Custom Query (2195 matches)
Results (1501 - 1600 of 2195)
Ticket | Summary | Owner | Type | Priority | Milestone | Component |
---|---|---|---|---|---|---|
#763 | Possibility of infinite loop in jitter buffer (thanks Michael Broughton for the report). | nanang | defect | normal | release-1.0.3 | pjmedia |
Description |
This is a duplicate of ticket #762 for 1.0 branch. |
|||||
#841 | Possibility of naming collisions for codecs using ITU implementation (thanks Johan Lantz for the report). | nanang | enhancement | normal | release-1.3 | pjmedia |
Description |
Sample case:
|
|||||
#328 | Possible alignment error in DNS encoding | bennylp | defect | normal | release-0.8.0 | pjlib-util |
Description |
When creating DNS query packet, the pj_dns_make_query() function typecasts the packet buffer into pj_dns_hdr struct and write 16bit values to it. This will raise alignment error when the buffer is not 16bit aligned. Also changed various pj_ntohs() to pj_htons() and char* to pj_uint8_t* for packet buffer, for better semantics. |
|||||
#1844 | Possible assertion in ICE session when remote has less ICE component | bennylp | defect | normal | release-2.4.5 | pjnath |
Description |
ICE component count may decrease, e.g: remote doesn't have RTCP component while we are initialized with RTCP, at some point we will destroy the RTCP component, but somehow it may still receive STUN packet which will raise assertion in find_comp() function: pj_assert(comp_id > 0 && comp_id <= ice->comp_cnt); The corresponding test scenario is tests/pjsua/scripts-call/305_ice_comp_1_2.py. |
|||||
#1654 | Possible broken SDP negotiator state after previous re-INVITE is rejected | bennylp | defect | normal | release-2.2 | pjsip |
Description |
Scenario:
|
|||||
#1700 | Possible buffer overflow in ICE session | bennylp | defect | normal | release-2.2 | pjnath |
Description |
Caused by bad usage of PJ_ARRAY_SIZE() on pointer (or array as function param). Fortunately this should not affect systems that store pointer in 32 bit space or higher. |
|||||
#2166 | Possible buffer overread if RTCP packet length is invalid | nanang | defect | major | release-2.9 | pjmedia |
Description |
If RTCP packet length is invalid (contains a large number), there is a potential buffer overread, which may lead to crash when parsing the packet. The problem is caused because when parsing, we pass the invalid length as the packet size in pjmedia_rtcp_rx_rtcp() (rtcp.c), for example: len = (pj_ntohs((pj_uint16_t)common->length)+1) * 4; .... parse_rtcp_report(sess, p, len); |
|||||
#1859 | Possible crash due to transaction premature destroy while message send operation is on progress | bennylp | defect | normal | release-2.4.5 | pjsip |
Description |
There is no protection for premature destroy of a transaction while a sending operation is on progress (the message is delivered, but the sent notification is delayed). This is similar to ticket #1646 problem no 2, just this case may occur when sending operation doesn't have transport yet and needs to resolve the server first. Also, it is unlikely to happen when the SIP endpoint has only one worker thread. Scenario:
Notes to reproduce/simulate:
Thanks to Mark Michelson for the report. |
|||||
#1552 | Possible crash if media transport stop() is called on ICE transport while no ICE is running (thanks Iliya Prince for the fix) | bennylp | defect | normal | release-2.1 | pjnath |
Description |
This is because pj_ice_strans_stop_ice() is called with NULL argument. Stack trace: 0009efa8 pj_ice_strans_stop_ice src/pjnath/ice_strans.c:1147 00090e5e set_no_ice src/pjmedia/transport_ice.c:288 00090ebc transport_media_stop src/pjmedia/transport_ice.c:1485 |
|||||
#1164 | Possible crash in PUBLISH session if network connectivity is lost between two requests (thanks Nikolay Popok for the report) | bennylp | defect | normal | release-1.8.10 | pjsip |
Description |
Crash in event publication framework (publishc.c), if network connectivity is lost between two consecutive PUBLISH requests (such as when the PUBLISH request is retried for authentication, or when second PUBLISH request was in the queue (because another one is in progress when application requests the second publication)). Note that this does not happen when there is only one PUBLISH request to be sent. To reproduce:
|
|||||
#1310 | Possible crash in registration callback after deleting account and restarting pjsua | bennylp | defect | normal | release-1.12 | pjsua-lib |
Description |
Validation of account registration object in the registration callback is not protected by pjsua lock. This may cause race condition that lead to crash. Detail scenario:
|
|||||
#1791 | Possible crash when trying to cancel sdp negotiation upon receiving UPDATE response | bennylp | defect | normal | release-2.4 | pjsip |
Description |
There is an application requirement for connected line support. It is the ability to send an INVITE or UPDATE request which updates caller-id/connected-id information. A GUI developer actually uses it to update the display to show what your external caller-id is when placing outgoing calls. The normal scenario: 1. Caller send INVITE 2. Callee send 180 INVTE Resp 3. Caller send UPDATE (no SDP) 4. Callee send 200 UPDATE Resp At the moment, the stack will try to cancel the offer and lead to a crash. This ticket will cancel the offer upon receiving the UPDATE response, only when the UPDATE request include SDP offer. Thanks to Joshua Colp for the report. |
|||||
#2007 | Possible crash when using session timer due to the early release of dialog pool | bennylp | defect | normal | release-2.7 | pjsip |
Description |
There is a possible issue in the sip_timer.c::timer_cb(), more specifically, in the last log call made in that method. This since the dialog that corresponds to the pjsip_inv_session object is unlocked, and the dialog may be destroyed in the consecutive call to pjsip_inv_send_msg(). Since the invite session object’s memory pool simply points to the dialog’s memory pool (and the invite session object itself is allocated from the same pool), this memory may thereby already have been freed once the log call is executed. The issue was encountered when testing the session expiration timeout: after a call has been established from A to B, B’s network connection is cut, and the session expiration timeout is awaited. Once the timer timeouts, the case above seems to occur. Thanks to Christoffer Lauri and Fredrik Hansson for the report. |
|||||
#346 | Possible deadlock in event subscription framework when subscribe is followed immediately with unsubscribe | bennylp | defect | normal | release-0.8.0 | pjsip |
#351 | Possible deadlock in pjsua-api presence subscription (thanks Paul Levin) | bennylp | defect | normal | release-0.8.0 | pjsua-lib |
Description |
The locking order of PJSUA_LOCK() and dialog's mutex in presence framework in PJSUA-API is not uniform, and this may cause deadlock. |
|||||
#1578 | Possible deadlock when call is adding new media with ICE and STUN enabled | bennylp | defect | normal | release-2.1 | pjsua-lib |
Description |
Deadlock may happen if call is adding new media (e.g. adding video) with ICE enabled and more than one worker threads are used. The flow is below:
Thanks Itay Bianco for the report!
