osmo-sip-connector.git branch master updated. 49880ddf740a7af47a1247dbff9acb34087b6afc - osmocom-commitlog

6 Mar 2017


      This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "MNCC <-> SIP bridge".
The branch, master has been updated
       via  49880ddf740a7af47a1247dbff9acb34087b6afc (commit)
       via  068f54795495d478e51d40dfcd390ce005933f9d (commit)
      from  7166d0f448eae451b1a6287b522c0fc82387b05b (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
http://cgit.osmocom.org/osmo-sip-connector/commit/?id=49880ddf740a7af47a1247...
commit 49880ddf740a7af47a1247dbff9acb34087b6afc
Author: Holger Hans Peter Freyther holger@moiji-mobile.com
Date:   Mon Mar 6 10:02:37 2017 +0100
mncc: Fix use after free on mncc socket disconnection
When the MNCC socket breaks down we would release all callds but when
    there is no remote call the call would be released before
if (call->remote)
                    ...
is being executed leading to a use after free. Fix it by copying the
    legs first and assuming the call will be gone after that.
==3618== Invalid read of size 4
    ==3618==    at 0x804A18A: app_mncc_disconnected (app.c:49)
    ==3618==    by 0x804B52D: close_connection (mncc.c:255)
    ==3618==    by 0x804BCFA: mncc_rtp_send.constprop.13 (mncc.c:145)
    ==3618==    by 0x804CC86: check_setup (mncc.c:435)
    ==3618==    by 0x804CC86: mncc_data (mncc.c:795)
    ==3618==    by 0x42FCF94: osmo_fd_disp_fds (select.c:167)
    ==3618==    by 0x804D1F2: evpoll (evpoll.c:92)
    ==3618==    by 0x4205053: ??? (in /lib/i386-linux-gnu/libglib-2.0.so.0.4200.1)
    ==3618==    by 0x4205478: g_main_loop_run (in /lib/i386-linux-gnu/libglib-2.0.so.0.4200.1)
    ==3618==    by 0x8049AA6: main (main.c:171)
    ==3618==  Address 0x47f3258 is 64 bytes inside a block of size 76 free'd
    ==3618==    at 0x402A3A8: free (vg_replace_malloc.c:473)
    ==3618==    by 0x42E7FD1: ??? (in /usr/lib/i386-linux-gnu/libtalloc.so.2.1.5)
    ==3618==    by 0x804A3FD: call_leg_release (call.c:87)
    ==3618==    by 0x804A186: app_mncc_disconnected (app.c:48)
    ==3618==    by 0x804B52D: close_connection (mncc.c:255)
    ==3618==    by 0x804BCFA: mncc_rtp_send.constprop.13 (mncc.c:145)
    ==3618==    by 0x804CC86: check_setup (mncc.c:435)
    ==3618==    by 0x804CC86: mncc_data (mncc.c:795)
    ==3618==    by 0x42FCF94: osmo_fd_disp_fds (select.c:167)
    ==3618==    by 0x804D1F2: evpoll (evpoll.c:92)
    ==3618==    by 0x4205053: ??? (in /lib/i386-linux-gnu/libglib-2.0.so.0.4200.1)
    ==3618==    by 0x4205478: g_main_loop_run (in /lib/i386-linux-gnu/libglib-2.0.so.0.4200.1)
    ==3618==    by 0x8049AA6: main (main.c:171)
    ==3618==
Change-Id: I1889013ed315f896e4295358f6daf76ce523dc2a
http://cgit.osmocom.org/osmo-sip-connector/commit/?id=068f54795495d478e51d40...
commit 068f54795495d478e51d40dfcd390ce005933f9d
Author: Holger Hans Peter Freyther holger@moiji-mobile.com
Date:   Mon Mar 6 09:50:26 2017 +0100
call: Fix call release handling on mncc connection loss
The app_mncc_disconnected will be called when the MNCC socket is down
    and lead to all calls being released. It directly released the call but
    did not stop the MNCC CMD timer. Go through the call release callback.
==3618==    at 0x804A18A: app_mncc_disconnected (app.c:49)
    ==3618==    by 0x804B52D: close_connection (mncc.c:255)
This lead to the timer not being removed:
==3593== Invalid read of size 4
    ==3593==    at 0x4305D42: rb_first (rbtree.c:294)
    ==3593==    by 0x42FCB37: osmo_timers_update (timer.c:220)
    ==3593==    by 0x804D1D5: evpoll (evpoll.c:89)
    ==3593==    by 0x4205053: ??? (in /lib/i386-linux-gnu/libglib-2.0.so.0.4200.1)
    ==3593==    by 0x4205478: g_main_loop_run (in /lib/i386-linux-gnu/libglib-2.0.so.0.4200.1)
    ==3593==    by 0x8049AA6: main (main.c:171)
    ==3593==  Address 0x47f3380 is 232 bytes inside a block of size 272 free'd
    ==3593==    at 0x402A3A8: free (vg_replace_malloc.c:473)
    ==3593==    by 0x42E7FD1: ??? (in /usr/lib/i386-linux-gnu/libtalloc.so.2.1.5)
    ==3593==    by 0x804A3C4: call_leg_release (call.c:83)
    ==3593==    by 0x804A188: app_mncc_disconnected (app.c:48)
    ==3593==    by 0x804B52D: close_connection (mncc.c:255)
    ==3593==    by 0x804BCFA: mncc_rtp_send.constprop.13 (mncc.c:145)
    ==3593==    by 0x804CC86: check_setup (mncc.c:435)
    ==3593==    by 0x804CC86: mncc_data (mncc.c:795)
    ==3593==    by 0x42FCF94: osmo_fd_disp_fds (select.c:167)
    ==3593==    by 0x804D1F2: evpoll (evpoll.c:92)
    ==3593==    by 0x4205053: ??? (in /lib/i386-linux-gnu/libglib-2.0.so.0.4200.1)
    ==3593==    by 0x4205478: g_main_loop_run (in /lib/i386-linux-gnu/libglib-2.0.so.0.4200.1)
    ==3593==    by 0x8049AA6: main (main.c:171)
Change-Id: I2e8e14b3983f84c9be046bbd96bbcd1e5766993e
-----------------------------------------------------------------------
Summary of changes:
 src/app.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)
hooks/post-receive
-- 
MNCC <-> SIP bridge