Hello

I'm able to reproduce a crash when combining Asterisk 13.10.0 with PJSIP 2.5.5. The crash seems to be related to Changeset 5373 as I'm not able to reproduce it when reversing this changeset.

Backtrace:

#0  0x00007f20d18b4ce8 in pjsip_auth_clt_deinit () from /usr/lib/libpjsip.so.2
#1  0x00007f20d18ba93e in destroy_dialog () from /usr/lib/libpjsip.so.2
#2  0x00007f20d18bb20f in pjsip_dlg_create_uac () from /usr/lib/libpjsip.so.2
#3  0x00007f20c2bd1fd6 in ast_sip_create_dialog_uac () from /usr/lib/asterisk/modules/res_pjsip.so
#4  0x00007f20be4bfc4b in ast_sip_session_create_outgoing () from /usr/lib/asterisk/modules/res_pjsip_session.so
#5  0x00007f20bbc5cecc in ?? () from /usr/lib/asterisk/modules/chan_pjsip.so
#6  0x00007f20c2bcfc80 in ?? () from /usr/lib/asterisk/modules/res_pjsip.so
#7  0x00000000005c90de in ast_taskprocessor_execute ()
#8  0x00000000005d00e0 in ?? ()
#9  0x00000000005c90de in ast_taskprocessor_execute ()
#10 0x00000000005d0998 in ?? ()
#11 0x00000000005d9faa in ?? ()
#12 0x00007f20e01ba715 in ?? () from /lib/ld-musl-x86_64.so.1
#13 0x0000000000000000 in ?? ()

Steps to reproduce:

• register two clients
• starting a call from device 1 to device 2
• taking device two offline and waiting until the registration times out
• starting a new call from device 1 to device 2

Best regards,

Pirmin

Re: [pjsip] Segfault with Asterisk 13.10.0 and PJSIP 2.5.5 related to Changeset 5373  Hello Nanang,

I think the patch https://trac.pjsip.org/repos/changeset/5401 introduced
a new memory leak in case of error in create_dialog.
The client auth session should be deinitialized.
Patch attached.

Regards,
Alexei

Thursday, July 28, 2016, 4:23:37 AM, you wrote:

Hi Pirmin,

Just fixed this in SVN trunk for ticket https://trac.pjsip.org/repos/ticket/1946.

Thank you for the report and the analysis.

BR,
nanang

On Mon, Jul 25, 2016 at 2:48 PM, Pirmin Walthert <pirmin.walthert@wwcom.ch> wrote:
Hi again

Just looked a bit depeer into the pjsip code and it seems like pjsip_dlg_create_uac in sip_dialog.c would in some cases call "goto on_error" before pjsip_auth_clt_init was called. As in this case dlg->auth_session is not initialized, pjsip_auth_clt_deinit(&dlg->auth_sess) should not be called in destroy_dialog (or pjsip_auth_clt_deinit should be changed in a way that it recognizes whether pjsip_auth_clt_init had been executed previously or not).

Best regards,

Pirmin

On 07/24/2016 02:20 PM, Pirmin Walthert wrote:
Hello

I'm able to reproduce a crash when combining Asterisk 13.10.0 with PJSIP 2.5.5. The crash seems to be related to Changeset 5373 as I'm not able to reproduce it when reversing this changeset.

Backtrace:

#0 0x00007f20d18b4ce8 in pjsip_auth_clt_deinit () from /usr/lib/libpjsip.so.2
#1 0x00007f20d18ba93e in destroy_dialog () from /usr/lib/libpjsip.so.2
#2 0x00007f20d18bb20f in pjsip_dlg_create_uac () from /usr/lib/libpjsip.so.2
#3 0x00007f20c2bd1fd6 in ast_sip_create_dialog_uac () from /usr/lib/asterisk/modules/res_pjsip.so
#4 0x00007f20be4bfc4b in ast_sip_session_create_outgoing () from /usr/lib/asterisk/modules/res_pjsip_session.so
#5 0x00007f20bbc5cecc in ?? () from /usr/lib/asterisk/modules/chan_pjsip.so
#6 0x00007f20c2bcfc80 in ?? () from /usr/lib/asterisk/modules/res_pjsip.so
#7 0x00000000005c90de in ast_taskprocessor_execute ()
#8 0x00000000005d00e0 in ?? ()
#9 0x00000000005c90de in ast_taskprocessor_execute ()
#10 0x00000000005d0998 in ?? ()
#11 0x00000000005d9faa in ?? ()
#12 0x00007f20e01ba715 in ?? () from /lib/ld-musl-x86_64.so.1
#13 0x0000000000000000 in ?? ()

Steps to reproduce:

• register two clients
• starting a call from device 1 to device 2
• taking device two offline and waiting until the registration times out
• starting a new call from device 1 to device 2

Best regards,

Pirmin

_______________________________________________
Visit our blog: http://blog.pjsip.org

pjsip mailing list
pjsip@lists.pjsip.org
http://lists.pjsip.org/mailman/listinfo/pjsip_lists.pjsip.org

_______________________________________________
Visit our blog: http://blog.pjsip.org

pjsip mailing list
pjsip@lists.pjsip.org
http://lists.pjsip.org/mailman/listinfo/pjsip_lists.pjsip.org

--
Best regards,
Alexei mailto:alex2grad@gmail.com

Re: [pjsip] Segfault with Asterisk 13.10.0 and PJSIP 2.5.5 related to Changeset 5373  Hello Ming,

You are right,
I didn't notice that auth->pool is the same as dlg->pool
and this pool is released on error.