|
|||||
#701 | Possible heap corruption in pjmedia/pasound.c callback's thread (thanks Paulo Sousa for the detail report). | nanang | defect | normal | release-1.1 | pjmedia |
Description |
Here is quoted report:
|
|||||
#702 | Possible heap corruption in pjmedia/pasound.c callback's thread (thanks Paulo Sousa for the detail report). | nanang | defect | normal | release-1.0.2 | pjmedia |
Description |
This is duplication of ticket #701 for version 1.0. See ticket #701 for more info. |
|||||
#2118 | Possible insufficient stream buffer size when using Opus | nanang | defect | normal | release-2.8 | pjmedia |
Description |
Currently stream buffer is calculated from specified codec maximum bitrate with 200 ms frame duration. Unfortunately, for some codecs that supports variable bitrate (VBR) and variable frame length such as Opus, it can be too small as the frame size may become very large exceeding the precalculated stream buffer size, which may lead to buffer overflow issues. Thanks Marcus Froeschl for the report and the analysis. |
|||||
#1232 | Possible memory corruptions caused by pjsua_acc_modify() (thanks Viktor Krikun for the report) | bennylp | defect | normal | release-1.10 | pjsua-lib |
Description |
The pjsua_acc_modify() function sets acc->display, acc->user_part, and acc->srv_domain directly from the supplied arguments without cloning them first, which cause the value to be invalid if the original arguments are destroyed. Various symptoms of this bug include:
|
|||||
#1532 | Possible optimization in conference bridge (thanks Michael Derfler for the patch) | nanang | enhancement | normal | release-2.0.1 | pjmedia |
Description |
The optimization proposed is in the conference bridge get_frame() function, brief desc:
Original report can be found here. |
|||||
#1593 | Possible wrap around in caching pool capacity value | bennylp | defect | normal | release-2.1 | pjlib |
Description |
Reported that there is possibility of caching pool capacity, which is represented with unsigned value, getting 'below zero'/wrapped around on releasing the pools after memory allocations exceeds the current configured cache limit via multiple pools. Thanks Joshua Colp for the report and the patch. |
|||||
#1158 | Possible wrong multiplexing of STUN traffic inside TURN Data Indication | bennylp | defect | minor | release-1.8.10 | pjnath |
Description |
Scenario:
|
|||||
#1012 | Potential buffer overflow in Unicode string conversion (thanks Orville Pike for the report) | bennylp | defect | normal | release-1.5.5 | pjlib |
Description |
In unicode_win32.c the pj_ansi_to_unicode function uses MultiByteToWideChar to do character conversion which could result in a buffer overflow. PJ_DEF(wchar_t*) pj_ansi_to_unicode(const char *s, pj_size_t len, wchar_t *buf, pj_size_t buf_count) { PJ_ASSERT_RETURN(s && buf, NULL); len = MultiByteToWideChar(CP_ACP, 0, s, len, buf, buf_count); buf[len]=0; return buf; } Under most circumstances the above won't have a problem however if the value in len and buf_count are the same then doing "buf[len]=0" is going to overflow the buf buffer. The same issue also exists in pj_unicode_to_ansi(), and in Symbian port. |
|||||
#2264 | Potential deadlock between pjsua lock and sip transport's lock | ming | defect | normal | release-2.10 | pjsip |
Description |
The issue was found using Helgrind. Although different, there's a degree of similarity with ticket #2260 and #1247, which is that holding a lock before calling pjsip_regc_send() may potentially lead to deadlock, since any send operation will later acquire transport's lock. While during incoming message, the transport's lock will be held when calling the callbacks of the upper layer to process the message, which may then also need to hold the (upper layer's) lock, thus violating the lock ordering and potentially cause a deadlock between rx and tx. In this case, the two locks involved are pjsua lock and sip transport's lock. PJSUA_LOCK()->pjsip_regc_send()->acquire transport's lock ioqueue_dispatch_read()->acquire transport's lock->regc_tsx_callback()->PJSUA_LOCK() Below is the stack trace reported by Helgrind: Thread #4: lock order "0x645E888 before 0x64E3B88" violated Observed (incorrect) order is: acquisition of lock at 0x64E3B88 by 0x5A154D: pj_grp_lock_tryacquire (lock.c:483) by 0x5960CF: pj_ioqueue_trylock_key (ioqueue_common_abs.c:1366) by 0x594CC9: ioqueue_dispatch_read_event (ioqueue_common_abs.c:439) by 0x597314: pj_ioqueue_poll (ioqueue_select.c:1069) by 0x479D40: pjsip_endpt_handle_events2 (sip_endpoint.c:745) by 0x433808: pjsua_handle_events (pjsua_core.c:2156) followed by a later acquisition of lock at 0x645E888 by 0x418DD9: PJSUA_LOCK (pjsua_internal.h:593) by 0x41F02F: regc_tsx_cb (pjsua_acc.c:2221) by 0x4592EA: regc_tsx_callback (sip_reg.c:1104) by 0x49A71C: mod_util_on_tsx_state (sip_util_statefull.c:81) by 0x496816: tsx_set_state (sip_transaction.c:1272) by 0x499EBC: tsx_on_state_proceeding_uac (sip_transaction.c:3115) by 0x4991D4: tsx_on_state_calling (sip_transaction.c:2599) by 0x4978F7: pjsip_tsx_recv_msg (sip_transaction.c:1832) by 0x495CA5: mod_tsx_layer_on_rx_response (sip_transaction.c:893) by 0x47A11C: pjsip_endpt_process_rx_data (sip_endpoint.c:938) Required order was established by acquisition of lock at 0x645E888 by 0x418DD9: PJSUA_LOCK (pjsua_internal.h:593) by 0x420188: pjsua_acc_set_registration (pjsua_acc.c:2689) followed by a later acquisition of lock at 0x64E3B88 by 0x5A1533: pj_grp_lock_acquire (lock.c:478) by 0x596092: pj_ioqueue_lock_key (ioqueue_common_abs.c:1358) by 0x595D35: pj_ioqueue_connect (ioqueue_common_abs.c:1220) by 0x59D915: pj_activesock_start_connect (activesock.c:936) by 0x489832: lis_create_transport (sip_transport_tcp.c:1053) by 0x484CEB: pjsip_tpmgr_acquire_transport2 (sip_transport.c:2457) by 0x47A7CD: pjsip_endpt_acquire_transport2 (sip_endpoint.c:1246) by 0x47D3D0: stateless_send_transport_cb (sip_util.c:1181) Lock at 0x645E888 was first observed by 0x598F8C: pj_mutex_create_recursive (os_core_unix.c:1258) by 0x4310E7: pjsua_create (pjsua_core.c:950) Lock at 0x64E3B88 was first observed by 0x5A1435: pj_grp_lock_create (lock.c:438) by 0x5A14D2: pj_grp_lock_create_w_handler (lock.c:463) by 0x4889EC: tcp_create (sip_transport_tcp.c:684) by 0x4897D9: lis_create_transport (sip_transport_tcp.c:1045) by 0x484CEB: pjsip_tpmgr_acquire_transport2 (sip_transport.c:2457) |
