Opened 3 years ago

Closed 3 years ago

#1935 closed defect (fixed)

Crash when account is deleted while sending of SIP REGISTER message is in progress

Reported by: nanang Owned by: bennylp
Priority: normal Milestone: release-2.5.5
Component: pjsip Version: trunk
Keywords: Cc:
Backport to 1.x milestone: Backported: no

Description

Call stack:

0x1003beba0 pjsip_uri_get_uri + 4299287456
0x1003be814 pjsip_name_addr_print + 4299286548
0x1003be814 pjsip_name_addr_print + 4299286548
0x1003b1dc4 pjsip_uri_print + 4299234756
0x1003b4f44 pjsip_contact_hdr_print + 4299247428
0x1003b1e28 pjsip_hdr_print_on + 4299234856
0x1003b18b0 pjsip_msg_print + 4299233456
0x1003c5bbc pjsip_tx_data_encode + 4299316156
0x1003c8818 mod_on_tx_msg + 4299327512
0x1003c0110 endpt_on_tx_msg + 4299292944
0x1003c625c pjsip_transport_send + 4299317852
0x1003c407c stateless_send_transport_cb + 4299309180
0x1003c31a4 stateless_send_resolver_callback + 4299305380
0x1003c4f84 srv_resolver_cb + 4299313028
0x10033bc00 dns_callback + 4298750976
0x100335028 on_read_complete + 4298723368
0x10034055c ioqueue_dispatch_read_event + 4298769756
0x100342654 pj_ioqueue_poll + 4298778196

Scenario:

  1. PJSUA is started using a nameserver.
  2. Send REGISTER to a hostname, so that DNS SRV resolution kicks in.
  3. Suspend the process (e.g. go to background on iOS); this can perhaps also be simulated by a network disconnection.
  4. Resume the process (e.g. go to foreground on iOS) after some time, e.g. 4 minutes.
  5. Sending of the REGISTER message times out, i.e. a 408 response.
  6. Delete the corresponding account (the one that initiated the registration).
  7. A crash occurs after DNS SRV resolution completes successfully and the REGISTER message is ready to be sent; the crash happens while printing the Contact header.

When the account is deleted, the pjsip_regc instance is also deleted, including its memory pool, while some headers in the txdata of the REGISTER message, e.g. the Contact header, are allocated from the pjsip_regc pool.

Thanks Isac Souza for the report.

Change History (1)

comment:1 Changed 3 years ago by nanang

  • Resolution set to fixed
  • Status changed from new to closed

In 5352:

Fix #1935: Avoid shallow-cloning headers in the SIP registration client, as when sending of the REGISTER message is done asynchronously via DNS SRV resolution, pjsip_regc may get destroyed prematurely and some data allocated from the pjsip_regc pool (e.g. the Contact header) will become invalid too before the sending process is completed.
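The pool-lifetime hazard from the ticket description and the deep-clone fix named in the commit message, as an added example that is not PJSIP code: a constructed bump-allocator model stands in for pj_pool_t, and contact_shallow_clone / contact_clone stand in for the shallow and deep header clones. The hdr_owned_by check makes visible why a shallow-cloned Contact header dangles once the regc pool is destroyed while the txdata is still waiting to be sent.

```c
#include <assert.h>
#include <stdint.h>
#include <string.h>
/* Bump-allocator model of a pj_pool_t, constructed for this example; not PJSIP's code. */
typedef struct { char buf[256]; size_t used; } pool_t;
static void *pool_alloc(pool_t *p, size_t n) {
    void *mem = p->buf + p->used;
    assert(p->used + n <= sizeof(p->buf));
    p->used += n;
    return mem;
}
/* Counted string like pj_str_t, and a Contact-like header holding one. */
typedef struct { char *ptr; size_t slen; } str_t;
typedef struct { str_t uri; } contact_hdr_t;
static contact_hdr_t *contact_create(pool_t *pool, const char *uri) {
    contact_hdr_t *h = pool_alloc(pool, sizeof *h);
    h->uri.slen = strlen(uri);
    h->uri.ptr = pool_alloc(pool, h->uri.slen);
    memcpy(h->uri.ptr, uri, h->uri.slen);
    return h;
}
/* Shallow clone: new struct in dst, but uri.ptr still points into the source (regc) pool. */
static contact_hdr_t *contact_shallow_clone(pool_t *dst, const contact_hdr_t *src) {
    contact_hdr_t *h = pool_alloc(dst, sizeof *h);
    *h = *src;
    return h;
}
/* Deep clone: the string bytes are copied into dst too, so the clone stays
 * valid after the source pool is destroyed. */
static contact_hdr_t *contact_clone(pool_t *dst, const contact_hdr_t *src) {
    contact_hdr_t *h = contact_shallow_clone(dst, src);
    h->uri.ptr = pool_alloc(dst, src->uri.slen);
    memcpy(h->uri.ptr, src->uri.ptr, src->uri.slen);
    return h;
}
/* 1 if the header struct and every byte it references live inside pool. */
static int hdr_owned_by(const contact_hdr_t *h, const pool_t *pool) {
    uintptr_t lo = (uintptr_t)pool->buf, hi = lo + sizeof(pool->buf);
    uintptr_t hp = (uintptr_t)h, sp = (uintptr_t)h->uri.ptr;
    return hp >= lo && hp < hi && sp >= lo && sp + h->uri.slen <= hi;
}
/* Ticket scenario: the Contact is built in the regc pool and cloned into the
 * tdata pool; returns 1 only if the clone would survive destroying regc. */
static int clone_survives_regc_destroy(int deep) {
    pool_t regc = {{0}, 0}, tdata = {{0}, 0};
    contact_hdr_t *orig = contact_create(&regc, "<sip:alice@example.com>");
    contact_hdr_t *c = deep ? contact_clone(&tdata, orig)
                            : contact_shallow_clone(&tdata, orig);
    return hdr_owned_by(c, &tdata);
}
```

The same ownership check can be applied to any pointer a txdata carries: everything it references must be allocated from the txdata's own pool if the txdata may outlive the object that built it.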