Regards,
Alexei

Thursday, July 28, 2016, 8:38:19 PM, you wrote:

Hi Alexei,

auth_sess, of type pjsip_auth_clt_sess, is not dynamically allocated, so the check is unnecessary. If create_dialog() fails, then destroy_dialog() won't be called, so the current fix (r5401) seems to be sufficient. If it still causes any problems, please let us know and perhaps a different fix may be required.

Best regards,
Ming

On Thu, Jul 28, 2016 at 10:24 PM, Alexei Gradinari <alex2grad@gmail.com> wrote:
Hello Nanang,

I think the patch https://trac.pjsip.org/repos/changeset/5401 introduced
a new memory leak in case of error in create_dialog.
The client auth session should be deinitialized.
Patch attached.

Regards,
Alexei

Thursday, July 28, 2016, 4:23:37 AM, you wrote:

Hi Pirmin,

Just fixed this in SVN trunk for ticket https://trac.pjsip.org/repos/ticket/1946.

Thank you for the report and the analysis.

BR,
nanang

On Mon, Jul 25, 2016 at 2:48 PM, Pirmin Walthert <pirmin.walthert@wwcom.ch> wrote:
Hi again

Just looked a bit depeer into the pjsip code and it seems like pjsip_dlg_create_uac in sip_dialog.c would in some cases call "goto on_error" before pjsip_auth_clt_init was called. As in this case dlg->auth_session is not initialized, pjsip_auth_clt_deinit(&dlg->auth_sess) should not be called in destroy_dialog (or pjsip_auth_clt_deinit should be changed in a way that it recognizes whether pjsip_auth_clt_init had been executed previously or not).

Best regards,

Pirmin

On 07/24/2016 02:20 PM, Pirmin Walthert wrote:
Hello

I'm able to reproduce a crash when combining Asterisk 13.10.0 with PJSIP 2.5.5. The crash seems to be related to Changeset 5373 as I'm not able to reproduce it when reversing this changeset.

Backtrace:

#0 0x00007f20d18b4ce8 in pjsip_auth_clt_deinit () from /usr/lib/libpjsip.so.2
#1 0x00007f20d18ba93e in destroy_dialog () from /usr/lib/libpjsip.so.2
#2 0x00007f20d18bb20f in pjsip_dlg_create_uac () from /usr/lib/libpjsip.so.2
#3 0x00007f20c2bd1fd6 in ast_sip_create_dialog_uac () from /usr/lib/asterisk/modules/res_pjsip.so
#4 0x00007f20be4bfc4b in ast_sip_session_create_outgoing () from /usr/lib/asterisk/modules/res_pjsip_session.so
#5 0x00007f20bbc5cecc in ?? () from /usr/lib/asterisk/modules/chan_pjsip.so
#6 0x00007f20c2bcfc80 in ?? () from /usr/lib/asterisk/modules/res_pjsip.so
#7 0x00000000005c90de in ast_taskprocessor_execute ()
#8 0x00000000005d00e0 in ?? ()
#9 0x00000000005c90de in ast_taskprocessor_execute ()
#10 0x00000000005d0998 in ?? ()
#11 0x00000000005d9faa in ?? ()
#12 0x00007f20e01ba715 in ?? () from /lib/ld-musl-x86_64.so.1
#13 0x0000000000000000 in ?? ()

Steps to reproduce:

• register two clients
• starting a call from device 1 to device 2
• taking device two offline and waiting until the registration times out
• starting a new call from device 1 to device 2

Best regards,

Pirmin

_______________________________________________
Visit our blog: http://blog.pjsip.org

pjsip mailing list
pjsip@lists.pjsip.org
http://lists.pjsip.org/mailman/listinfo/pjsip_lists.pjsip.org

_______________________________________________
Visit our blog: http://blog.pjsip.org

pjsip mailing list
pjsip@lists.pjsip.org
http://lists.pjsip.org/mailman/listinfo/pjsip_lists.pjsip.org

--
Best regards,
Alexei mailto:alex2grad@gmail.com

_______________________________________________
Visit our blog: http://blog.pjsip.org

pjsip mailing list
pjsip@lists.pjsip.org
http://lists.pjsip.org/mailman/listinfo/pjsip_lists.pjsip.org

--
Best regards,
Alexei mailto:alex2grad@gmail.com