|||||
#2260 | Potential deadlock between sip_transaction and sip_reg | ming | defect | normal | release-2.10 | applications |
Description |
A potential deadlock between sip_transaction and sip_reg. This issue is found using Helgrind. Although not exactly similar, but this is related to ticket #1247. In that ticket, the fix in was to release the lock before calling pjsip_endpt_send_request(), which worked because as the stack trace showed, the flow was: regc_refresh_timer_cb(), which doesn't lock->pjsip_regc_send()->pjsip_endpt_send_request(). But if the lock is held more than once, then deadlock can still occur (for example: regc_tsx_callback(), which holds regc lock->pjsip_regc_send()->pjsip_endpt_send_request()). For complete stack trace reported by Helgrind, refer to below: Thread #4: lock order "0x64DD5A8 before 0x64E80C8" violated Observed (incorrect) order is: acquisition of lock at 0x64E80C8 by 0x5A1533: pj_grp_lock_acquire (lock.c:478) by 0x4978DC: pjsip_tsx_recv_msg (sip_transaction.c:1831) by 0x495CA5: mod_tsx_layer_on_rx_response (sip_transaction.c:893) by 0x47A11C: pjsip_endpt_process_rx_data (sip_endpoint.c:938) by 0x47A406: endpt_on_rx_msg (sip_endpoint.c:1080) by 0x484620: pjsip_tpmgr_receive_packet (sip_transport.c:2182) by 0x48A3F8: on_data_read (sip_transport_tcp.c:1430) by 0x59CD3C: ioqueue_on_read_complete (activesock.c:504) followed by a later acquisition of lock at 0x64DD5A8 by 0x5A0D31: pj_lock_acquire (lock.c:180) by 0x459127: regc_tsx_callback (sip_reg.c:1071) by 0x49A71C: mod_util_on_tsx_state (sip_util_statefull.c:81) by 0x496816: tsx_set_state (sip_transaction.c:1272) by 0x499D58: tsx_on_state_proceeding_uac (sip_transaction.c:3016) by 0x4991D4: tsx_on_state_calling (sip_transaction.c:2599) by 0x4978F7: pjsip_tsx_recv_msg (sip_transaction.c:1832) by 0x495CA5: mod_tsx_layer_on_rx_response (sip_transaction.c:893) by 0x47A11C: pjsip_endpt_process_rx_data (sip_endpoint.c:938) by 0x47A406: endpt_on_rx_msg (sip_endpoint.c:1080) Required order was established by acquisition of lock at 0x64DD5A8 by 0x5A0D31: pj_lock_acquire (lock.c:180) by 0x4592FD: regc_tsx_callback (sip_reg.c:1105) by 0x49A71C: mod_util_on_tsx_state (sip_util_statefull.c:81) by 0x496816: tsx_set_state (sip_transaction.c:1272) by 0x499EBC: tsx_on_state_proceeding_uac (sip_transaction.c:3115) by 0x4991D4: tsx_on_state_calling (sip_transaction.c:2599) by 0x4978F7: pjsip_tsx_recv_msg (sip_transaction.c:1832) by 0x495CA5: mod_tsx_layer_on_rx_response (sip_transaction.c:893) by 0x47A11C: pjsip_endpt_process_rx_data (sip_endpoint.c:938) by 0x47A406: endpt_on_rx_msg (sip_endpoint.c:1080) followed by a later acquisition of lock at 0x64E80C8 by 0x5A1533: pj_grp_lock_acquire (lock.c:478) by 0x497314: pjsip_tsx_set_transport (sip_transaction.c:1636) by 0x49A815: pjsip_endpt_send_request (sip_util_statefull.c:109) by 0x459D65: pjsip_regc_send (sip_reg.c:1434) by 0x459636: regc_tsx_callback (sip_reg.c:1193) by 0x49A71C: mod_util_on_tsx_state (sip_util_statefull.c:81) by 0x496816: tsx_set_state (sip_transaction.c:1272) by 0x499EBC: tsx_on_state_proceeding_uac (sip_transaction.c:3115) Lock at 0x64DD5A8 was first observed by 0x5A0BA7: pj_lock_create_recursive_mutex (lock.c:96) by 0x456F4E: pjsip_regc_create (sip_reg.c:140) Lock at 0x64E80C8 was first observed by 0x5A14D2: pj_grp_lock_create_w_handler (lock.c:463) by 0x4960FF: tsx_create (sip_transaction.c:1035) by 0x496ADD: pjsip_tsx_create_uac2 (sip_transaction.c:1365) by 0x496975: pjsip_tsx_create_uac (sip_transaction.c:1329) by 0x49A7DE: pjsip_endpt_send_request (sip_util_statefull.c:103) by 0x459D65: pjsip_regc_send (sip_reg.c:1434) |
|||||
#137 | Potential memory overwrite in pjmedia session.c (thanks David Clark) | bennylp | defect | major | release-0.5.10.2 | pjmedia |
Description |
session.c line 519: /* Copy stream info (this simple memcpy may break sometime) */ pj_memcpy(session->stream_info, si->stream_info, si->stream_cnt * sizeof(pjmedia_session_info)); while it should be: session.c line 519 /* Copy stream info (this simple memcpy may break sometime) */ pj_memcpy(session->stream_info, si->stream_info, si->stream_cnt * sizeof(pjmedia_stream_info)); Thanks David Clark for reporting! |
|||||
#138 | Potential memory overwrite in pjmedia session.c (thanks David Clark) | bennylp | defect | major | release-0.7.0-rc1 | pjmedia |
Description |
This is duplicate of ticket #137 for main trunk. |
|||||
#2231 | Potential premature buffer reuse in UDP media transport | ming | defect | normal | release-2.10 | pjmedia |
Description |
Currently there's no check if the number of pending writes in UDP media transport is greater than MAX_PENDING_WRITE. Hence, when it occurs, the send buffers will simply be overwritten without any log/warning. This can potentially introduce sound issues due to the missing&duplicate packets. |
|||||
#384 | Prefer to use Direct Sound as the sound device backend on Windows | bennylp | enhancement | normal | release-0.8.0 | pjmedia |
Description |
DirectSound has much better latency than WMME, so PJMEDIA should use this by default. |
|||||
#1962 | Premature STUN socket destruction when there's an error during STUN server resolution | bennylp | defect | normal | release-2.6 | pjsua-lib |
Description |
Sample stack trace: (1) resolve_stun_entry() -> pj_stun_sock_start() -> get_mapped_addr() -> sess_fail() -> test_stun_on_status() -> (2) resolve_stun_entry() The problem is caused if get_mapped_addr() fail, then test_stun_on_status() will destroy the (failed) STUN socket, and calls resolve_stun_entry no (2), which will then try another STUN candidate. However, after returning, the resolve_stun_entry no (1) will destroy the STUN socket again, incorrectly, for the new candidate being tried. Thanks to Dusan Klinec for the report and the patch. |
