Opened 8 years ago
Closed 8 years ago
#1959 closed defect (fixed)
Add reference counter to pjsip_inv_session to avoid race condition
Reported by: | riza | Owned by: | bennylp |
---|---|---|---|
Priority: | normal | Milestone: | release-2.6 |
Component: | pjsip | Version: | trunk |
Keywords: | Cc: | ||
Backport to 1.x milestone: | Backported: | no |
Description
When a transport error occured on an INVITE session
the stack calls on_tsx_state_changed with new
state PJSIP_INV_STATE_DISCONNECTED and immediately
destroys the INVITE session.
At the same time this INVITE session could being
processed on another thread.
This thread could use the session's memory pools which
were already freed, so we get segfault.
This ticket adds a reference counter and new functions:
pjsip_inv_add_ref and pjsip_inv_dec_ref.
The INVITE session is destroyed only when the reference
counter has reached zero.
To avoid race condition an application should call
pjsip_inv_add_ref/pjsip_inv_dec_ref.
Scenario using TLS:
- The incoming INVITE received, pjsip called an on_rx_request.
- An application pushed the INVITE session's data to a task queue on the on_rx_request.
- The application popped the task and started processing INVITE session on different thread.
- The TCP/TLS connection has been disconnected (transport error), as result PJSIP_TSX_STATE_TERMINATED.
- The pjsip called inv_set_state with state PJSIP_INV_STATE_DISCONNECTED.
- The pjsip called on_tsx_state_changed.
- The application received on_tsx_state_changed, but on different thread then this INVITE session was being processed.
- The pjsip destroyed the INVITE session while application was still processing this session.
Thanks to Alexei Gradinari for the original patch
Change History (2)
comment:1 Changed 8 years ago by riza
comment:2 Changed 8 years ago by riza
- Resolution set to fixed
- Status changed from new to closed
In 5435: