-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviewboard.asterisk.org/r/4599/#review15086
-----------------------------------------------------------

Ship it!

Ship It!

- Matt Jordan


On April 7, 2015, 8:28 a.m., Jaco Kroon wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviewboard.asterisk.org/r/4599/
> -----------------------------------------------------------
>
> (Updated April 7, 2015, 8:28 a.m.)
>
>
> Review request for Asterisk Developers.
>
>
> Bugs: ASTERISK-21211
>     https://issues.asterisk.org/jira/browse/ASTERISK-21211
>
>
> Repository: Asterisk
>
>
> Description
> -------
>
> chan_iax2.c, specifically in function iax2_poke_peer, a completely
> unprotected access to iaxs[peer->callno] is made. Specifically I had a
> segfault trigger on line 12230, an access to iaxs[peer->callno] - the second
> in a sequence, so peer->callno can definitely change between the two.
>
> It is my understanding that:
>
> 1. peer->callno can change outside of the function, thus it's probably
> unsafe to use the raw value as per lines 12223, 12229 and 12230. I believe
> this should be callno, and not peer->callno. Please correct me if I'm wrong.
> This can either happen by us calling iax2_destroy, or simply another thread
> also scheduling a POKE on the same peer.
>
> 2. All reads and writes to iaxs[X] should be protected by a lock of iaxsl[X].
> Lines 12229 and 12230 violate this currently.
>
> I suspect my crash resulted from a sequence where a POKE was in process of
> being scheduled, another thread then called iax2_poke_peer for the same peer,
> called iax2_destroy on the iaxs[] busy being set up, and boom, major
> catastrophe.
>
>
> Diffs
> -----
>
> http://svn.asterisk.org/svn/asterisk/trunk/channels/chan_iax2.c 434210
>
> Diff: https://reviewboard.asterisk.org/r/4599/diff/
>
>
> Testing
> -------
>
> Been running since 11.2.1 with this patch, specifically 6/3/2013 (more than
> two years) in multiple production environments. Many fewer segfaults.
>
>
> Thanks,
>
> Jaco Kroon
>
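The two points in the quoted description (a shared index re-read between two accesses, and slot accesses made without the per-slot lock) are easier to see in a reduced model than in chan_iax2.c itself. The following is an added example, not code from Asterisk, from the patch under review, or from either poster. It keeps only the names iaxs, iaxsl and callno from the description; the call_pvt/peer structs, the poke_*/call_* functions, the `between` hook and the demo_* scenarios are stand-ins invented here so that the interleaving another thread would produce can be forced deterministically.

```c
/* Added example: a reduced model of the race described in the review
 * request.  Not Asterisk code; only iaxs, iaxsl and callno are the
 * description's names, everything else is a stand-in. */
#include <pthread.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_CALLS 4

struct call_pvt { int pokes; };          /* stand-in for a call's private data */
struct peer     { int callno; };         /* stand-in: only the field that races */

static struct call_pvt *iaxs[MAX_CALLS]; /* call slots; NULL when unused */
static pthread_mutex_t  iaxsl[MAX_CALLS] = {
    PTHREAD_MUTEX_INITIALIZER, PTHREAD_MUTEX_INITIALIZER,
    PTHREAD_MUTEX_INITIALIZER, PTHREAD_MUTEX_INITIALIZER };

/* Empty every slot so each scenario starts from a known state. */
void model_init(void)
{
    for (int i = 0; i < MAX_CALLS; i++) { free(iaxs[i]); iaxs[i] = NULL; }
}

/* Allocate slot `callno`; the slot pointer is written under iaxsl[callno]. */
void call_create(int callno)
{
    pthread_mutex_lock(&iaxsl[callno]);
    iaxs[callno] = calloc(1, sizeof(*iaxs[callno]));
    pthread_mutex_unlock(&iaxsl[callno]);
}

/* Free slot `callno`, as a destroy running on another thread would. */
void call_destroy(int callno)
{
    pthread_mutex_lock(&iaxsl[callno]);
    free(iaxs[callno]);
    iaxs[callno] = NULL;
    pthread_mutex_unlock(&iaxsl[callno]);
}

/* The pattern the description objects to: peer->callno is read afresh for
 * each access and no lock is taken.  `between` stands in for whatever
 * another thread gets to do between the two reads.  Returns 0 if a poke
 * was counted, -1 if the first read saw an empty slot. */
int poke_unsafe(struct peer *p, void (*between)(struct peer *))
{
    if (!iaxs[p->callno])
        return -1;
    if (between)
        between(p);                 /* other thread runs here */
    iaxs[p->callno]->pokes++;       /* second read of callno: may differ */
    return 0;
}

/* The pattern the description asks for: read callno once, take
 * iaxsl[callno], and re-check iaxs[callno] under that lock before using it.
 * A concurrent change of peer->callno can no longer redirect the second
 * access, and a concurrent destroy shows up as NULL, not a dangling pointer.
 * (`between` must not lock iaxsl[callno] itself: the mutex is not recursive.) */
int poke_safe(struct peer *p, void (*between)(struct peer *))
{
    int callno = p->callno;         /* one read, used for every access */
    pthread_mutex_lock(&iaxsl[callno]);
    if (!iaxs[callno]) {
        pthread_mutex_unlock(&iaxsl[callno]);
        return -1;
    }
    if (between)
        between(p);                 /* may rewrite p->callno: harmless now */
    iaxs[callno]->pokes++;
    pthread_mutex_unlock(&iaxsl[callno]);
    return 0;
}

/* Pokes counted on slot `callno`, or -1 if the slot is empty. */
int pokes_on(int callno)
{
    pthread_mutex_lock(&iaxsl[callno]);
    int n = iaxs[callno] ? iaxs[callno]->pokes : -1;
    pthread_mutex_unlock(&iaxsl[callno]);
    return n;
}

/* Interleaving used below: the "other thread" moves the peer to slot 1. */
void move_peer_to_slot1(struct peer *p) { p->callno = 1; }

/* Scenario 1: slot 0 is checked, the peer is moved, and the unsafe poke
 * lands on slot 1.  Returns 1 if that misdirection happened. */
int demo_unsafe_misdirects(void)
{
    model_init(); call_create(0); call_create(1);
    struct peer p = { 0 };
    return poke_unsafe(&p, move_peer_to_slot1) == 0
        && pokes_on(0) == 0 && pokes_on(1) == 1;
}

/* Scenario 2: same interleaving against the locked version.  Returns 1 if
 * the poke landed on the slot that was checked. */
int demo_safe_stays_put(void)
{
    model_init(); call_create(0); call_create(1);
    struct peer p = { 0 };
    return poke_safe(&p, move_peer_to_slot1) == 0
        && pokes_on(0) == 1 && pokes_on(1) == 0;
}

/* Scenario 3: the slot was destroyed first.  Returns 1 if the locked
 * version reports it instead of touching freed memory. */
int demo_safe_sees_destroy(void)
{
    model_init(); call_create(0); call_destroy(0);
    struct peer p = { 0 };
    return poke_safe(&p, NULL) == -1;
}

int main(void)
{
    printf("unsafe misdirects: %d\nsafe stays put: %d\nsafe sees destroy: %d\n",
           demo_unsafe_misdirects(), demo_safe_stays_put(), demo_safe_sees_destroy());
    return 0;
}
```

The `between` hook replaces a real scheduler so the interleaving is reproducible; in production the window is the same, it is just hit at random, which is why the description's symptom is occasional segfaults rather than a consistent failure. The safe variant also shows why the NULL check has to be repeated under the lock: the snapshot of callno alone stops the redirection, but only the lock plus re-check keeps a concurrent destroy from freeing the slot between check and use.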
--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

asterisk-dev mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-dev