Opened 10 years ago

Closed 10 years ago

#1809 closed defect (fixed)

Premature transaction destroy caused by DNS SRV resolver callback being called twice

Reported by: nanang
Owned by: bennylp
Priority: normal
Milestone: release-2.4
Component: pjlib-util
Version: trunk
Keywords:
Cc:
Backport to 1.x milestone:
Backported: no

Description

Scenario:

  1. run pjsua with one nameserver configured; the library uses the nameserver fine for some time and successfully stores some entries in the cache, until at some point the nameserver goes down and the library marks it as bad
  2. a registration refresh is about to be done; the DNS SRV resolver is used to resolve the SIP registrar address, and the DNS server returns two entries from the cache, say server1 and server2
  3. the resolver then tries to resolve the A records of those two entries; eventually server1 cannot be resolved because there is no working nameserver, while server2 is successfully resolved from the cache
  4. then an assertion failure happens with the following call stack trace:
    #4  0x006edea6 in __assert_fail () from /lib/libc.so.6
    #5  0x082d7281 in pj_mutex_unlock (mutex=0xf0e3ee70) at ../src/pj/os_core_unix.c:1287
    #6  0x082d6c7e in pj_atomic_inc_and_get (atomic_var=0xf0e3ee68) at ../src/pj/os_core_unix.c:918
    #7  0x082d6c94 in pj_atomic_inc (atomic_var=0xf0e3ee68) at ../src/pj/os_core_unix.c:928
    #8  0x082ab7c0 in pjsip_tx_data_add_ref (tdata=0xf0e3eb0c) at ../src/pjsip/sip_transport.c:463
    #9  0x082ac370 in pjsip_transport_send (tr=0xa57fad4, tdata=0xf0e3eb0c, addr=0xf0e3fb98, addr_len=16, token=0xf0e3fb14, cb=0x82ba0cf <transport_callback>) at ../src/pjsip/sip_transport.c:827
    #10 0x082ba40c in tsx_send_msg (tsx=0xf0e3fb14, tdata=0xf0e3eb0c) at ../src/pjsip/sip_transaction.c:2037
    #11 0x082baab9 in tsx_retransmit (tsx=0xf0e3fb14, resched=1) at ../src/pjsip/sip_transaction.c:2270
    #12 0x082baebf in tsx_on_state_calling (tsx=0xf0e3fb14, event=0xf4bfe188) at ../src/pjsip/sip_transaction.c:2401
    #13 0x082b8a72 in tsx_timer_callback (theap=0xa5800c4, entry=0xf0e3fc10) at ../src/pjsip/sip_transaction.c:1153
    #14 0x082e3a7a in pj_timer_heap_poll (ht=0xa5800c4, next_delay=0xf4bfe238) at ../src/pj/timer.c:643
    #15 0x082a588c in pjsip_endpt_handle_events2 (endpt=0xa57fefc, max_timeout=0xf4bfe294, p_count=0x0) at ../src/pjsip/sip_endpoint.c:712

After investigation, we found a bug in the DNS SRV resolver: there is a possibility of the application callback being called twice. This is quite fatal, as when the application is the transaction module, a transaction may be destroyed prematurely (the transaction ref counter gets decremented twice while it should be decremented only once!).

Thanks Andrey Kovalenko for the report.
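The mechanism behind the ticket, as an added illustration that is not pjlib-util's code and not the reporter's: a toy SRV resolution fans out one A-record sub-query per SRV target, and the completion callback must be delivered to the application exactly once. The "buggy" handler reports the failed target immediately and then reports again when the remaining target succeeds, so the transaction module releases its reference twice and the transaction is touched after it has been destroyed (the situation the stack trace above shows). The "fixed" handler aggregates the sub-query outcomes and fires once, guarded by a done flag. All type and function names (srv_query, tx, on_a_record_buggy, on_a_record_fixed, and so on) are hypothetical; the two-target scenario is constructed from the description.

```c
#include <stdio.h>

/* Hypothetical model of an SRV query that fans out one A-record lookup
 * per SRV target; the names are invented for this illustration. */
typedef void (*srv_cb)(void *token, int status);

typedef struct srv_query {
    int pending;    /* A-record sub-queries still outstanding */
    int resolved;   /* targets that obtained an address */
    int done;       /* completion guard: has the callback already fired? */
    srv_cb cb;
    void *token;
} srv_query;

/* Reference-counted stand-in for the transaction that owns the query.
 * The resolver holds one reference while the query is in flight. */
typedef struct tx {
    int ref;
    int destroyed;
    int callbacks_seen;
    int touched_after_destroy;
} tx;

static void tx_dec_ref(tx *t)
{
    if (t->destroyed)               /* the real code asserts at this point */
        t->touched_after_destroy = 1;
    if (--t->ref == 0)
        t->destroyed = 1;
}

/* Application (transaction module) callback: the result has arrived, so
 * release the reference the resolver was holding. */
static void app_on_srv_resolved(void *token, int status)
{
    tx *t = (tx *)token;
    (void)status;
    t->callbacks_seen++;
    tx_dec_ref(t);
}

/* Buggy: a failed sub-query is reported immediately, and a later successful
 * sub-query is reported again, so the reference is dropped twice. */
static void on_a_record_buggy(srv_query *q, int status)
{
    q->pending--;
    if (status != 0) {
        q->cb(q->token, status);    /* first delivery */
        return;
    }
    q->resolved++;
    if (q->pending == 0)
        q->cb(q->token, 0);         /* second delivery */
}

/* Fixed: aggregate the sub-query outcomes and report once, when the last
 * one finishes; the done flag blocks any further delivery. */
static void on_a_record_fixed(srv_query *q, int status)
{
    q->pending--;
    if (status == 0)
        q->resolved++;
    if (q->pending > 0 || q->done)
        return;
    q->done = 1;
    q->cb(q->token, q->resolved > 0 ? 0 : -1);
}

/* Constructed scenario from the ticket: two SRV targets; server1's A lookup
 * fails (no working nameserver), server2's succeeds from the cache. */
static void run_scenario(int use_fix, tx *t)
{
    srv_query q = { 2, 0, 0, app_on_srv_resolved, t };
    t->ref = 1;
    t->destroyed = 0;
    t->callbacks_seen = 0;
    t->touched_after_destroy = 0;
    if (use_fix) {
        on_a_record_fixed(&q, -1);  /* server1 */
        on_a_record_fixed(&q, 0);   /* server2 */
    } else {
        on_a_record_buggy(&q, -1);
        on_a_record_buggy(&q, 0);
    }
}

int scenario_callback_count(int use_fix)
{
    tx t;
    run_scenario(use_fix, &t);
    return t.callbacks_seen;
}

int scenario_touched_after_destroy(int use_fix)
{
    tx t;
    run_scenario(use_fix, &t);
    return t.touched_after_destroy;
}

int main(void)
{
    printf("buggy: callbacks=%d touched_after_destroy=%d\n",
           scenario_callback_count(0), scenario_touched_after_destroy(0));
    printf("fixed: callbacks=%d touched_after_destroy=%d\n",
           scenario_callback_count(1), scenario_touched_after_destroy(1));
    return 0;
}
```

The fixed handler also covers the reverse ordering (success first, then failure), where the buggy handler would fire only once but report an error despite having a resolved target; aggregating over all sub-queries before reporting gives the correct status in both orders.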

Change History (1)

comment:1 Changed 10 years ago by nanang

  • Resolution set to fixed
  • Status changed from new to closed

In r4971:

  • Fixed DNS SRV resolver bug where the application callback may be called twice.