Opened 10 years ago

Closed 10 years ago

#718 closed defect (fixed)

Crash when handling incoming request without rport (thanks Norma Steveley and Seth Hinze for the report)

Reported by: bennylp Owned by: bennylp
Priority: major Milestone: release-1.1
Component: pjsip Version: trunk
Keywords: Cc:
Backport to 1.x milestone: Backported:

Description (last modified by bennylp)

The Microsoft RTC stack does not put a rport in its request via which causes pjsip_get_response_addr() to set the res_addr.transport to NULL. tsx_on_state_proceeding_uas() then dereferences the transport w/o checking for NULL, which, of course, causes the unhandled exception/segmentation fault.

The crash occurs when 1) pjsip responds to a BYE it received from the UDP transport, where the remote SIP stack that sent the BYE does not include the rport in the Via header and 2) the UDP transport's sendto call in pjsup that sends the 200 Response returns pending. Here is the sequence of events:

  1. pjsip receives a BYE
  2. the transaction layer initializes a pjsip_transaction from the rdata
  3. The transport layer tries to get the response addr by calling pjsip_get_response_addr()
  4. Inside pjsip_get_response_addr(), the incoming transport is not reliable and the rport is -1 (not set), the response transport is set to NULL
  5. The 200 Response is sent to the UDP transport via the endpoint resolver by pjsip_endpt_send_request_stateless()
  6. udp_send_msg returns PJ_EPENDING
  7. the call stack returns to tsx_on_state_proceeding_uas() where the restransmit timer is scheduled
  8. Pjsip checks to see if tsx->transport is reliable, but tsx->transport is NULL

Now, if in step 6, udp_send_msg returns PJ_SUCCESS, the send_msg_callback is called, inside that callback tsx->transport is set and when the call stack returns to tsx_on_state_proceeding_uas() the transport reliability check does not crash.

Thank you Norma and Seth again for the detailed report and patch suggestion.

Change History (3)

comment:1 Changed 10 years ago by bennylp

  • Description modified (diff)
  • Summary changed from Segmentaion fault when handling incoming request without rport (thanks Norma Steveley and Seth Hinze for the report) to Crash when handling incoming request without rport (thanks Norma Steveley and Seth Hinze for the report)

comment:2 Changed 10 years ago by bennylp

The corresponding ticket for 1.0 branch is #719.

comment:3 Changed 10 years ago by bennylp

  • Resolution set to fixed
  • Status changed from new to closed

Fixed in r2442:

  • SIP transaction should use is_reliable flag instead of accessing the transport
  • added couple of scripts in the unit-test framework to test receiving requests (INVITE and non-INVITE) without rport. Note that this may not always reproduce the symptom since usually socket sendto() returns PJ_SUCCESS on most platforms.
Note: See TracTickets for help on using tickets.