|||||
#1647 | Premature termination of REFER (call transfer) subscription | bennylp | defect | normal | release-2.2 | pjsip |
Description |
Scenario:
After investigation, the new subscription for the second REFER is actually created, while the old one has not been destroyed, but the Event Subscription module somehow sees the old and terminated subscription (instead of the new one) for the second REFER. |
|||||
#1809 | Premature transaction destroy caused by DNS SRV resolver callback being called twice | bennylp | defect | normal | release-2.4 | pjlib-util |
Description |
Scenario:
After investigation, we found a bug in DNS SRV resolver, there is possibility of the application callback being called twice, this is quite fatal as when the application is transaction module, a transaction may be destroyed prematurely (as transaction ref counter gets decremented twice while it should be once only!). Thanks Andrey Kovalenko for the report. |
|||||
#938 | Presence PIDF document may be rejected by presence servers that implement strict XML checking (thanks Johan Lantz for the fix) | bennylp | defect | normal | release-1.4 | pjsip |
Description |
PJSIP's generated PIDF presence document may be rejected by presence servers that implement strict XML checking. This is due to the 'id' attribute of <tuple> element does not strictly comply with XML 'xs:ID' specification, which prohibits it from having number as the start of the character. (Such presence server is Ericsson presence server) Thanks Johan Lantz for the fix! |
|||||
#582 | Presence extended status is not sent in initial NOTIFY request (thanks Joseph Maiquez for the report) | bennylp | defect | normal | release-1.0-rc1 | pjsua-lib |
Description |
This would cause the subscriber to not get the extended/RPID status in the initial notification. |
|||||
#880 | Pressing call hold twice in pjsua will cause call to be unheld | bennylp | defect | normal | release-1.3 | pjsua-lib |
Description |
The corresponding ticket for 1.0 branch is #905 |
|||||
#905 | Pressing call hold twice in pjsua will cause call to be unheld | bennylp | defect | normal | release-1.0.3 | pjsua-lib |
Description |
This is duplicate of ticket #880 for 1.0 branch |
|||||
#1318 | Prevent PJSIP_INV_STATE_CALLING from being reported more than once (thanks Sam Yasin for the report) | bennylp | defect | normal | release-1.12 | pjsip |
Description |
The PJSIP_INV_STATE_CALLING state will be reported more than once if the INVITE is challenged with authentication. |
|||||
#2244 | Prevent continuous memory allocation when getting raw certificate on TLS | riza | defect | normal | release-2.10 | pjlib |
Description |
#2204 added the capability to add remote certificate on OpenSSL. However the change introduce new bug which allow memory being allocated continuously without being released when TLS transport is used. Thanks to George Joseph for the report. |
|||||
#2101 | Prevent crash due to access to an already destroyed atomic object | bennylp | enhancement | normal | release-2.8 | pjlib |
Description |
The PJLIB mutex functions all check for NULL mutexes but pj_atomic_destroy() is not setting its mutex to NULL after it destroyed it so any attempts to use the atomic again would cause a crash. This ticket does not address why an attempt was made to use the atomic again but it does prevent the crash. Thank you George Joseph for the patch. |
|||||
#2182 | Prevent crash in unpublishing presence when deleting account | ming | defect | normal | release-2.9 | pjsua-lib |
Description |
|
|||||
#2013 | Prevent crash when timer refresh with SRTP is interrupted by a re-INVITE | nanang | defect | normal | release-2.7 | pjmedia |
Description |
Scenario: This is the situation: 1. User places a call 2. The call is connected 3. After 2.5 minutes PJSIP sends re-INVITE (session refresh) [twice] 4. partner terminal cannot send RTP because partner terminal's network connection is lost 5. partner terminal's network connection recovers and partner sends re-INVITE 6. After 2.5 minutes PJSIP sends re-INVITE (session refresh) 7. PJSIP receives 200 OK for re-INVITE (session refresh) but there is an "unsupported crypto suite" error 8. The call continues without any media (MEDIA_DIR_NONE) 9. After 2.5 minutes the crash happens (around the time of the next session refresh) The callstack: pjsua-i386-Win32-vc14-Debug.exe!pjmedia_transport_media_start(pjmedia_transport * tp, pj_pool_t * tmp_pool, const pjmedia_sdp_session * sdp_local, const pjmedia_sdp_session * sdp_remote, unsigned int media_index) Line 903 C pjsua-i386-Win32-vc14-Debug.exe!pjsua_media_channel_update(int call_id, const pjmedia_sdp_session * local_sdp, const pjmedia_sdp_session * remote_sdp) Line 3057 C pjsua-i386-Win32-vc14-Debug.exe!pjsua_call_on_media_update(pjsip_inv_session * inv, int status) Line 3996 C pjsua-i386-Win32-vc14-Debug.exe!inv_negotiate_sdp(pjsip_inv_session * inv) Line 1942 C pjsua-i386-Win32-vc14-Debug.exe!inv_check_sdp_in_incoming_msg(pjsip_inv_session * inv, pjsip_transaction * tsx, pjsip_rx_data * rdata) Line 2153 C pjsua-i386-Win32-vc14-Debug.exe!inv_on_state_confirmed(pjsip_inv_session * inv, pjsip_event * e) Line 5098 C Because of this: 22:36:03.114 pjsua_media.c ......pjmedia_transport_media_start() failed for call_id 0 media 0: Unsupported SRTP crypto-suite (PJMEDIA_SRTP_ENOTSUPCRYPTO) call_med->tp will be destroyed, resulting the next refresh when calling pjmedia_transport_media_start() will pass NULL and crash. Thanks to Marcus Froeschl for the report. |
|||||
#2104 | Prevent double free on Failed STUN resolution | bennylp | defect | normal | release-2.8 | pjsua-lib |
Description |
Failed STUN resolution when starting the library might lead to a crash caused by double free. Scenario:
Internal flow:
Thank you to Denis Poltorak for the report. |
|||||
