![(please configure the [header_logo] section in trac.ini)](/repos/chrome/site/pj.jpg)
Opened 10 years ago
Closed 10 years ago
#1834 closed defect (fixed)
Crash in SDP negotiator due to access to invalid memory space
| Reported by: | nanang | Owned by: | nanang |
|---|---|---|---|
| Priority: | normal | Milestone: | release-2.4 |
| Component: | pjmedia | Version: | trunk |
| Keywords: | Cc: | ||
| Backport to 1.x milestone: | Backported: | no |
Description
INVITE session uses an alternating set of memory pools where the last used is reset after a cycle of SDP negotiation, this requires SDP negotiator to retain some of its internal states using the current pool in each SDP negotiation cycle, however there is a scenario where it fails to retain internal state initial_sdp:
- normal SDP offer/answer + negotiation, this cycle uses pool 1
- send reoffer using pjmedia_sdp_neg_send_local_offer(), this cycle uses pool 2, unfortunately initial_sdp is not retained by pjmedia_sdp_neg_send_local_offer(), so after SDP nego, pool 1 is reset and initial_sdp becomes invalid
- receive reoffer, when answering using pjmedia_sdp_neg_set_local_answer(), the invalid initial_sdp is accessed.
Thanks Joshua Colp for the report and the patch.
Change History (1)
comment:1 Changed 10 years ago by nanang
- Resolution set to fixed
- Status changed from new to closed
Note: See
TracTickets for help on using
tickets.
In 5040: