Opened 7 years ago

Closed 7 years ago

#2007 closed defect (fixed)

Possible crash when using session timer due to the early release of dialog pool

Reported by: riza
Owned by: bennylp
Priority: normal
Milestone: release-2.7
Component: pjsip
Version: trunk
Keywords:
Cc:
Backport to 1.x milestone:
Backported: no

Description

There is a possible issue in the sip_timer.c::timer_cb(), more specifically, in the last log call made in that method.

This is because the dialog that corresponds to the pjsip_inv_session object is unlocked, and the dialog may be destroyed in the subsequent call to pjsip_inv_send_msg(). Since the invite session object's memory pool simply points to the dialog's memory pool (and the invite session object itself is allocated from the same pool), this memory may thereby already have been freed once the log call is executed.

The issue was encountered when testing the session expiration timeout: after a call has been established from A to B, B's network connection is cut, and the session expiration timeout is awaited. Once the timer times out, the case above seems to occur.

Thanks to Christoffer Lauri and Fredrik Hansson for the report.
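The lifetime hazard described in this ticket, reduced to a self-contained illustration. This is an added example, not pjsip code and not the change committed in r5576: the toy pool, dialog and session types and the function names (toy_pool, toy_dlg, toy_inv, send_msg_may_destroy, timer_cb_vulnerable, timer_cb_hardened) are hypothetical stand-ins. The "send" may drop the last reference to the dialog, which releases the pool that the session object lives in; the vulnerable callback then reads the session for its log line, while the hardened callback copies what the log needs into locals before the send. The pool is a static buffer that is poisoned rather than freed, so the stale read is observable deterministically instead of being undefined behaviour.

```c
/* Added example (not pjsip code): simulates the use-after-release ordering
 * from ticket #2007 with a toy arena. All names here are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

#define POOL_SIZE 256
#define POISON    0xDD                       /* written over a released pool */
#define POISON_STATE ((int32_t)0xDDDDDDDD)  /* what a stale int32 read yields */

typedef struct toy_pool {
    unsigned char buf[POOL_SIZE];            /* first member: pointer-aligned */
    size_t used;
    int alive;
} toy_pool;

/* Dialog owns the pool; the session is carved out of the dialog's pool, the
 * same way pjsip_inv_session is allocated from the pjsip_dialog pool. */
typedef struct toy_dlg { toy_pool *pool; int refcnt; } toy_dlg;
typedef struct toy_inv { toy_dlg *dlg; int32_t state; } toy_inv;

static void *pool_alloc(toy_pool *p, size_t n) {
    if (!p->alive || p->used + n > POOL_SIZE) return NULL;
    void *mem = p->buf + p->used;
    p->used += n;
    return mem;
}

/* Simulates freeing: memory stays mapped (so the demo is well-defined) but is
 * overwritten, as reused heap memory would be in the real crash. */
static void pool_release(toy_pool *p) {
    memset(p->buf, POISON, POOL_SIZE);
    p->alive = 0;
}

/* Dropping the last dialog reference releases the dialog's pool. */
static void dlg_dec_ref(toy_dlg *d) {
    if (--d->refcnt == 0) pool_release(d->pool);
}

/* Stand-in for pjsip_inv_send_msg(): sending may end the dialog, and with it
 * the pool that inv itself was allocated from. */
static void send_msg_may_destroy(toy_inv *inv, int terminates_dialog) {
    toy_dlg *d = inv->dlg;
    if (terminates_dialog) dlg_dec_ref(d);
}

/* Vulnerable ordering: the log line reads inv after the send. Returns the
 * value that would have been logged. */
static int32_t timer_cb_vulnerable(toy_inv *inv, int terminates_dialog) {
    send_msg_may_destroy(inv, terminates_dialog);
    return inv->state;                       /* stale read if pool released */
}

/* Hardened ordering: capture everything the log needs while inv is still
 * guaranteed alive, then send. The send may free inv; we never touch it after. */
static int32_t timer_cb_hardened(toy_inv *inv, int terminates_dialog) {
    int32_t state_for_log = inv->state;
    send_msg_may_destroy(inv, terminates_dialog);
    return state_for_log;
}

/* Builds a fresh dialog + session pair; returns NULL on allocation failure. */
static toy_inv *make_session(toy_pool *pool, toy_dlg *dlg, int32_t state) {
    memset(pool, 0, sizeof *pool);
    pool->alive = 1;
    dlg->pool = pool;
    dlg->refcnt = 1;
    toy_inv *inv = pool_alloc(pool, sizeof *inv);
    if (!inv) return NULL;
    inv->dlg = dlg;
    inv->state = state;
    return inv;
}

/* Runs one scenario (session state constructed as 5) and returns the value
 * the timer callback ended up "logging". */
static int32_t run_scenario(int hardened, int terminates_dialog) {
    static toy_pool pool;
    static toy_dlg dlg;
    toy_inv *inv = make_session(&pool, &dlg, 5);
    if (!inv) return -1;
    return hardened ? timer_cb_hardened(inv, terminates_dialog)
                    : timer_cb_vulnerable(inv, terminates_dialog);
}

int main(void) {
    printf("vulnerable, dialog survives : %d\n", run_scenario(0, 0));
    printf("vulnerable, dialog destroyed: %d\n", run_scenario(0, 1));
    printf("hardened,   dialog destroyed: %d\n", run_scenario(1, 1));
    return 0;
}
```

Copying values out before the call is the narrowest fix; the other option pjsip offers is to hold a dialog reference across the send (pjsip_dlg_inc_lock()/pjsip_dlg_dec_lock()) so the pool cannot be released until the callback is done. The ticket does not say which approach r5576 took, so the block above makes no claim about that.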

Change History (1)

comment:1 Changed 7 years ago by riza

  • Resolution set to fixed
  • Status changed from new to closed

In 5576:

Fix #2007: Fix Possible crash when using session timer due to the early release of dialog pool.
