12 Commits

Author SHA1 Message Date
Holger Hans Peter Freyther 49880ddf74 mncc: Fix use after free on mncc socket disconnection
When the MNCC socket breaks down we would release all calls but when
there is no remote call the call would be released before

	if (call->remote)
		...

is being executed leading to a use after free. Fix it by copying the
legs first and assuming the call will be gone after that.

==3618== Invalid read of size 4
==3618==    at 0x804A18A: app_mncc_disconnected (app.c:49)
==3618==    by 0x804B52D: close_connection (mncc.c:255)
==3618==    by 0x804BCFA: mncc_rtp_send.constprop.13 (mncc.c:145)
==3618==    by 0x804CC86: check_setup (mncc.c:435)
==3618==    by 0x804CC86: mncc_data (mncc.c:795)
==3618==    by 0x42FCF94: osmo_fd_disp_fds (select.c:167)
==3618==    by 0x804D1F2: evpoll (evpoll.c:92)
==3618==    by 0x4205053: ??? (in /lib/i386-linux-gnu/libglib-2.0.so.0.4200.1)
==3618==    by 0x4205478: g_main_loop_run (in /lib/i386-linux-gnu/libglib-2.0.so.0.4200.1)
==3618==    by 0x8049AA6: main (main.c:171)
==3618==  Address 0x47f3258 is 64 bytes inside a block of size 76 free'd
==3618==    at 0x402A3A8: free (vg_replace_malloc.c:473)
==3618==    by 0x42E7FD1: ??? (in /usr/lib/i386-linux-gnu/libtalloc.so.2.1.5)
==3618==    by 0x804A3FD: call_leg_release (call.c:87)
==3618==    by 0x804A186: app_mncc_disconnected (app.c:48)
==3618==    by 0x804B52D: close_connection (mncc.c:255)
==3618==    by 0x804BCFA: mncc_rtp_send.constprop.13 (mncc.c:145)
==3618==    by 0x804CC86: check_setup (mncc.c:435)
==3618==    by 0x804CC86: mncc_data (mncc.c:795)
==3618==    by 0x42FCF94: osmo_fd_disp_fds (select.c:167)
==3618==    by 0x804D1F2: evpoll (evpoll.c:92)
==3618==    by 0x4205053: ??? (in /lib/i386-linux-gnu/libglib-2.0.so.0.4200.1)
==3618==    by 0x4205478: g_main_loop_run (in /lib/i386-linux-gnu/libglib-2.0.so.0.4200.1)
==3618==    by 0x8049AA6: main (main.c:171)
==3618==

Change-Id: I1889013ed315f896e4295358f6daf76ce523dc2a
2017-03-06 21:10:07 +00:00
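
Added example, not the project's code and not part of the commit: a constructed C model of the ordering problem commit 49880ddf74 describes, beside the copy-the-legs-first fix. The struct layout and the names `get_remote`, `leg_release`, `disconnect_before`, `disconnect_after` and `stale_reads` are assumptions; destruction is tracked with a flag instead of free() so the stale access is counted rather than executed.

```c
#include <stddef.h>

/* Constructed model: a call owns up to two legs and is destroyed as soon as
 * its last leg is released. A flag stands in for free(). */
struct leg { struct call *call; int released; };
struct call { struct leg *initial, *remote; int destroyed; };

int stale_reads; /* accesses to a call after it was destroyed */

struct leg *get_remote(struct call *c)
{
	if (c->destroyed)
		stale_reads++; /* with a real free() this is the invalid read */
	return c->remote;
}

void leg_release(struct leg *l)
{
	struct call *c = l->call;

	l->released = 1;
	if (c->initial == l)
		c->initial = NULL;
	else
		c->remote = NULL;
	if (!c->initial && !c->remote)
		c->destroyed = 1; /* last leg gone: the call goes with it */
}

/* Order before the fix: release a leg, then look at call->remote. */
void disconnect_before(struct call *c)
{
	if (c->initial)
		leg_release(c->initial);
	if (get_remote(c)) /* call may already be gone here */
		leg_release(c->remote);
}

/* Order after the fix: copy both legs, never touch the call afterwards. */
void disconnect_after(struct call *c)
{
	struct leg *initial = c->initial, *remote = c->remote;

	if (initial)
		leg_release(initial);
	if (remote)
		leg_release(remote);
}
```

The stale read only shows up for a call without a remote leg, which matches the condition named in the commit message; with two legs the call survives the first release.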
Holger Hans Peter Freyther 068f547954 call: Fix call release handling on mncc connection loss
The app_mncc_disconnected will be called when the MNCC socket is down
and lead to all calls being released. It directly released the call but
did not stop the MNCC CMD timer. Go through the call release callback.

==3618==    at 0x804A18A: app_mncc_disconnected (app.c:49)
==3618==    by 0x804B52D: close_connection (mncc.c:255)

This led to the timer not being removed:

==3593== Invalid read of size 4
==3593==    at 0x4305D42: rb_first (rbtree.c:294)
==3593==    by 0x42FCB37: osmo_timers_update (timer.c:220)
==3593==    by 0x804D1D5: evpoll (evpoll.c:89)
==3593==    by 0x4205053: ??? (in /lib/i386-linux-gnu/libglib-2.0.so.0.4200.1)
==3593==    by 0x4205478: g_main_loop_run (in /lib/i386-linux-gnu/libglib-2.0.so.0.4200.1)
==3593==    by 0x8049AA6: main (main.c:171)
==3593==  Address 0x47f3380 is 232 bytes inside a block of size 272 free'd
==3593==    at 0x402A3A8: free (vg_replace_malloc.c:473)
==3593==    by 0x42E7FD1: ??? (in /usr/lib/i386-linux-gnu/libtalloc.so.2.1.5)
==3593==    by 0x804A3C4: call_leg_release (call.c:83)
==3593==    by 0x804A188: app_mncc_disconnected (app.c:48)
==3593==    by 0x804B52D: close_connection (mncc.c:255)
==3593==    by 0x804BCFA: mncc_rtp_send.constprop.13 (mncc.c:145)
==3593==    by 0x804CC86: check_setup (mncc.c:435)
==3593==    by 0x804CC86: mncc_data (mncc.c:795)
==3593==    by 0x42FCF94: osmo_fd_disp_fds (select.c:167)
==3593==    by 0x804D1F2: evpoll (evpoll.c:92)
==3593==    by 0x4205053: ??? (in /lib/i386-linux-gnu/libglib-2.0.so.0.4200.1)
==3593==    by 0x4205478: g_main_loop_run (in /lib/i386-linux-gnu/libglib-2.0.so.0.4200.1)
==3593==    by 0x8049AA6: main (main.c:171)

Change-Id: I2e8e14b3983f84c9be046bbd96bbcd1e5766993e
2017-03-06 21:10:07 +00:00
Holger Hans Peter Freyther 211ad859de sip/call/mncc: Move source/dest into the call structure
In preparation of a better show calls VTY command it is of interest
to know which number has been dialed by whom. For that store the
source/dest in there.

MNCC: Change the talloc root context to the call and don't try to
free the strings after calling the routing code

SIP: Use talloc_strdup to duplicate them.

Call: Add null check because the talloc_strdup of the SIP layer
could have failed.
2016-04-04 19:52:41 +02:00
Holger Hans Peter Freyther bec32eb207 coverity: Address two issues found by coverity
Add NULL check in the case of MNCC disconnect that was missing and
add an assert to show that at this point the other leg must exist.

Fixes: CID#80799, CID#80800, 80801
2016-03-31 19:36:27 +02:00
Holger Hans Peter Freyther 916348b7dc mncc: Begin to implement MT call handling for SIP->MNCC
Initiate the setup request that should result in the call getting
all the way to the connected state at some point in time. The device
I test with sadly rejects the call too soon.
2016-03-27 17:02:39 +02:00
Holger Hans Peter Freyther dac13bed50 sip/app: Route call from SIP to MNCC and deal with the release
Fix releasing of the leg in case it is not routable and make the
differentiation if we initiated the invite (send CANCEL) or send
a final error. The error code was randomly picked and once we have
an enum of causes we can decide where to map it to.
2016-03-26 21:09:07 +01:00
Holger Hans Peter Freyther 989bef0875 app: Translate payload name to IETF codec name
Convert the MNCC codec type to the IETF codec name.
2016-03-26 16:33:15 +01:00
Holger Hans Peter Freyther 997d72e0fe app: Ask the sip side to create a leg
Create SIP leg and if it is failing release the call
2016-03-26 06:22:07 +01:00
Holger Hans Peter Freyther e08887ec4e app: Release the call by releasing the initial request
This will then go through the release procedure of the relevant
call instead of letting it time out on the initial leg.
2016-03-26 06:11:09 +01:00
Holger Hans Peter Freyther 4f8cafa5b0 call: Continue up to the point of call routing
We accept the call on MNCC and ask the core to select/create the
second leg of the call.
2016-03-23 17:41:23 +01:00
Holger Hans Peter Freyther c4d01f9a90 call: Add a backpointer from leg to call and drop the argument
Simplify the structure by either working with a call or just
a leg of it. No need to carry both pointers all the time.
2016-03-22 21:04:56 +01:00
Holger Hans Peter Freyther 45f0fa09d2 call/app: Hook the MNCC disconnect event in the app and release calls
In case the MNCC server is crashing we need to release all calls,
use the event emitted by the MNCC connection and iterate over all
calls and call the release function.
2016-03-22 16:32:48 +01:00