![(please configure the [header_logo] section in trac.ini)](/repos/chrome/site/pj.jpg)
Opened 15 years ago
Closed 15 years ago
#718 closed defect (fixed)
Crash when handling incoming request without rport (thanks Norma Steveley and Seth Hinze for the report)
| Reported by: | bennylp | Owned by: | bennylp |
|---|---|---|---|
| Priority: | major | Milestone: | release-1.1 |
| Component: | pjsip | Version: | trunk |
| Keywords: | Cc: | ||
| Backport to 1.x milestone: | Backported: |
Description (last modified by bennylp)
The Microsoft RTC stack does not put a rport in its request via which causes pjsip_get_response_addr() to set the res_addr.transport to NULL. tsx_on_state_proceeding_uas() then dereferences the transport w/o checking for NULL, which, of course, causes the unhandled exception/segmentation fault.
The crash occurs when 1) pjsip responds to a BYE it received from the UDP transport, where the remote SIP stack that sent the BYE does not include the rport in the Via header and 2) the UDP transport's sendto call in pjsup that sends the 200 Response returns pending. Here is the sequence of events:
- pjsip receives a BYE
- the transaction layer initializes a pjsip_transaction from the rdata
- The transport layer tries to get the response addr by calling pjsip_get_response_addr()
- Inside pjsip_get_response_addr(), the incoming transport is not reliable and the rport is -1 (not set), the response transport is set to NULL
- The 200 Response is sent to the UDP transport via the endpoint resolver by pjsip_endpt_send_request_stateless()
- udp_send_msg returns PJ_EPENDING
- the call stack returns to tsx_on_state_proceeding_uas() where the restransmit timer is scheduled
- Pjsip checks to see if tsx->transport is reliable, but tsx->transport is NULL
Now, if in step 6, udp_send_msg returns PJ_SUCCESS, the send_msg_callback is called, inside that callback tsx->transport is set and when the call stack returns to tsx_on_state_proceeding_uas() the transport reliability check does not crash.
Thank you Norma and Seth again for the detailed report and patch suggestion.
Change History (3)
comment:1 Changed 15 years ago by bennylp
- Description modified (diff)
- Summary changed from Segmentaion fault when handling incoming request without rport (thanks Norma Steveley and Seth Hinze for the report) to Crash when handling incoming request without rport (thanks Norma Steveley and Seth Hinze for the report)
comment:2 Changed 15 years ago by bennylp
comment:3 Changed 15 years ago by bennylp
- Resolution set to fixed
- Status changed from new to closed
Fixed in r2442:
- SIP transaction should use is_reliable flag instead of accessing the transport
- added couple of scripts in the unit-test framework to test receiving requests (INVITE and non-INVITE) without rport. Note that this may not always reproduce the symptom since usually socket sendto() returns PJ_SUCCESS on most platforms.
The corresponding ticket for 1.0 branch is #719.