Opened 6 years ago

Closed 6 years ago

#2104 closed defect (fixed)

Prevent double free on Failed STUN resolution

Reported by: riza Owned by: bennylp
Priority: normal Milestone: release-2.8
Component: pjsua-lib Version: trunk
Keywords: Cc:
Backport to 1.x milestone: Backported: no

Description

Failed STUN resolution when starting the library might lead to a crash caused by double free.

Scenario:

  1. Set stun_ignore_failure to PJ_FALSE.
  2. Turn networking OFF (Linux network connections menu)
  3. Start the application
  4. pjsua_core.c !.STUN resolution failed: gethostbyname() has returned error (PJ_ERESOLVE).
  5. pjsua_core.c .Error resolving STUN server: gethostbyname() has returned error (PJ_ERESOLVE) [status=70018]
  6. double free, crash

Internal flow:

  • pjsua_init() -> resolve_stun_server() : fail -> schedule timer to call destroy_stun_resolve_cb()
  • exit pjsua_init() -> destroy_stun_resolve() -> schedule new timer to destroy STUN session. The previous timer entry hasn't been processed by worker thread
  • double free and crash in busy_sleep()

Thank you to Denis Poltorak for the report.
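The scheduling pattern the ticket describes, as an added illustration that is not pjsip's own code: a toy timer heap in which the failed-resolution path and the pjsua_destroy2() path both queue a destroy callback for the same STUN session, beside a guarded variant that records that destruction is already pending. The session struct, the heap, the `destroy_pending` flag and the free counter are constructed for this example; real pjlib tracks pending entries through its own timer-entry fields.

```c
#include <stdbool.h>
#include <string.h>

/* Toy timer heap standing in for pjlib's: queued callbacks run later when a
 * worker thread polls. Constructed for this example, not the pjlib API. */
typedef struct stun_session { int free_count; bool destroy_pending; } stun_session;
typedef struct timer_entry { void (*cb)(struct timer_entry *); stun_session *sess; } timer_entry;

#define MAX_PENDING 4
static timer_entry *pending[MAX_PENDING];
static int n_pending;

static void timer_schedule(timer_entry *e) { pending[n_pending++] = e; }

/* Worker thread draining the heap: the point where the ticket's busy_sleep() crashed. */
static void timer_poll(void) {
    for (int i = 0; i < n_pending; i++) pending[i]->cb(pending[i]);
    n_pending = 0;
}

static void destroy_stun_resolve_cb(timer_entry *e) {
    e->sess->destroy_pending = false;
    e->sess->free_count++;            /* stands in for releasing the session memory */
}

/* Before the fix: the resolve_stun_server() failure path and destroy_stun_resolve()
 * each queue their own entry for the same session, so the callback runs twice. */
int stun_frees_buggy(void) {
    stun_session sess = {0};
    timer_entry e1 = { destroy_stun_resolve_cb, &sess }, e2 = e1;
    timer_schedule(&e1);   /* STUN resolution failed inside pjsua_init() */
    timer_schedule(&e2);   /* pjsua_destroy2() path while e1 is still pending */
    timer_poll();
    return sess.free_count;          /* 2: the double free */
}

/* After the fix: a per-session flag records that destruction is already scheduled,
 * so the second path skips queueing a new timer instead of freeing again. */
int stun_frees_fixed(void) {
    stun_session sess = {0};
    timer_entry e1 = { destroy_stun_resolve_cb, &sess }, e2 = e1;
    if (!sess.destroy_pending) { sess.destroy_pending = true; timer_schedule(&e1); }
    if (!sess.destroy_pending) { sess.destroy_pending = true; timer_schedule(&e2); }
    timer_poll();
    return sess.free_count;          /* 1 */
}
```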

Change History (3)

comment:1 Changed 6 years ago by riza

In r5762:

Fixed #2104: Prevent double free on Failed STUN resolution.

comment:2 Changed 6 years ago by riza

In 5765:

Re #2104: Make sure that STUN session is destroyed and prevent new timer for
STUN destruction on pjsua_destroy2().

comment:3 Changed 6 years ago by riza

  • Resolution set to fixed
  • Status changed from new to closed