Hi,

I am using pjsip 2.1.0 and sometimes I face crashes when I receive an UPDATE and try to answer it. My code uses the pjsip invite API.

The structure pjsip_inv_session has two pools to deal with SDP negotiation, pool_prov and pool_active, and switches between them. The pjmedia_sdp_neg structure (defined in sdp_neg.c) has a copy of the initial local SDP in the field initial_sdp. When I receive an INVITE containing an SDP, pjmedia_sdp_neg_set_local_answer is called and builds initial_sdp, taking memory from pool_prov. At the end of the negotiation, pool_prov and pool_active are swapped, so initial_sdp is in pool_active.

When I receive an UPDATE, the mod_inv.cb.on_rx_offer callback is called with the offer. The callback calls pjsip_inv_set_sdp_answer with the local SDP, and pjsip_inv_set_sdp_answer calls pjmedia_sdp_neg_set_local_answer. This function copies the origin.id from initial_sdp to neg_local_sdp. Then pool_prov and pool_active are swapped, so now initial_sdp is in pool_prov. But pool_prov is cleaned, so initial_sdp points to an invalid address. With the next UPDATE, pjmedia_sdp_neg_set_local_answer tries to access initial_sdp->origin.id and sometimes the program crashes.

The crash is not systematic because a pool is a list of buffers and the cleaning frees all the buffers except the first one. If initial_sdp is allocated from the first buffer, it survives the cleaning. If pjmedia_sdp_neg_modify_local_offer is called (because I want to send an UPDATE with a different SDP), initial_sdp is not allocated from the head of the list and the crash is systematic.

My workaround is to add a field initial_oid to the pjmedia_sdp_neg structure, into which I copy initial_sdp->origin.id each time initial_sdp is modified. And in pjmedia_sdp_neg_modify_local_offer, I retrieve the origin.id from initial_oid.

--- ./pjmedia/src/pjmedia/sdp_neg.c 2013-02-21 21:49:19.000000000 +0100 +++ /opt/mmx/sip.d/my_sdp_neg.c 2014-06-05 18:20:46.000000000 +0200
@@ -35,6 +35,7 @@ pj_bool_t prefer_remote_codec_order; pj_bool_t has_remote_answer; pj_bool_t answer_was_remote; + pj_uint32_t initial_oid; pjmedia_sdp_session *initial_sdp, /**< Initial local SDP */ *active_local_sdp, /**< Currently active local SDP. */ @@ -115,6 +116,7 @@ neg->state = PJMEDIA_SDP_NEG_STATE_LOCAL_OFFER; neg->prefer_remote_codec_order = PJMEDIA_SDP_NEG_PREFER_REMOTE_CODEC_ORDER; neg->initial_sdp = pjmedia_sdp_session_clone(pool, local); + neg->initial_oid = neg->initial_sdp->origin.id; neg->neg_local_sdp = pjmedia_sdp_session_clone(pool, local); *p_neg = neg; @@ -154,6 +156,7 @@ status); neg->initial_sdp = pjmedia_sdp_session_clone(pool, initial); + neg->initial_oid = neg->initial_sdp->origin.id; neg->neg_local_sdp = pjmedia_sdp_session_clone(pool, initial); neg->state = PJMEDIA_SDP_NEG_STATE_WAIT_NEGO; @@ -357,6 +360,7 @@ /* New_offer fixed */ neg->initial_sdp = new_offer; + neg->initial_oid = neg->initial_sdp->origin.id; neg->neg_local_sdp = pjmedia_sdp_session_clone(pool, new_offer); return PJ_SUCCESS; @@ -466,9 +470,10 @@ * Note that the version will be incremented in * pjmedia_sdp_neg_negotiate() */ - neg->neg_local_sdp->origin.id = neg->initial_sdp->origin.id; + neg->neg_local_sdp->origin.id = neg->initial_oid; } else { neg->initial_sdp = pjmedia_sdp_session_clone(pool, local); + neg->initial_oid = neg->initial_sdp->origin.id; } } else { PJ_ASSERT_RETURN(neg->initial_sdp, PJMEDIA_SDPNEG_ENOINITIAL); ~ I hope a more elegant fix can be found. Thanks Bernard -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.pjsip.org/pipermail/pjsip_lists.pjsip.org/attachments/20140605/9dce0584/attachment.html> -------------- next part -------------- A non-text attachment was scrubbed... Name: sdp_neg.patch Type: application/octet-stream Size: 1982 bytes Desc: sdp_neg.patch URL: <http://lists.pjsip.org/pipermail/pjsip_lists.pjsip.org/attachments/20140605/9dce0584/attachment.patch>
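Review bot: the new member `pj_uint32_t initial_oid;` in the first hunk (@@ -35) has no doc comment, while its neighbours carry `/**< ... */` descriptions (`pjmedia_sdp_session *initial_sdp, /**< Initial local SDP */`). Suggest something like `pj_uint32_t initial_oid; /**< origin.id of initial_sdp, kept separately because initial_sdp may live in a pool that is reset */` so a later reader knows why a second copy of the id exists and that it must be refreshed wherever initial_sdp is assigned.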
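Review bot: starting with the hunk at @@ -115, the pair `neg->initial_sdp = ...;` followed by `neg->initial_oid = neg->initial_sdp->origin.id;` is repeated at every assignment of initial_sdp (@@ -115, @@ -154, @@ -357 and the else branch of @@ -466), and any future assignment that forgets the second line silently reintroduces the stale-id problem. A small static helper in sdp_neg.c that stores the pointer and the id together would make the invariant hard to miss, and would leave only one place to touch if the representation changes again.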
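Review bot: the hunk at @@ -466 removes the one dereference of `neg->initial_sdp` that was observed crashing but leaves the pointer itself dangling after the swap and reset described in the post, and the visible `PJ_ASSERT_RETURN(neg->initial_sdp, PJMEDIA_SDPNEG_ENOINITIAL);` in the else branch only tests for NULL, which a stale pointer passes. Any other path that reads `neg->initial_sdp` after the reset is still a read of freed memory. A fix that keeps the pointer valid, for example cloning initial_sdp into the pool that survives the swap before the provisional pool is reset, or clearing the pointer when its pool is reset, would address the root cause rather than this single read.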
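A toy model of the failure described above, as an added example that is not part of the original post or of pjsip: the `pool`, `sdp` and `neg` types and the functions `neg_set_local_answer`, `neg_complete` and `run_session` are hypothetical stand-ins for pj_pool_t, pjmedia_sdp_session, pjmedia_sdp_neg and the pjsip functions named in the post. It reproduces the swap-then-reset sequence deterministically (the remote offer is cloned first so that initial_sdp does not land in the kept first block, the situation the post attributes to pjmedia_sdp_neg_modify_local_offer) and shows an alternative to caching the id in a separate field: re-cloning initial_sdp into the surviving pool before the swap. Instead of reading the stale pointer, which would be undefined behaviour, the model checks whether it still points into a live block.

```c
/* Added example, not pjsip code. Pool, SDP and negotiator are hypothetical
 * stand-ins for pj_pool_t, pjmedia_sdp_session and pjmedia_sdp_neg. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define BLOCK_SIZE 32   /* tiny on purpose: a pool grows a second block at once */

typedef struct block { struct block *next; size_t used; unsigned char data[BLOCK_SIZE]; } block;
typedef struct pool  { block *head, *tail; } pool;   /* head is the first (kept) block */

static void *pool_alloc(pool *p, size_t n)
{
    if (n > BLOCK_SIZE) return NULL;
    if (!p->tail || p->tail->used + n > BLOCK_SIZE) {      /* append a new block */
        block *b = calloc(1, sizeof *b);
        if (!b) return NULL;
        if (p->tail) p->tail->next = b; else p->head = b;
        p->tail = b;
    }
    void *r = p->tail->data + p->tail->used;
    p->tail->used += n;
    return r;
}

static void pool_free_from(block *b) { while (b) { block *nx = b->next; free(b); b = nx; } }

/* Reset as the post describes it: every block but the first is freed, so an
 * object in the first block keeps a valid address while anything else dangles. */
static void pool_reset(pool *p)
{
    if (!p->head) return;
    pool_free_from(p->head->next);
    p->head->next = NULL; p->head->used = 0; p->tail = p->head;
}

/* Range check done on integers, so it is well defined even for a stale pointer. */
static int pool_owns(const pool *p, const void *ptr)
{
    uintptr_t a = (uintptr_t)ptr;
    for (const block *b = p->head; b; b = b->next)
        if (a >= (uintptr_t)b->data && a < (uintptr_t)b->data + b->used) return 1;
    return 0;
}

typedef struct sdp { uint32_t origin_id, origin_version; char name[16]; } sdp;  /* 24 bytes */

static sdp *sdp_clone(pool *p, const sdp *s) { sdp *d = pool_alloc(p, sizeof *d); if (d) *d = *s; return d; }

typedef struct neg {
    pool pools[2];
    int  active;                                  /* pools[active] plays pool_active */
    sdp *initial_sdp, *neg_local_sdp, *active_local_sdp, *remote_sdp;
} neg;
#define PROV(n)   (&(n)->pools[1 - (n)->active])
#define ACTIVE(n) (&(n)->pools[(n)->active])

/* Stand-in for pjmedia_sdp_neg_set_local_answer. The remote offer is cloned
 * first so initial_sdp lands outside the first block and cannot survive a reset. */
static int neg_set_local_answer(neg *n, const sdp *remote, const sdp *local)
{
    n->remote_sdp = sdp_clone(PROV(n), remote);
    if (!n->initial_sdp) n->initial_sdp = sdp_clone(PROV(n), local);
    n->neg_local_sdp = sdp_clone(PROV(n), local);
    if (!n->remote_sdp || !n->initial_sdp || !n->neg_local_sdp) return -1;
    n->neg_local_sdp->origin_id = n->initial_sdp->origin_id;   /* the read that crashed */
    n->neg_local_sdp->origin_version++;
    return 0;
}

/* End of a round: swap the pools and reset the new pool_prov. With keep_initial
 * set, initial_sdp is first re-cloned into the pool that survives the swap. */
static void neg_complete(neg *n, int keep_initial)
{
    n->active_local_sdp = n->neg_local_sdp;
    if (keep_initial && pool_owns(ACTIVE(n), n->initial_sdp))
        n->initial_sdp = sdp_clone(PROV(n), n->initial_sdp);
    n->active = 1 - n->active;
    pool_reset(PROV(n));
}

static int neg_initial_is_live(const neg *n)
{ return pool_owns(&n->pools[0], n->initial_sdp) || pool_owns(&n->pools[1], n->initial_sdp); }

typedef struct result { int live; uint32_t origin_id; } result;

/* One INVITE answered, then `updates` UPDATEs answered. live == 0 means the
 * next answer would have read initial_sdp from a freed block. */
static result run_session(int updates, int keep_initial)
{
    neg n = {0};
    sdp local = { 0x1234u, 1, "local" }, remote = { 0x9999u, 1, "remote" };  /* constructed */
    result r = { 0, 0 };
    if (neg_set_local_answer(&n, &remote, &local) == 0) {
        neg_complete(&n, keep_initial);
        r.live = 1;
        for (int i = 0; i < updates && r.live; i++) {
            r.live = neg_initial_is_live(&n) && neg_set_local_answer(&n, &remote, &local) == 0;
            if (r.live) neg_complete(&n, keep_initial);
        }
        if (r.live) r.live = neg_initial_is_live(&n);
        if (r.live) r.origin_id = n.active_local_sdp->origin_id;
    }
    pool_free_from(n.pools[0].head); pool_free_from(n.pools[1].head);
    return r;
}

int main(void)
{
    printf("no fix, 1 UPDATE: initial_sdp live=%d\n", run_session(1, 0).live);
    printf("re-clone, 3 UPDATEs: live=%d origin_id=0x%x\n",
           run_session(3, 1).live, run_session(3, 1).origin_id);
    return 0;
}
```

Without the re-clone, initial_sdp is already dangling after the first UPDATE round, exactly the sequence in the post; with it, the pointer follows the surviving pool and the origin id stays stable across rounds without a second copy of the field.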