0014a0) at threadpool.c:1056
#12 0x0000557ce389c896 in dummy_start (data=0x7f8efc001f90) at utils.c:1249
#13 0x00007f8f16e834a4 in start_thread (arg=0x7f8eaba19700) at pthread_create.c:456
#14 0x00007f8f15744d0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97


(gdb) frame 2
#2  0x00007f8f187178b0 in pjsip_inv_reinvite (inv=0x7f8f04110638, new_contact=0x0, new_offer=0x7f8edc0a8af8, p_tdata=0x7f8eaba18ba0) at ../src/pjsip-ua/sip_inv.c:3004
3004            status = pjmedia_sdp_neg_modify_local_offer2(


(gdb) list 2980
2975
2976        } else switch (pjmedia_sdp_neg_get_state(inv->neg)) {
2977
2978            case PJMEDIA_SDP_NEG_STATE_NULL:
2979            pj_assert(!"Unexpected SDP neg state NULL");
2980            status = PJ_EBUG;
2981            goto on_return;
2982
2983            case PJMEDIA_SDP_NEG_STATE_LOCAL_OFFER:
2984            PJ_LOG(4,(inv->obj_name,
2985                  "pjsip_inv_reinvite: already have an offer, new "
2986                  "offer is ignored"));
2987            break;
2988
2989            case PJMEDIA_SDP_NEG_STATE_REMOTE_OFFER:
2990            status = pjmedia_sdp_neg_set_local_answer(inv->pool_prov,
2991                                  inv->neg,
2992                                  new_offer);
2993            if (status != PJ_SUCCESS)
2994                goto on_return;
2995            break;
2996
2997            case PJMEDIA_SDP_NEG_STATE_WAIT_NEGO:
2998            PJ_LOG(4,(inv->obj_name,
2999                  "pjsip_inv_reinvite: SDP in WAIT_NEGO state, new "
3000                  "offer is ignored"));
3001            break;
3002
3003            case PJMEDIA_SDP_NEG_STATE_DONE:
3004            status = pjmedia_sdp_neg_modify_local_offer2(
3005                                 inv->pool_prov, inv->neg,
3006                                 inv->sdp_neg_flags, new_offer);
3007            if (status != PJ_SUCCESS)
3008                goto on_return;
3009            break;
3010        }
3011        }


(gdb) p inv->neg->state
$30 = PJMEDIA_SDP_NEG_STATE_LOCAL_OFFER
{noformat}
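The race described in the report, modelled as an added C example (this is neither Asterisk nor pjproject code, and it is not the merged fix): a toy session whose refresh path re-checks the terminated flag and the negotiator state immediately before building a new offer, so a refresh that runs after hangup, or while an earlier offer is still pending, is rejected instead of reaching code that assumes the DONE state. All names here (session_t, session_refresh, the NEG_STATE_* and REFRESH_* values) are hypothetical, and the SDP strings are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Toy model (not pjproject code) of the negotiator states that the
 * pjsip_inv_reinvite() excerpt in the report switches on. */
typedef enum {
    NEG_STATE_NULL,
    NEG_STATE_LOCAL_OFFER,
    NEG_STATE_REMOTE_OFFER,
    NEG_STATE_WAIT_NEGO,
    NEG_STATE_DONE
} neg_state_t;

typedef enum {
    REFRESH_OK = 0,
    REFRESH_ETERMINATED,  /* hangup already started, refresh dropped */
    REFRESH_EBUSY,        /* an offer/answer exchange is still in flight */
    REFRESH_EINVAL        /* nothing to send or unexpected state */
} refresh_result_t;

typedef struct {
    neg_state_t neg_state;
    int terminated;          /* set by the hangup path */
    char local_sdp[64];      /* cleared by the hangup path */
    int reinvites_sent;
} session_t;

void session_init(session_t *s)
{
    memset(s, 0, sizeof(*s));
    s->neg_state = NEG_STATE_DONE;
    strcpy(s->local_sdp, "v=0 (constructed sample SDP)");
}

/* Hangup path: mark the session terminated and drop its SDP. In a real
 * stack this and session_refresh() must run under the same session lock. */
void session_hangup(session_t *s)
{
    s->terminated = 1;
    s->local_sdp[0] = '\0';
}

/* The answer to a pending local offer arrived: negotiation is complete. */
void session_answer_received(session_t *s)
{
    if (s->neg_state == NEG_STATE_LOCAL_OFFER)
        s->neg_state = NEG_STATE_DONE;
}

/* Refresh path: every precondition is re-checked right before acting. */
refresh_result_t session_refresh(session_t *s, const char *new_offer)
{
    if (s->terminated || s->local_sdp[0] == '\0')
        return REFRESH_ETERMINATED;
    if (new_offer == NULL)
        return REFRESH_EINVAL;

    switch (s->neg_state) {
    case NEG_STATE_DONE:
        /* Only here is it valid to build a new local offer. */
        snprintf(s->local_sdp, sizeof(s->local_sdp), "%s", new_offer);
        s->neg_state = NEG_STATE_LOCAL_OFFER;
        s->reinvites_sent++;
        return REFRESH_OK;
    case NEG_STATE_LOCAL_OFFER:
    case NEG_STATE_REMOTE_OFFER:
    case NEG_STATE_WAIT_NEGO:
        return REFRESH_EBUSY;   /* defer; do not touch the negotiator */
    case NEG_STATE_NULL:
    default:
        return REFRESH_EINVAL;
    }
}

/* Ordering from the report: re-INVITE was queued, but the SDP was rejected
 * so the hangup ran first. The delayed refresh must be dropped. */
refresh_result_t scenario_hangup_before_delayed_refresh(void)
{
    session_t s;
    session_init(&s);
    session_hangup(&s);
    return session_refresh(&s, "v=0 (constructed new offer)");
}

/* Two refreshes back to back: the second waits until the answer arrives. */
int scenario_second_refresh_is_deferred(void)
{
    session_t s;
    session_init(&s);
    if (session_refresh(&s, "offer-1") != REFRESH_OK) return 0;
    if (session_refresh(&s, "offer-2") != REFRESH_EBUSY) return 0;
    session_answer_received(&s);
    if (session_refresh(&s, "offer-2") != REFRESH_OK) return 0;
    return s.reinvites_sent == 2;
}

int main(void)
{
    printf("hangup before refresh -> %d (expect %d)\n",
           scenario_hangup_before_delayed_refresh(), REFRESH_ETERMINATED);
    printf("second refresh deferred -> %d (expect 1)\n",
           scenario_second_refresh_is_deferred());
    return 0;
}
```

The important property is that the state test and the action that depends on it happen in one critical section: in the backtrace above the DONE branch was entered, yet gdb later shows the negotiator in LOCAL_OFFER, which is what a check-then-act window between the hangup and refresh paths looks like.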
Comments:

By: Asterisk Team (asteriskteam) 2020-02-14 02:42:52.560-0600

Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution.

A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report.

Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

Please note that once your issue enters an open state it has been accepted. As Asterisk is an open source project there is no guarantee or timeframe on when your issue will be looked into. If you need expedient resolution you will need to find and pay a suitable developer. Asking for an update on your issue will not yield any progress on it and will not result in a response. All updates are posted to the issue when they occur.

By: Friendly Automation (friendly-automation) 2020-03-25 07:31:48.765-0500

Change 13900 merged by Joshua Colp:
res_pjsip_session: Fixed wrong session termination

[https://gerrit.asterisk.org/c/asterisk/+/13900|https://gerrit.asterisk.org/c/asterisk/+/13900]

By: Friendly Automation (friendly-automation) 2020-03-25 07:34:40.577-0500

Change 13806 merged by Joshua Colp:
res_pjsip_session: Fixed wrong session termination

[https://gerrit.asterisk.org/c/asterisk/+/13806|https://gerrit.asterisk.org/c/asterisk/+/13806]

By: Friendly Automation (friendly-automation) 2020-03-25 07:56:19.531-0500

Change 13898 merged by Joshua Colp:
res_pjsip_session: Fixed wrong session termination

[https://gerrit.asterisk.org/c/asterisk/+/13898|https://gerrit.asterisk.org/c/asterisk/+/13898]

By: Friendly Automation (friendly-automation) 2020-03-25 07:56:29.719-0500

Change 13899 merged by Joshua Colp:
res_pjsip_session: Fixed wrong session termination

[https://gerrit.asterisk.org/c/asterisk/+/13899|https://gerrit.asterisk.org/c/asterisk/+/13899]