#2012 | Prevent memory leak when rejecting a call from on_incoming_call() callback | bennylp | defect | normal | release-2.7 | pjsua-lib |
Description |
The call->incoming_data() will get reset (set to NULL) on reset_call(), which lead to memory leak since it's not properly released. One example of this case is when rejecting a call from on_incoming_call() callback. Thanks to Alexandre Beaulieu for the report. |
|||||
#2000 | Prevent overflow on pj_generate_unique_string() for android | bennylp | defect | normal | release-2.7 | pjlib |
Description |
There is a bug in pj_generate_unique_string() from guid_android.c which lead to overflow/leak with this error: JNI ERROR (app bug): local reference table overflow (max=512) local reference table dump: Last 10 entries (of 512): 511: 0x12ec2f80 java.util.UUID 510: 0x6fc02f38 java.lang.Class<java.util.UUID> 509: 0x130a7e20 java.lang.String "4cb26510-cdfb-4a... (36 chars) 508: 0x12ec2f40 java.util.UUID 507: 0x6fc02f38 java.lang.Class<java.util.UUID> 506: 0x12fcdd00 java.lang.String "22383c0c-14e7-46... (36 chars) 505: 0x12ec2e80 java.util.UUID 504: 0x6fc02f38 java.lang.Class<java.util.UUID> 503: 0x12fcd880 java.lang.String "9f6a1bfc-06b4-46... (36 chars) 502: 0x12ec2e40 java.util.UUID Summary: 170 of java.lang.Class (1 unique instances) 169 of java.lang.String (169 unique instances) 1 of byte[] (533 elements) 1 of byte[] (753 elements) 1 of byte[] (1217 elements) 170 of java.util.UUID (170 unique instances) This error will be raised after multiple calls to pj_generate_unique_string(). Thanks to Esed Alihodzic for the report and patch. |
|||||
#2060 | Prevent releasing unacquired lock in SIP dialog | bennylp | defect | normal | release-2.8 | pjsip |
Description |
In sip_dialog.c create_uas_dialog() there are several error conditions (such as PJSIP_EINVALIDURI and PJSIP_SC_BAD_REQUEST) which cause the flow to go to on_error BEFORE dialog lock gets a chance to be incremented. Thanks to Fredrik Hansson for the report and the patch. |
|||||
#2261 | Prevent unnecessary locking when adding group lock handler | ming | enhancement | normal | release-2.10 | pjsip |
Description |
pj_grp_lock_add_handler() will lock the group lock first, which has a side effect of potentially establishing an incorrect lock ordering when using thread detector tool such as Helgrind. We should use pj_grp_lock_create_w_handler() instead that adds the handler during creation and doesn't require acquiring the lock. Also see ticket #1821 |
|||||
#2070 | Print IPv6 addresses with brackets in the log | bennylp | enhancement | normal | release-2.8 | common |
Description |
Currently IPv6 addresses are printed as is, i.e. without brackets, in various places such as: pjsip/src/pjsua-lib/pjsua_core.c:logging_on_tx_msg, and pjsip/src/pjsua-lib/pjsua_core.c:logging_on_rx_msg pjsip/src/pjsua-lib/pjsua_acc.c:acc_check_nat_addr with "IP address change detected for account" pjsip/src/pjsua-lib/pjsua_acc.c:update_keep_alive with "Keep-alive timer started for acc" pjsip/src/pjsip/sip_transport_tcp.c:on_connect_complete pjsip/src/pjsip/sip_transport_tls.c:on_connect_complete with "transport %.*s:%d is connected to" For clarity, it is desirable for these addresses to be printed with the brackets, especially if there's a port number behind it. In the SIP message itself, we have implemented this by adding beginquote and endquote, such as in pjsua_acc.c: acc_check_nat_addr(), pjsua_acc_create_uac_contact(), pjsua_acc_create_uas_contact() So we probably need to use pj_sockaddr_print() or create a helper new pjlib API instead of copy-pasting it all over the place. |
|||||
#606 | Problem in Symbian build: 'null_audio.lib not found'. | nanang | defect | normal | release-1.0-rc2 | pjmedia |
Description |
For emulator/WINSCW build settings, there seems an inconsistency between application projects (e.g: symbian_ua.mmp) and bld.inf regarding sound device lib. The bld.inf by default doesn't build null audio implementation, while the app's mmp by default uses null audio. |
|||||
#1777 | Problem in audio device list refresh after unregistering an audio device factory | nanang | defect | normal | release-2.3 | pjmedia-audiodev |
Description |
Reported that pjmedia_aud_dev_refresh() will not work properly after unregistering an audio device factory, i.e: via pjmedia_aud_unregister_factory(). Also there could be some problems with internal function lookup_dev() as drv->dev_idx and drv->rec_dev_idx and drv->play_dev_idx are all set to zero by pjmedia_aud_unregister_factory(). Thanks Alexander Klyushin for the report and the patch. |
|||||
#646 | Problem in quitting symbian_ua_gui app | bennylp | defect | normal | release-1.0.1 | applications |
Description |
|
|||||
#1352 | Problem when a capture device shared among multiple video calls | bennylp | defect | normal | release-2.0-alpha | pjsua-lib |
Description |
The maximum port count of video tee in video preview (for capture device sharing) is currently hardcoded to 2, while it should be set to at least (PJSUA_MAX_CALLS+1) so a capture device can be shared among multiple calls. Known symptoms:
|
|||||
#1429 | Problem with SDL on setting window's position when window is hidden | ming | defect | normal | release-2.0-beta | pjmedia-videodev |
Description |
Setting window's position when the window is hidden also sets the window's flag to shown (while the window is, actually, still hidden). This causes problems later when setting/querying the window's visibility. |
|||||
#758 | Problem with TCP transport on Symbian | bennylp | defect | normal | release-1.3 | pjlib |
Description |
It has been reported that there is problem with receiving data with TCP socket/transport on Symbian. The corresponding ticket for 1.0 branch is ticket #759 |
|||||
#759 | Problem with TCP transport on Symbian | bennylp | defect | normal | release-1.0.3 | common |
Description |
This is duplicate of ticket #758 for 1.0 branch. |
|||||
