diff options
| author | mmichelson <mmichelson@f38db490-d61c-443f-a65b-d21fe96a405b> | 2008-03-14 16:44:08 +0000 |
|---|---|---|
| committer | mmichelson <mmichelson@f38db490-d61c-443f-a65b-d21fe96a405b> | 2008-03-14 16:44:08 +0000 |
| commit | bda5fe3c45aa10a893a762dafa0a44ded172b508 (patch) | |
| tree | 99d5222ebb559e75f11360d31de99d48eeaf82b2 /channels | |
| parent | 343f8b733db9b43c0d01fb8a9c377a8cf3d99048 (diff) | |
Fix a race condition in the SIP packet scheduler which could cause a crash.
chan_sip uses the scheduler API in order to schedule retransmission of reliable
packets (such as INVITES). If a retransmission of a packet is occurring, then the
packet is removed from the scheduler and retrans_pkt is called. Meanwhile, if
a response is received from the packet as previously transmitted, then when we
ACK the response, we will remove the packet from the scheduler and free the packet.
The problem is that both the ACK function and retrans_pkt attempt to acquire the
same lock at the beginning of the function call. This means that if the ACK function
acquires the lock first, then it will free the packet which retrans_pkt is about to
read from and write to. The result is a crash.
The solution:
1. If the ACK function fails to remove the packet from the scheduler and the retransmit
id of the packet is not -1 (meaning that we have not reached the maximum number of
retransmissions) then release the lock and yield so that retrans_pkt may acquire the
lock and operate.
2. Make absolutely certain that the ACK function does not recursively lock the lock in
question. If it does, then releasing the lock will do no good, since retrans_pkt will
still be unable to acquire the lock.
(closes issue #12098)
Reported by: wegbert
(closes issue #12089)
Reported by: PTorres
Patches:
12098-putnopvutv3.patch uploaded by putnopvut (license 60)
Tested by: jvandal
git-svn-id: http://svn.digium.com/svn/asterisk/branches/1.4@108737 f38db490-d61c-443f-a65b-d21fe96a405b
Diffstat (limited to 'channels')
| -rw-r--r-- | channels/chan_sip.c | 33 |
1 files changed, 27 insertions, 6 deletions
diff --git a/channels/chan_sip.c b/channels/chan_sip.c index a3ffab986..330fc737e 100644 --- a/channels/chan_sip.c +++ b/channels/chan_sip.c @@ -2137,7 +2137,8 @@ static int sip_cancel_destroy(struct sip_pvt *p) return res; } -/*! \brief Acknowledges receipt of a packet and stops retransmission */ +/*! \brief Acknowledges receipt of a packet and stops retransmission + * called with p locked*/ static void __sip_ack(struct sip_pvt *p, int seqno, int resp, int sipmethod) { struct sip_pkt *cur, *prev = NULL; @@ -2148,7 +2149,6 @@ static void __sip_ack(struct sip_pvt *p, int seqno, int resp, int sipmethod) msg = sip_methods[sipmethod].text; - ast_mutex_lock(&p->lock); for (cur = p->packets; cur; prev = cur, cur = cur->next) { if ((cur->seqno == seqno) && ((ast_test_flag(cur, FLAG_RESPONSE)) == resp) && ((ast_test_flag(cur, FLAG_RESPONSE)) || @@ -2165,18 +2165,37 @@ static void __sip_ack(struct sip_pvt *p, int seqno, int resp, int sipmethod) if (sipdebug && option_debug > 3) ast_log(LOG_DEBUG, "** SIP TIMER: Cancelling retransmit of packet (reply received) Retransid #%d\n", cur->retransid); } - AST_SCHED_DEL(sched, cur->retransid); + /* This odd section is designed to thwart a + * race condition in the packet scheduler. There are + * two conditions under which deleting the packet from the + * scheduler can fail. + * + * 1. The packet has been removed from the scheduler because retransmission + * is being attempted. The problem is that if the packet is currently attempting + * retransmission and we are at this point in the code, then that MUST mean + * that retrans_pkt is waiting on p's lock. Therefore we will relinquish the + * lock temporarily to allow retransmission. + * + * 2. The packet has reached its maximum number of retransmissions and has + * been permanently removed from the packet scheduler. If this is the case, then + * the packet's retransid will be set to -1. The atomicity of the setting and checking + * of the retransid to -1 is ensured since in both cases p's lock is held. + */ + while (cur->retransid > -1 && ast_sched_del(sched, cur->retransid)) { + ast_mutex_unlock(&p->lock); + usleep(1); + ast_mutex_lock(&p->lock); + } free(cur); break; } } - ast_mutex_unlock(&p->lock); if (option_debug) ast_log(LOG_DEBUG, "Stopping retransmission on '%s' of %s %d: Match %s\n", p->callid, resp ? "Response" : "Request", seqno, res == FALSE ? "Not Found" : "Found"); } /*! \brief Pretend to ack all packets - * maybe the lock on p is not strictly necessary but there might be a race */ + * called with p locked */ static void __sip_pretend_ack(struct sip_pvt *p) { struct sip_pkt *cur = NULL; @@ -7469,12 +7488,14 @@ static int sip_reg_timeout(const void *data) /* Unlink us, destroy old call. Locking is not relevant here because all this happens in the single SIP manager thread. */ p = r->call; + ast_mutex_lock(&p->lock); if (p->registry) ASTOBJ_UNREF(p->registry, sip_registry_destroy); r->call = NULL; ast_set_flag(&p->flags[0], SIP_NEEDDESTROY); /* Pretend to ACK anything just in case */ - __sip_pretend_ack(p); /* XXX we need p locked, not sure we have */ + __sip_pretend_ack(p); + ast_mutex_unlock(&p->lock); } /* If we have a limit, stop registration and give up */ if (global_regattempts_max && (r->regattempts > global_regattempts_max)) { |