Review Board 1.7.16

chan_iax2 - unprotected access of iaxs[peer->callno] potentially results in segfault

Review Request #4599 - Created April 7, 2015 and submitted

Jaco Kroon
chan_iax2.c, specifically in function iax2_poke_peer, a completely unprotected access to iaxs[peer->callno] is made. Specifically I had a segfault trigger on line 12230, an access to iaxs[peer->callno] - the second in a sequence, so peer->callno can definitely change between the two.

It is my understanding that:

1. peer->callno can change outside of the function, thus it's probably unsafe to use the raw value as per lines 12223, 12229 and 12230. I believe this should be callno, and not peer->callno. Please correct me if I'm wrong. This can either happen by us calling iax2_destroy, or simply another thread also scheduling a POKE on the same peer.

2. All reads and writes to iaxs[X] should be protected by a lock of iaxsl[X]. Lines 12229 and 12230 violate this currently.

I suspect my crash resulted from a sequence where a POKE was in process of being scheduled, another thread then called iax2_poke_peer for the same peer, called iax2_destroy on the iaxs[] busy being set up, and boom major catastrophe.
Been running since 11.2.1 with this patch, specifically 6/3/2013 (more than two years) in multiple production environments. Many fewer segfaults.
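The two access patterns described in this review, as an added C illustration that is not part of the review request or of chan_iax2 itself: a tiny model of the iaxs[] slot table and its per-slot iaxsl[] locks (MAX_CALLS, pool, setup_call, destroy_call, peer3 and the `racer` hook are all constructed here to make the interleaving deterministic), showing the unlocked double read of peer->callno beside the snapshot-callno-then-lock-and-recheck version.

```c
#include <pthread.h>
#include <stddef.h>
#define MAX_CALLS 8                          /* constructed: tiny call table */
struct chan_pvt { int callno; int poked; };
struct iax2_peer { int callno; };

static struct chan_pvt *iaxs[MAX_CALLS];     /* call slots, as in chan_iax2 */
static pthread_mutex_t iaxsl[MAX_CALLS];     /* one lock per slot */
static struct chan_pvt pool[MAX_CALLS];      /* constructed backing storage */
static struct iax2_peer peer3 = { 3 };       /* constructed sample peer */

static void iaxs_init(void) {
    for (int i = 0; i < MAX_CALLS; i++) pthread_mutex_init(&iaxsl[i], NULL);
}

/* Stand-ins for call setup and iax2_destroy: both touch iaxs[] under iaxsl[]. */
static void setup_call(int callno) {
    pthread_mutex_lock(&iaxsl[callno]);
    pool[callno] = (struct chan_pvt){ callno, 0 };
    iaxs[callno] = &pool[callno];
    pthread_mutex_unlock(&iaxsl[callno]);
}
static void destroy_call(int callno) {
    pthread_mutex_lock(&iaxsl[callno]);
    iaxs[callno] = NULL;
    pthread_mutex_unlock(&iaxsl[callno]);
}

/* The pattern the review describes: peer->callno read twice, no lock held.
 * `racer` models another thread running between the reads (e.g. iax2_destroy).
 * Returns the pointer the second access would dereference; NULL is the crash. */
static struct chan_pvt *poke_unsafe(struct iax2_peer *peer, void (*racer)(int)) {
    if (!iaxs[peer->callno]) return NULL;    /* first read */
    if (racer) racer(peer->callno);
    return iaxs[peer->callno];               /* second read: slot may be gone now */
}

/* Fix pattern: snapshot callno once, take iaxsl[callno] before touching
 * iaxs[callno], and re-check the slot under the lock. 1 = poked, 0 = call gone. */
static int poke_safe(struct iax2_peer *peer, void (*racer)(int)) {
    int callno = peer->callno;               /* single read, used throughout */
    if (callno < 0 || callno >= MAX_CALLS) return 0;
    if (racer) racer(callno);                /* other thread wins before we lock */
    pthread_mutex_lock(&iaxsl[callno]);
    struct chan_pvt *pvt = iaxs[callno];
    if (pvt) pvt->poked = 1;
    pthread_mutex_unlock(&iaxsl[callno]);
    return pvt != NULL;
}
```

With a destroy interleaved, poke_unsafe hands back the NULL the real code would have dereferenced, while poke_safe notices the empty slot under the lock and simply reports that the call is gone.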
Review request changed
Updated (April 8, 2015, 7:28 a.m.)
  • changed from pending to submitted
Committed in revision 434313