#1040 | Problem with getting the default IP interface on FreeBSD due to wrong argument to connect() (thanks Roman Grachev for the patch) | bennylp | defect | normal | release-1.6 | pjlib |
Description |
Reported in this post:
|
|||||
#1813 | Problem with media reinitialisation when using ICE | bennylp | defect | normal | release-2.4 | pjsua-lib |
Description |
In call media initialization, if ICE media transport completes immediately, we will directly proceed to finish the call media initialization process. If it doesn't, we will mark the call media to resume call media initialization when the ICE media transport completes, i.e. in the on_ice_complete() callback. However, if subsequently, during re-invite/media reinitialization, ICE media transport completes immediately, then on_ice_complete() callback will still follow the same path, i.e. directly resuming call media initialization in its on_ice_complete() callback. The behaviour is undesired since it will cause call media initialization to be called twice. |
|||||
#1488 | Problem with sending and receiving large (INVITE) requests over TCP on Android 4.0.2/4.0.3 possibly due to fragmentation | bennylp | defect | normal | release-2.1 | pjsip |
Description |
When the server sends a large (INVITE) request towards the Android client via TCP, PJSIP does not seem to process this request. Looking at the log there seems to be no activity regarding the incoming data. The OS may not notify us at all about the incoming data. Wireshark capture shows that server sent the INVITE request as TCP fragments and instead of receiving acknowledgement, it gets error from the client instead (see the attached capture). This has been tested with different wi-fi routers and 3G providers and the issue remains. Smaller SIP requests towards the client work as expected. Update: The same problem also occurs in the sending direction. PJSIP sends large (INVITE) request, the log shows it, but nothing actually gets transmitted. After this the TCP socket seems to be disfunctional until it is closed. |
|||||
#472 | Problem with setting up FD_SETSIZE | bennylp | defect | normal | release-0.9.0 | pjlib |
Description |
PJLIB assumes that FD_SETSIZE is always set-able in every OS, so <pj/config.h> always override this macro and set set it to PJ_IOQUEUE_MAX_HANDLES. While this assumption is correct for Windows (or Visual C rather), this is wrong for GLIBC. On GLIBC, FD_SETSIZE specifies the maximum number of file descriptors in fd_set, and the value is constant (see (1)). If we set this in PJLIB, we will get warning about macro being redefined when including GLIBC headers. So PJLIB should detect if FD_SETSIZE is indeed changeable, and only set it if it is. (1) http://www.gnu.org/software/libc/manual/html_node/Waiting-for-I_002fO.html#Waiting-for-I_002fO |
|||||
#1024 | Problem with snprintf with uClibc | bennylp | defect | normal | Known-Issues-and-Ideas | common |
Description |
PJSIP assumes that an snprintf of "%.*s" will nicely print nothing if the supplied arguments are 0 and NULL. Unfortunately some Libc library (such as uClibc) would print "(null)" instead. It has been suggested that PJSIP should be changed so that it uses empty string ("") instead of NULL when the string length is zero, but this would require modifications in too many places. And I feel that this is not the right solution anyway since I believe we comply with ANSI C. We suggest that uClibc should be fixed instead. The offending lines are in libc/stdio/_vprintf.c, just search for "(null)" and replace it with an empty string. Thanks Alfonso Ortega for the info. |
|||||
#1745 | Problems in building shared/dynamic libraries on MinGW | bennylp | defect | normal | release-2.2.1 | common |
Description |
Known issues:
Thanks Brian White for the report. |
|||||
#755 | Problems with IPv6 SIP transport (thanks Cedric Levequ for the report) | bennylp | defect | normal | release-1.1 | pjsip |
Description |
Several problems with IPv6 SIP transport:
|
|||||
#756 | Problems with IPv6 SIP transport (thanks Cedric Levequ for the report) | bennylp | defect | normal | release-1.0.2 | pjsip |
Description |
This is duplicate of ticket #755 for 1.0 branch. |
|||||
#249 | Problems with big memory blocks in Symbian | bennylp | defect | normal | Symbian-trunk-integration | common |
Description |
Symbian looks to having troubles when there are too many big blocks allocated by application, and unfortunately PJ likes to allocate memory in big blocks (4000 bytes or so) for the pool. The solution is to have the block size configurable during compile time. |
|||||
#250 | Problems with byte ordering in Symbian | bennylp | defect | normal | Symbian-trunk-integration | common |
Description |
Problem:
Presently, pj_htons() is a no-op (pj/sock_symbian.cpp:219): /* * Convert 16-bit value from host byte order to network byte order. */ PJ_DEF(pj_uint16_t) pj_htons(pj_uint16_t hostshort) { /* There's no difference in host/network byte order in Symbian */ return hostshort; } We have a deeper problem here. While it's true that the integers in TInetAddr are in host order (therefore pj_ntohx() and pj_htonx() can be made no-op), the pj_ntohx()/pj_htonx() are used by other functions so they must convert the host/network orders correctly. For now, a quick fix is to replace pj_htonx()/pj_ntohx() calls in STUN with something like swap16() and swap32(). Apart from this, unnfortunately pj_ntohx/pj_htonx are used in RTP and RTCP as well.. |
|||||
#483 | Problems with using multiple sound devices (with splitcomb) with PJSUA-LIB | nanang | defect | major | release-0.9.0 | pjmedia |
Description |
There have been some problems with using the splitter/combiner port (splitcomb) with PJSUA-LIB. Splitcomb typically is used on these scenarios:
For case a) above, one user has reported that when three audio devices are used (one connected directly to port 0 of the bridge and the other two via splitcombs), then there won't be any audio coming/going through the third sound device. Checking the log revealed that there are many overflow/underflow messages printed on the log. This only happens when C-Media USB Audio driver is used; if the generic USB audio driver is used, audio seems to be working fine. For case b), the user reported that audio was also broken, and there were lots of underflow/overflow messages printed to the log as well. |
