<div dir="ltr">Hey Daniel,<div><br></div><div>This was my mistake, I was looking at an old branch I had of dialog module. I see the reference counting was added whenever a dialog is added to the timer list.</div><div><br></div>
<div style>Cheers</div><div style>Jason</div><div style><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Aug 21, 2013 at 12:14 AM, Daniel-Constantin Mierla <span dir="ltr"><<a href="mailto:miconda@gmail.com" target="_blank">miconda@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
Hello,<div><div class="h5"><br>
<br>
<div>On 8/16/13 4:17 PM, Jason Penton wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi,
<div><br>
</div>
<div>It seems to me that there is a possible race condition in
dialog module that can potentially cause segfault. Let me
explain my thinking.</div>
<div><br>
</div>
<div>In the dlg_timer routine we call get_expired_dlgs
(line 4). This function returns a list of dlg_tl's that have
expired. This code is executed in the timer process and I
can't see any reason why if a dialog is terminated (user hangs
up) at the same time as the expiry timer fires that the dialog
can't be nuked between lines 4 and 5 below. This will
ultimately result in segfault in the later lines (5 and
onwards) or in the specific timer_hdl callback function where
the dialog is retrieved using some pointer arithmetic....</div>
<div><br>
</div>
<div><span style="font-family:'courier new',monospace">1.
void dlg_timer_routine(unsigned int ticks , void * attr)</span><br>
</div>
<div>
<div><font face="courier new, monospace">2. {</font></div>
<div><font face="courier new, monospace"><span style="white-space:pre-wrap">3. </span>struct dlg_tl *tl,
*ctl;</font></div>
<div><br>
</div>
<div><font face="courier new, monospace"><span style="white-space:pre-wrap">4. </span>tl =
get_expired_dlgs( ticks );</font></div>
<div><br>
</div>
<div><font face="courier new, monospace"><span style="white-space:pre-wrap">5. </span>while (tl) {</font></div>
<div><font face="courier new, monospace"><span style="white-space:pre-wrap">6. </span>ctl = tl;</font></div>
<div><font face="courier new, monospace"><span style="white-space:pre-wrap">7. </span>tl = tl->next;</font></div>
<div><font face="courier new, monospace"><span style="white-space:pre-wrap">8. </span>ctl->next = NULL;</font></div>
<div><font face="courier new, monospace"><span style="white-space:pre-wrap">9. </span>LM_DBG("tl=%p
next=%p\n", ctl, tl);</font></div>
<div><font face="courier new, monospace"><span style="white-space:pre-wrap">10. </span>timer_hdl( ctl );</font></div>
<div><font face="courier new, monospace"><span style="white-space:pre-wrap">11. </span>}</font></div>
<div><font face="courier new, monospace">12. }</font></div>
<div><br>
</div>
<div>I would imagine we should look at incrementing
ref for every dlg that goes into the tl. Then unref when
removed or when fired.... (but at quick glance it looks like
there could be a few locking issues with this solution)</div>
</div>
</div>
</blockquote></div></div>
iirc, there was a counter inc for keeping the structure in the timer
list and dec for removing it, isn't like that?<br>
<br>
Cheers,<br>
Daniel<span class="HOEnZb"><font color="#888888"><br>
<pre cols="72">--
Daniel-Constantin Mierla - <a href="http://www.asipto.com" target="_blank">http://www.asipto.com</a>
<a href="http://twitter.com/#!/miconda" target="_blank">http://twitter.com/#!/miconda</a> - <a href="http://www.linkedin.com/in/miconda" target="_blank">http://www.linkedin.com/in/miconda</a>
</pre>
</font></span></div>
<br>_______________________________________________<br>
sr-dev mailing list<br>
<a href="mailto:sr-dev@lists.sip-router.org">sr-dev@lists.sip-router.org</a><br>
<a href="http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev" target="_blank">http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev</a><br>
<br></blockquote></div><br></div>