Review Board 1.7.16


chan_iax2 - unprotected access of iaxs[peer->callno] potentially results in segfault

Review Request #4599 - Created April 7, 2015 and submitted

Submitter: Jaco Kroon
Branch: trunk
Bugs: ASTERISK-21211
Reviewers: asterisk-dev
Repository: Asterisk
In chan_iax2.c, specifically in function iax2_poke_peer, a completely unprotected access to iaxs[peer->callno] is made. Specifically, I had a segfault trigger on line 12230, an access to iaxs[peer->callno] - the second in a sequence, so peer->callno can definitely change between the two.

It is my understanding that:

1. peer->callno can change outside of the function, thus it's probably unsafe to use the raw value as per lines 12223, 12229 and 12230. I believe this should be callno, and not peer->callno. Please correct me if I'm wrong. This can either happen by us calling iax2_destroy, or simply another thread also scheduling a POKE on the same peer.

2. All reads and writes to iaxs[X] should be protected by a lock of iaxsl[X]. Lines 12229 and 12230 violate this currently.

I suspect my crash resulted from a sequence where a POKE was in the process of being scheduled, another thread then called iax2_poke_peer for the same peer, called iax2_destroy on the iaxs[] entry busy being set up, and boom, major catastrophe.
Been running since 11.2.1 with this patch, specifically 6/3/2013 (more than two years) in multiple production environments.  Many fewer segfaults.
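The two points in the description (don't re-read peer->callno, and only touch iaxs[X] under iaxsl[X]) are easiest to see side by side. The following is an added, stand-alone illustration written for this page; it is not chan_iax2 code and not the submitted patch. It models iaxs[]/iaxsl[] with a small slot table, assumes callno 0 means "no call", and uses hypothetical names (alloc_callno, other_thread_destroys, poke_unsafe, poke_safe, POKE_*) for the pieces. The "other thread" is injected as a callback so the interleaving the description suspects can be reproduced deterministically: poke_unsafe re-reads peer->callno after the other thread has torn the call down and ends up at a NULL slot (the segfault, reported here as a return code instead of dereferenced), while poke_safe snapshots callno once, takes iaxsl[callno], and re-checks iaxs[callno] before using it.

```c
#include <pthread.h>
#include <stdio.h>
#include <string.h>

#define MAX_CALLS 8

/* Toy model of the structures named in the review: iaxs[] is the per-call
 * state table and iaxsl[] the matching per-slot lock. Callno 0 is treated
 * as "no call" (modelling assumption). None of this is Asterisk code. */
struct chan_pvt { int callno; int peerpoke_seq; };
struct iax_peer { int callno; };

static struct chan_pvt *iaxs[MAX_CALLS];
static pthread_mutex_t iaxsl[MAX_CALLS];
static struct chan_pvt pvt_storage[MAX_CALLS];

enum poke_result { POKE_OK = 0, POKE_NO_CALL = -1, POKE_WOULD_CRASH = -2, POKE_GONE = -3 };

static void iaxs_init(void)
{
    for (int i = 0; i < MAX_CALLS; i++) {
        pthread_mutex_init(&iaxsl[i], NULL);
        iaxs[i] = NULL;
    }
}

/* Hypothetical allocator: claims the first free slot under its lock. */
static int alloc_callno(void)
{
    for (int i = 1; i < MAX_CALLS; i++) {
        pthread_mutex_lock(&iaxsl[i]);
        if (!iaxs[i]) {
            memset(&pvt_storage[i], 0, sizeof pvt_storage[i]);
            pvt_storage[i].callno = i;
            iaxs[i] = &pvt_storage[i];
            pthread_mutex_unlock(&iaxsl[i]);
            return i;
        }
        pthread_mutex_unlock(&iaxsl[i]);
    }
    return 0;
}

/* What "another thread" does in the race: tears the peer's call down under
 * iaxsl[] and clears peer->callno, standing in for a concurrent destroy. */
typedef void (*interleave_fn)(struct iax_peer *peer);

static void other_thread_destroys(struct iax_peer *peer)
{
    int callno = peer->callno;
    pthread_mutex_lock(&iaxsl[callno]);
    iaxs[callno] = NULL;
    pthread_mutex_unlock(&iaxsl[callno]);
    peer->callno = 0;
}

/* The pattern the review objects to: peer->callno is read twice and iaxs[]
 * is touched without holding iaxsl[]. The NULL check stands in for the segfault. */
static enum poke_result poke_unsafe(struct iax_peer *peer, interleave_fn interleave)
{
    if (!peer->callno)
        return POKE_NO_CALL;
    int seq = iaxs[peer->callno]->peerpoke_seq;   /* first unlocked access */
    if (interleave)
        interleave(peer);                         /* other thread runs here */
    struct chan_pvt *pvt = iaxs[peer->callno];    /* second read of peer->callno */
    if (!pvt)
        return POKE_WOULD_CRASH;                  /* real code dereferences NULL here */
    pvt->peerpoke_seq = seq + 1;
    return POKE_OK;
}

/* The fix the review asks for: snapshot callno once, take iaxsl[callno],
 * and re-check iaxs[callno] before touching it. */
static enum poke_result poke_safe(struct iax_peer *peer, interleave_fn interleave)
{
    int callno = peer->callno;                    /* single read, local copy */
    if (!callno)
        return POKE_NO_CALL;
    if (interleave)
        interleave(peer);                         /* other thread wins the race */
    pthread_mutex_lock(&iaxsl[callno]);
    if (!iaxs[callno]) {                          /* destroyed before we got the lock */
        pthread_mutex_unlock(&iaxsl[callno]);
        return POKE_GONE;
    }
    iaxs[callno]->peerpoke_seq++;
    pthread_mutex_unlock(&iaxsl[callno]);
    return POKE_OK;
}

int main(void)
{
    iaxs_init();
    struct iax_peer peer = { .callno = 0 };
    peer.callno = alloc_callno();
    printf("unsafe, raced: %d\n", poke_unsafe(&peer, other_thread_destroys));
    peer.callno = alloc_callno();
    printf("safe, raced:   %d\n", poke_safe(&peer, other_thread_destroys));
    return 0;
}
```

The local copy matters independently of the lock: even with iaxsl[] held, re-reading peer->callno can select a different slot from the one the lock protects, so the locked slot and the accessed slot must be the same local value.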
Review request changed
Updated (April 8, 2015, 7:28 a.m.)
  • changed from pending to submitted
Committed in revision 434313