|||||
#1135 | Processing of RTP padding bit (thanks Rafael Maia for the suggestion) | nanang | defect | normal | release-1.8.5 | pjmedia |
Description |
Currently padding bit in incoming RTP packets are ignored, potentially causing incorrect RTP payload processing. Also investigate if the padding bit should be used in outgoing RTP transmission. |
|||||
#1678 | Proper error handling in WAV writer | nanang | defect | normal | release-2.2 | pjmedia |
Description |
Some errors seems to be just trapped as assertion. |
|||||
#694 | Proper installation (make install) on GNU targets | bennylp | enhancement | normal | release-1.6 | common |
Description |
make install:
Limitations:
|
|||||
#1440 | Proper set up of RTCP compound packet (thanks Werner Dittmann for the report) | nanang | defect | normal | release-1.14 | pjmedia |
Description |
Original report can be found here. The problems reported:
RFC 3550 6.1:
|
|||||
#1271 | Protect all video features inside #if PJMEDIA_HAS_VIDEO macro | ming | enhancement | major | release-2.0-alpha | common |
#418 | Protect client registration session (regc) with mutex | bennylp | defect | major | release-0.9.0 | pjsip |
Description |
The original idea of not using mutex in regc was because operations should be serialized by 8-bit boolean flags, and (I heard) operation to 8-bit variables should be atomic. But it seems that with recent modifications/bug fixes in regc, this rule may not hold anymore (such as the timer, which I think was added only quite recently). |
|||||
#356 | Prototype and definition mismatch causing crash in sip_auth_server.c (thanks Truong Thanh Quang) | bennylp | defect | normal | release-0.8.0 | pjsip |
#1254 | Provide different doxygen documentation for different PJSIP versions in the website | ismangil | enhancement | major | release-2.0-alpha | common |
#1336 | Provide different doxygen documentation for different PJSIP versions in the website | bennylp | enhancement | normal | release-1.12 | common |
Description |
Copy of #1254 for 1.x |
|||||
#1306 | Publish non-100 provisional response retransmission interval setting | bennylp | enhancement | normal | release-1.12 | pjsip |
Description |
Non-100 provisional response retransmission interval setting, PJSIP_TSX_1XX_RETRANS_DELAY, is currently not published/documented. |
|||||
#856 | Put back the ICE candidate priority values according to the default values in the draft-mmusic-ice | bennylp | defect | normal | release-1.3 | pjnath |
#1708 | PyGUI: New Python GUI Application based on pjsua2+SWIG API | bennylp | enhancement | normal | release-2.2 | applications |
Description |
Python GUI Application based on pjsua2+SWIG API |
|||||
#93 | Python application blocks in sys.stdin.readline() because C module running on different thread is calling a blocking OS function | bennylp | defect | blocker | release-0.5.10 | applications |
Description |
On Linux (or at least my Linux), pjsua_app.py application will block forever on sys.stdin.readline(), and somehow this is related to the other thread calling py_pjsua.handle_events() (if this is commented, the keyboard input will function properly). |
|||||
#12 | Python binding for PJSUA-LIB | bennylp | task | major | common | |
Description |
As the title says.. |
|||||
#1694 | Python enhancement: added QoS and RTP settings in account config | bennylp | enhancement | normal | release-2.2 | python |
Description |
As the title says. Thanks Niels Klaas for the patch! |
|||||
#1701 | Python enhancement: added received message into incoming call callback | bennylp | enhancement | normal | release-2.2 | python |
Description |
As the title says. Note that only msg_info_info (pjsip_rx_data_get_info()) and msg_info_buffer (rdata.msg_info.msg_buf) attributes are implemented. Thanks Niels Klaas for the patch! |
|||||
#809 | Python module | bennylp | task | normal | release-1.2-QA | applications |
#108 | QA for release 0.5.10 | bennylp | defect | normal | release-0.5.10 | common |
#1963 | QoS for IPv6 for platform that supports IPV6_TCLASS | bennylp | enhancement | normal | release-2.6 | pjlib |
Description |
This patch changes the BSD sockets implementation of QoS to use IPV6_TCLASS for IPv6 sockets instead of IP_TOS. Summary of changes:
Thanks to Michele Cicciotti for the patch. |
|||||
#1964 | QoS for darwin OS which supports SO_NET_SERVICE_TYPE | bennylp | enhancement | normal | release-2.6 | pjlib |
Description |
The latest XNU kernel, shipped with iOS 10, Mac OS 10.11, AppleTV OS 10, etc. supports a new socket option, SO_NET_SERVICE_TYPE, a high level API for configuring a socket's QoS, which the OS will appropriately and transparently map to a DSCP or WMM priority depending on the network connection. This patch introduces a new implementation of the socket QoS functions specifically for the Darwin platform, that makes use of SO_NET_SERVICE_TYPE when available, and falls back to IP_TOS/IPV6_TCLASS elsewhere. Changes introduced by this patch:
Backwards/forwards compatibility considerations: on older Darwin platforms, the SDK doesn't define SO_NET_SERVICE_TYPE, and QoS functions always use IP_TOS/IPV6_TCLASS instead. Running code compiled with an old SDK on a new operating system has the same behavior as it had before, and like before with the caveat that, at some point in the future, the OS may start ignoring the value set with IP_TOS/IPV6_TCLASS on newer Darwin platforms, SO_NET_SERVICE_TYPE is always used. Running code compiled with a new SDK on an old operating system makes attempts to get/set SO_NET_SERVICE_TYPE fail with ENOPROTOOPT, which the QoS function translate to PJ_ENOTSUP, which is handled with a runtime fallback on the old IP_TOS/IPV6_TCLASS code. For future reference, mapping of pj_qos_type might be changed according to the new standard. Please have a look at the draft: https://tools.ietf.org/html/draft-ietf-tsvwg-ieee-802-11-00 Thanks to Michele Cicciotti for the patch. |
