crash in pjmedia_sdp_neg_set_local_answer


 



Hi,

I am using PJSIP 2.3 and sometimes I face crashes when I receive a third INVITE (equivalent to UPDATE). The scenario is:

1) INVITE with SDP received, then 200/OK with SDP sent

2) INVITE with no SDP received. 200/OK with SDP sent and ACK with SDP received.

3) INVITE with SDP received

My code uses PJSIP invite API. The structure pjsip_inv_session has 2 pools to deal with SDP negotiation, pool_prov and pool_active, and switches between them after each negotiation.
The pjmedia_sdp_neg structure (defined in sdp_neg.c) has a copy of the initial local SDP in field initial_sdp.

When I receive the first INVITE, pjmedia_sdp_neg_set_local_answer is called and builds initial_sdp, taking memory from pool_prov. At the end of the negotiation, pool_prov and pool_active are swapped, so initial_sdp is in pool_active. pool_prov is cleaned.
When the 2nd INVITE arrives, with no SDP, the API inserts an SDP into the answer, using pjmedia_sdp_neg_send_local_offer. This function does not touch initial_sdp. When the ACK, with SDP, is received, negotiation is done and buffers are swapped, so initial_sdp is in pool_prov and cleaned.
For the 3rd INVITE, with SDP, the mod_inv.cb.on_rx_offer callback is called with the offer. The callback calls pjsip_inv_set_sdp_answer with the local SDP, and pjsip_inv_set_sdp_answer calls pjmedia_sdp_neg_set_local_answer, which tries to duplicate initial_sdp. But it was cleaned at the end of the previous negotiation?

My workaround is to clone initial_sdp in pjmedia_sdp_neg_send_local_offer, but I am not sure it is sufficient:

--- /appli/mmx/pjsip/pjproject-2.3/pjmedia/src/pjmedia/sdp_neg.c        2014-07-09 08:43:32.000000000 +0200
+++ my_sdp_neg.c        2015-04-23 12:08:44.000000000 +0200
@@ -427,7 +427,9 @@
        neg->neg_local_sdp = pjmedia_sdp_session_clone(pool,
                                                       neg->active_local_sdp);
        *offer = neg->active_local_sdp;
-
+       if (neg->initial_sdp)
+           neg->initial_sdp = pjmedia_sdp_session_clone(pool,
+                                                        neg->initial_sdp);
     } else {
        /* We assume that we're in STATE_LOCAL_OFFER.
         * In this case set the neg_local_sdp as the offer.
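Review bot: the re-clone is added only in the branch that hands out `active_local_sdp` as the offer; the `} else {` branch (the STATE_LOCAL_OFFER case named in the comment) still leaves `neg->initial_sdp` pointing into whichever pool is cleaned at the end of the negotiation. More generally, cloning here covers only negotiations that pass through `pjmedia_sdp_neg_send_local_offer`, so any other path between two pool swaps leaves the same stale pointer, which is the "not sure it is sufficient" worry. A fix that holds on every path is to refresh `initial_sdp` where the pools are actually swapped and cleaned, or to keep it in a pool that outlives individual negotiations. The `if (neg->initial_sdp)` guard is right to keep. Minor: the hunk also removes an unrelated blank line (the lone `-`).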

Thanks
Bernard
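The lifetime problem described above, reduced to a runnable model as an added example (constructed here, not PJSIP's code): two bump-allocator pools that swap and reset after each negotiation, and a pointer that stays valid only if it is re-cloned into the provisional pool before the swap. The `pool_t`, `sdp_t`, `inv_t` and `run_scenario` names are this example's own, and the generation counter is a stand-in for "use after pool reset" that a real allocator would not give you.

```c
#include <stdio.h>
#include <string.h>

/* Bump allocator with a generation counter bumped on every reset, so a pointer
 * can be checked against the generation it was allocated in (a debugging aid
 * for this model only). */
typedef struct { char buf[4096]; size_t used; unsigned gen; } pool_t;
/* Stand-in for pjmedia_sdp_session: remembers the pool and generation it came from. */
typedef struct { pool_t *pool; unsigned gen; char text[64]; } sdp_t;

static void *pool_alloc(pool_t *p, size_t n) { void *r = p->buf + p->used; p->used += n; return r; }
static void pool_reset(pool_t *p) { p->used = 0; p->gen++; }   /* "pool is cleaned" */

static sdp_t *sdp_clone(pool_t *p, const sdp_t *src) {
    sdp_t *s = pool_alloc(p, sizeof *s);
    s->pool = p; s->gen = p->gen;
    snprintf(s->text, sizeof s->text, "%s", src->text);
    return s;
}
/* Does the pointer still refer to memory the pool has not reset since? */
static int sdp_is_live(const sdp_t *s) { return s->pool->gen == s->gen; }

/* Model of pjsip_inv_session's pool_prov / pool_active pair plus initial_sdp. */
typedef struct { pool_t pools[2]; pool_t *prov, *active; sdp_t *initial_sdp; } inv_t;

/* First INVITE with SDP: the local answer is built in pool_prov. */
static void set_local_answer(inv_t *inv, const char *local) {
    sdp_t tmp = {0}; snprintf(tmp.text, sizeof tmp.text, "%s", local);
    inv->initial_sdp = sdp_clone(inv->prov, &tmp);
}
/* End of a negotiation: swap the pools and clean the new provisional one. */
static void negotiation_done(inv_t *inv) {
    pool_t *t = inv->prov; inv->prov = inv->active; inv->active = t;
    pool_reset(inv->prov);
}
/* INVITE without SDP: with fix != 0, re-clone initial_sdp into pool_prov so it
 * survives the coming swap (the idea behind the workaround in the mail). */
static void send_local_offer(inv_t *inv, int fix) {
    if (fix && inv->initial_sdp) inv->initial_sdp = sdp_clone(inv->prov, inv->initial_sdp);
}
/* Runs the three-INVITE scenario; returns 1 if initial_sdp is still valid when
 * the third INVITE's answer would duplicate it, 0 if it dangles. */
int run_scenario(int fix) {
    inv_t inv; memset(&inv, 0, sizeof inv);
    inv.prov = &inv.pools[0]; inv.active = &inv.pools[1];
    set_local_answer(&inv, "v=0 (constructed)"); /* 1) answer lives in prov      */
    negotiation_done(&inv);                      /*    swap: it is now in active */
    send_local_offer(&inv, fix);                 /* 2) offer for INVITE w/o SDP  */
    negotiation_done(&inv);                      /*    ACK with SDP: swap, reset */
    return sdp_is_live(inv.initial_sdp);         /* 3) set_local_answer clones it */
}
int main(void) { printf("unpatched=%d patched=%d\n", run_scenario(0), run_scenario(1)); return 0; }
```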


