PJSUA delete account crash

BC
Bogdan Chifor
Thu, Mar 7, 2019 9:26 PM

Hello,

I encountered a PJSUA crash when deleting an account. The scenario is the
following:

  1. Call pjsua_acc_del which in turn calls: pjsua_acc_set_registration(acc_id,
    PJ_FALSE) and then pjsua_pres_delete_acc(acc_id, 0)

  2. pjsua_acc_set_registration calls
    pjsua_pres_unpublish(&pjsua_var.acc[acc_id],
    0);

  3. pjsua_pres_delete_acc calls pjsua_pres_unpublish(acc, flags);

  4. Thread at Step 3 is preempted. Meanwhile the PUBLISH response (200 OK)
    arrives, for the message sent at step 2. This executes publish_cb
    (pjsua_pres.c), which destroys the account publish session and sets it to
    NULL. This is executed on another thread than Steps 1,2,3.

    if (param->expiration < 1) {
        /* Could happen if server "forgot" to include Expires header
         * in the response. We will not renew, so destroy the pubc.
         */
        pjsip_publishc_destroy(param->pubc);
        acc->publish_sess = NULL;
    }

  5. Step 3 is resumed, but now acc->publish_sess is NULL, after it
    previously passed a check against NULL pointer. The code eventually crashes
    in pjsip_publishc_set_via_sent_by because acc->publish_sess is NULL.

Thank you,

Bogdan.
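The interleaving described above, as an added example that is neither part of this thread nor PJSIP's own code: a constructed model of the check-then-use window in pjsua_pres_unpublish and of the publish_cb path that clears acc->publish_sess, with the racy sequence beside one hardened form that serializes both paths on a per-account lock and re-checks under it. The lock-based fix, the stand-in types and the simulated preemption hook are assumptions for illustration, not necessarily what ticket #2182 changed.

```c
#include <pthread.h>
#include <stddef.h>

/* Constructed stand-ins for the PJSIP objects; not PJSIP's own code. */
typedef struct { int destroyed; } pubc_t;
typedef struct {
    pubc_t *publish_sess;
    pthread_mutex_t lock;           /* only the hardened path uses it */
} acc_t;

/* Stand-in for pjsip_publishc_set_via_sent_by: returns -1 where the real
 * function would dereference a NULL session and crash. */
static int set_via_sent_by(pubc_t *p) { return p ? 0 : -1; }
static void pubc_destroy(pubc_t *p) { p->destroyed = 1; }

/* Models publish_cb on a 200 OK with expiration < 1: destroy and clear. */
static void publish_cb_racy(acc_t *acc)
{
    pubc_destroy(acc->publish_sess);
    acc->publish_sess = NULL;
}

/* Models the reported pjsua_pres_unpublish: NULL check, preemption window,
 * then use. 'preempt' stands for the other thread running in that window. */
static int unpublish_racy(acc_t *acc, void (*preempt)(acc_t *))
{
    if (acc->publish_sess == NULL)
        return 0;                                /* check passes here */
    preempt(acc);                                /* 200 OK handled now */
    return set_via_sent_by(acc->publish_sess);   /* pointer is NULL: crash */
}

/* Hardened: both paths take the account lock and re-check under it. */
static void *publish_cb_safe(void *arg)
{
    acc_t *acc = arg;
    pthread_mutex_lock(&acc->lock);
    if (acc->publish_sess) { pubc_destroy(acc->publish_sess); acc->publish_sess = NULL; }
    pthread_mutex_unlock(&acc->lock);
    return NULL;
}

static int unpublish_safe(acc_t *acc)
{
    pthread_t cb; int rc = 0;
    pthread_mutex_lock(&acc->lock);
    if (acc->publish_sess) {
        pthread_create(&cb, NULL, publish_cb_safe, acc); /* 200 OK arrives; blocks on lock */
        rc = set_via_sent_by(acc->publish_sess);         /* still valid under the lock */
        pubc_destroy(acc->publish_sess);
        acc->publish_sess = NULL;
        pthread_mutex_unlock(&acc->lock);
        pthread_join(cb, NULL);                          /* callback now finds NULL, skips */
        return rc;
    }
    pthread_mutex_unlock(&acc->lock);
    return rc;
}
```

Whichever side wins the lock destroys the session exactly once; the loser sees NULL under the same lock and does nothing, which is the property the unlocked check-then-use cannot give.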

M
Ming
Fri, Mar 8, 2019 9:30 AM

Hi Bogdan,

We fixed the issue in ticket #2182 (https://trac.pjsip.org/repos/ticket/2182).
Thanks for the report.

Regards,
Ming

On Fri, Mar 8, 2019 at 5:27 AM Bogdan Chifor chiforbogdan86@gmail.com
wrote:

Hello,

I encountered a PJSUA crash when deleting an account. The scenario is the
following:

  1. Call pjsua_acc_del which in turn calls: pjsua_acc_set_registration(acc_id,
    PJ_FALSE) and then pjsua_pres_delete_acc(acc_id, 0)

  2. pjsua_acc_set_registration calls pjsua_pres_unpublish(&pjsua_var.acc[acc_id],
    0);

  3. pjsua_pres_delete_acc calls pjsua_pres_unpublish(acc, flags);

  4. Thread at Step 3 is preempted. Meanwhile the PUBLISH response (200 OK)
    arrives, for the message sent at step 2. This executes publish_cb
    (pjsua_pres.c), which destroys the account publish session and sets it to
    NULL. This is executed on another thread than Steps 1,2,3.

    if (param->expiration < 1) {
        /* Could happen if server "forgot" to include Expires header
         * in the response. We will not renew, so destroy the pubc.
         */
        pjsip_publishc_destroy(param->pubc);
        acc->publish_sess = NULL;
    }

  5. Step 3 is resumed, but now acc->publish_sess is NULL, after it
    previously passed a check against NULL pointer. The code eventually crashes
    in pjsip_publishc_set_via_sent_by because acc->publish_sess is NULL.

Thank you,

Bogdan.


Visit our blog: http://blog.pjsip.org

pjsip mailing list
pjsip@lists.pjsip.org
http://lists.pjsip.org/mailman/listinfo/pjsip_lists.pjsip.org
