Opened 3 years ago

Closed 3 years ago

#1901 closed defect (fixed)

Fix crash when async_cnt is set to a value greater than one for SIP TLS transport

Reported by: ming
Owned by: bennylp
Priority: normal
Milestone: release-2.5
Component: pjsip
Version: trunk
Keywords:
Cc:
Backport to 1.x milestone:
Backported: no

Description (last modified by ming)

The API pjsip_tls_transport_start()/start2() accepts parameter async_cnt which, according to the doc, specifies the number of simultaneous asynchronous accept() operations to be supported. However, the newly-created incoming secure sockets, which will be created in on_accept_complete() callback, will also have the same async_cnt. This will result in asynchronous receive operations as well, which is undesirable since pj_ssl_sock_start_read2() is called only with a single buffer (i.e. rdata->pkt_info.packet).

As a result, this may cause a crash such as reported in https://issues.asterisk.org/jira/browse/ASTERISK-25615, with a stack trace like this:

    frame #2: 0x00007fff8859c62c libssl.0.9.8.dylib`ssl3_read + 156
    frame #3: 0x000000010020748b pjsua-x86_64-apple-darwin15.0.0`asock_on_data_read(asock=0x0000000101942348, data=0x000000010203c828, size=394, status=0, remainder=0x000070000052e510) + 363 at ssl_sock_ossl.c:1596
    frame #4: 0x00000001001f5aa9 pjsua-x86_64-apple-darwin15.0.0`ioqueue_on_read_complete(key=0x0000000101031dd8, op_key=0x0000000102037170, bytes_read=394) + 217 at activesock.c:493
    frame #5: 0x00000001001ea985 pjsua-x86_64-apple-darwin15.0.0`ioqueue_dispatch_read_event(ioqueue=0x00000001010358d8, h=0x0000000101031dd8) + 1029 at ioqueue_common_abs.c:605
    frame #6: 0x00000001001ed93f pjsua-x86_64-apple-darwin15.0.0`pj_ioqueue_poll(ioqueue=0x00000001010358d8, timeout=0x000070000052ee20) + 1727 at ioqueue_select.c:981

Change History (2)

comment:1 Changed 3 years ago by ming

  • Description modified (diff)
  • Summary changed from Support simultaneous asynchronous read operations for SIP TCP/TLS transport (i.e. support async_cnt > 1) to Fix crash when async_cnt is set to a value greater than one for SIP TLS transport

comment:2 Changed 3 years ago by ming

  • Resolution set to fixed
  • Status changed from new to closed

In 5214:

Fixed #1901: crash when async_cnt is set to a value greater than one for SIP TLS transport