|||||
#1183 | QuickTime capture device for Mac OS X and iOS's capture and render device | ming | defect | normal | release-2.0-dev | pjmedia |
Description |
|
|||||
#860 | REFER is sent instead of SUBSCRIBE with Expires=0 when when transferee doesn't terminate subscription after call transfer | bennylp | defect | normal | release-1.3 | pjsip |
Description |
After call transfer is complete, normally transferee should terminate the subscription caused by REFER by sending NOTIFY with Subscription-State: terminated. When transferee doesn't do that, transferer should terminate it by sending SUBSCRIBE with Expires: 0. We don't do that, but instead we maintain the subscription, and when it is about to expire, we will send REFER again to refresh the subscription. |
|||||
#2188 | RTCP RR not generated if stream's encoder channel is paused | ming | defect | normal | release-2.9 | pjmedia |
Description |
If the encoder channel is paused and only decoding allowed, then RTCP RR reports are not being generated. |
|||||
#37 | RTCP discard statistic should be increased when invalid RTP packet is received | bennylp | enhancement | minor | release-0.5.10 | pjmedia |
Description |
Some application uses the RTCP RX statistic to detect whether remote call has disappeared, i.e. when no packet is received for some time then application assumes that remote call has gone missing. Some user agents (X-Lite in this case) send a one byte packet when the call is on-hold to keep the call running. So the receipt of such packet can be used to prevent application from deleting the call. Unfortunately, this one byte packet will not count on any RX statistic since it was not an RTP packet, so it doesn't pass the rtp_decode() function. The correct behavior (probably) is to count this invalid RTP packets as the discarded packets. |
|||||
#1439 | RTCP samples_per_frame setting for video stream | nanang | defect | normal | release-2.x | pjmedia |
Description |
The RTCP setting samples_per_frame/frame length in video stream should be calculated from frame-per-second and clock-rate setting, currently it is hardcoded to one. |
|||||
#740 | RTCP sender report should set RTP timestamp field (thanks to Yann for the report) | nanang | defect | normal | release-1.7 | pjmedia |
Description |
The report can be found here. |
|||||
#1103 | RTCP statistics updates (thanks Roman Puls for the suggestions) | nanang | enhancement | normal | release-1.7 | pjmedia |
Description |
Updates suggested:
|
|||||
#176 | RTP port number is not reset in pjsua media (thanks Binu KS) | bennylp | defect | minor | release-0.5.10.3 | pjsua-lib |
Description |
The RTP port number uses a static variable to keep track next available port to use, and the value is not cleared on pjsua_destroy(). This would cause next pjsua_init() after pjsua_destroy() to not use the RTP starting port setting. Thanks Binu K S <binuks at gmail> for reporting this. |
|||||
#177 | RTP port number is not reset in pjsua media (thanks Binu KS) | bennylp | defect | minor | release-0.7.0-rc1 | pjsua-lib |
Description |
See ticket #176 for details. |
|||||
#593 | RTP timestamp incremented incorrectly for multichannel audio. | nanang | defect | normal | release-1.0-rc1 | pjmedia |
Description |
Currently RTP timestamp is incremented based on number of samples processed, while this is considered to be incorrect for multichannel audio, as specified by RFC 3551 Section 4.1:
|
|||||
#467 | RTP/AVP vs RTP/SAVP negotiation | nanang | defect | major | release-0.9.0 | pjmedia |
Description |
Issues:
|
|||||
#544 | RTP/AVP/SAVP negotiation on UPDATE/re-INVITE | nanang | defect | normal | release-0.9.0 | pjsua-lib |
Description |
Case:
|
|||||
#1877 | Race condition between stopping ICE and sending data in ICE stream transport | bennylp | defect | normal | release-2.4.5 | pjnath |
Description |
Race condition between pj_ice_strans_stop_ice() and pj_ice_strans_sendto() Example scenario: 45:31.546 28834 D PJSIP: 45:31.556 pjsua_media.c .....Call 1: updating media.. 45:31.546 28834 D PJSIP: 45:31.563 pjsua_media.c ......Call 1: stream #0 (audio) unchanged. 45:31.546 28834 D PJSIP: 45:31.563 icetp00 ......Stopping ICE, reason=Remote answer doesn't support ICE 45:31.546 28834 D PJSIP: 45:31.563 icetp00 ......Destroying ICE session 0x76595fd4 Called from transport_ice.c: transport_media_start() -> set_no_ice() -> pj_ice_strans_stop_ice() Then there's a call to pj_ice_strans_sendto(), backtrace below: 45:31.996 1064 1064 I DEBUG : #00 pc 00329e6e /system/lib/PJSIP.so (pj_ice_sess_send_data+25) 45:31.996 1064 1064 I DEBUG : #01 pc 0032b371 /system/lib/PJSIP.so (pj_ice_strans_sendto+76) ... 45:31.996 1064 1064 I DEBUG : #06 pc 0033f33f /system/lib/PJSIP.so (ioqueue_dispatch_read_event+290) 45:31.996 1064 1064 I DEBUG : #07 pc 0033fd9f /system/lib/PJSIP.so (pj_ioqueue_poll+448) pj_ice_strans_sendto() tries to access the already destroyed ice session, hence resulting in crash. |
|||||
#1706 | Race condition fix in SIP transaction | bennylp | defect | normal | release-2.2 | pjsip |
Description |
Fix race condition which may cause the transaction to be destroyed before we have chance to lock the group lock. 10:19:57.797 (52608) [PJ:5] - tsx0x6d9db88c pjsua .State changed from Terminated to Destroyed, event=TIMER 10:19:57.797 (44440) [PJ:4] - pjsua_core.c media .RX <-- 1329 bytes Response msg 200/INVITE/cseq=26892 (rdata0x69dcc1cc) from TCP 216.115.27.170:5090: 10:19:57.798 (44440) [PJ:5] - tsx0x6d9db88c media .Incoming Response msg 200/INVITE/cseq=26892 (rdata0x69dcc1cc) in state Destroyed 10:19:57.818 (52608) [PJ:5] - tsx0x6d9db88c pjsua ..Transaction destroyed! The problem seems to happen because the transaction lock is destroyed after the first line, and then the media thread tries to lock it in the retransmitted response. |