meetecho / janus-gateway

Janus WebRTC Server
https://janus.conf.meetecho.com
GNU General Public License v3.0

Segfault on hand-coded refer_id on transfer message #1962

Closed magic-bear closed 4 years ago

magic-bear commented 4 years ago

Hi All,

I was tinkering with the attended transfer feature, and inadvertently found a segfault. I was able to reproduce the issue multiple times on janus 0.8.1

To reproduce, start a phone call on the master handle. Add a helper, and start a second call. Then issue:

```javascript
// Second helper handle, already in a call (from the reporter's test page)
var handle = helpers[1].sipcall
handle.createOffer({
    media: {
        audioSend: true,
        audioRecv: true,
        videoSend: false,
        videoRecv: false
    },
    success: function(jsep) {
        Janus.debug('Got SDP!')
        Janus.debug(jsep)
        var body = {
            request: 'call',
            uri: dialstring,
            headers: {
                'X-Outbound': 'true'
            },
            // hand-coded placeholder; with a leading 0 this is a legacy octal
            // literal, which is why the trace shows refer_id = 153092680
            refer_id: 001110001110
        }
        handle.send({
            message: body,
            jsep: jsep
        })
    },
    error: function(error) {
        flashMessage(JSON.stringify(error), 5000)
        Janus.log('WebRTC error...', error)
    }
})
```

The number in the refer_id appears to cause segfault for any number. I just have some 1s and 0s as a placeholder.

lminiero commented 4 years ago

@magic-bear does refer_id exist when you invoke it? Can you provide a libasan dump or gdb stacktrace of the segfault? As a side note, please test on master as well, just to rule out the chance this may have been fixed.

magic-bear commented 4 years ago

refer_id does not yet exist when set - in this example, I am defining it for the first time, manually.


```
#1136   janus_sip_handler (data=<optimized out>) at plugins/janus_sip.c:3276
        transfer = 0x0
        ha1_secret = <optimized out>
        authuser = <optimized out>
        uri = <optimized out>
        srtp_profile = <optimized out>
        srtp = <optimized out>
        from_hdr = "sip:magicbear@testing.com", '\000' <repeats 992 times>
        aar = <optimized out>
        sdperror = "3600\000joubert\000\060\060", '\000' <repeats 84 times>
        sdp = <optimized out>
        request_callid = <optimized out>
        referred_by = 0x0
        msg_simulcast = <optimized out>
        require_srtp = <optimized out>
        target_uri = {data = "sip\000\061\062\060\064\062\062\065\071\071\071\071\000testing.com", '\000' <repeats 983 times>, url = {{
              url_pad = "\000\000\000\000\000", url_type = 1 '\001', url_root = 0 '\000', url_scheme = 0x7f4a85ce5210 "sip", url_user = 0x7f4a85ce5214 "12042259999", 
              url_password = 0x0, url_host = 0x7f4a85ce5220 "testing.com", url_port = 0x0, url_path = 0x0, url_params = 0x0, url_headers = 0x0, url_fragment = 0x0}}}
        msg_sdp_type = <optimized out>
        callid = 0x7f4a700067e0 "4YRqSesBJ5DNNKlPXKOIhNV"
        secret = <optimized out>
        offer_srtp = <optimized out>
        uri_text = <optimized out>
        custom_headers = "X-Outbound: true\r\n", '\000' <repeats 1870 times>...
        msg_sdp = <optimized out>
        parsed_sdp = <optimized out>
        refer_id = 153092680
        session = 0x7f4a7c007730
        request = <optimized out>
        request_text = <optimized out>
        result = 0x0
        __FUNCTION__ = "janus_sip_handler"
        msg = 0x7f4a5c01acc0
        error_code = 0
        error_cause = "Wrong state (not in a call?)", '\000' <repeats 483 times>
        root = <optimized out>
#1  0x00007f4a8ba00415 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
No symbol table info available.
#2  0x00007f4a8af8efa3 in start_thread (arg=<optimized out>) at pthread_create.c:486
        ret = <optimized out>
        pd = <optimized out>
        now = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139958049208064, 7147267784192413170, 140722614460942, 140722614460943, 139958049208064, 0, -7087195000447840782, 
                -7087214598491484686}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = <optimized out>
#3  0x00007f4a8aebf4cf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
No locals.
```

Another post to follow with master.. just building it.

tmatth commented 4 years ago

I think I have a fix.

magic-bear commented 4 years ago

ok cool - I have a master trace as well:

Here is the gdb from master:

```
Thread 5 "sip handler" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f4a3a02a700 (LWP 31195)]
0x00007f4a3a3ecd74 in janus_sip_handler (data=<optimized out>) at plugins/janus_sip.c:3295
3295    plugins/janus_sip.c: No such file or directory.
(gdb) backtrace full
#0  0x00007f4a3a3ecd74 in janus_sip_handler (data=<optimized out>) at plugins/janus_sip.c:3295
        transfer = 0x0
        ha1_secret = <optimized out>
        authuser = <optimized out>
        uri = <optimized out>
        srtp_profile = <optimized out>
        srtp = <optimized out>
        from_hdr = "sip:mbear@hr.example.com", '\000' <repeats 992 times>
        aar = <optimized out>
        sdperror = "3600\000bear", '\000' <repeats 87 times>
        sdp = <optimized out>
        request_callid = <optimized out>
        referred_by = 0x0
        msg_simulcast = <optimized out>
        require_srtp = <optimized out>
        target_uri = {data = "sip\000\061\062\060\064\062\062\065\071\071\071\071\000internal.example.com", '\000' <repeats 983 times>, url = {{
              url_pad = "\000\000\000\000\000", url_type = 1 '\001', url_root = 0 '\000', url_scheme = 0x7f4a3a028210 "sip", url_user = 0x7f4a3a028214 "12042259999", 
              url_password = 0x0, url_host = 0x7f4a3a028220 "internal.example.com", url_port = 0x0, url_path = 0x0, url_params = 0x0, url_headers = 0x0, url_fragment = 0x0}}}
        msg_sdp_type = <optimized out>
        callid = 0x7f4a240069a0 "4YRqSesBJ5DNNKlPXKOIhNV"
        secret = <optimized out>
        offer_srtp = <optimized out>
        uri_text = <optimized out>
        custom_headers = "X-Outbound: true\r\n", '\000' <repeats 1870 times>...
        msg_sdp = <optimized out>
        parsed_sdp = <optimized out>
        refer_id = 153092680
        session = 0x7f4a30007e60
        request = <optimized out>
        request_text = <optimized out>
        result = 0x0
        __FUNCTION__ = "janus_sip_handler"
        msg = <optimized out>
        error_code = 0
        error_cause = '\000' <repeats 511 times>
        root = <optimized out>
#1  0x00007f4a3fd46415 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
No symbol table info available.
#2  0x00007f4a3f2d4fa3 in start_thread (arg=<optimized out>) at pthread_create.c:486
        ret = <optimized out>
        pd = <optimized out>
        now = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139956777559808, 1468820787416209790, 140723467048702, 140723467048703, 139956777559808, 0, -1515961842585364098, 
                -1515968270699259522}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = <optimized out>
#3  0x00007f4a3f2054cf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
No locals.
```

tmatth commented 4 years ago

> ok cool - I have a master trace as well:

Nice, the line number matches my patch.

tmatth commented 4 years ago

@lminiero github is currently having issues (see https://www.githubstatus.com/ ) so hopefully you're able to see https://github.com/meetecho/janus-gateway/pull/1963

lminiero commented 4 years ago

> refer_id does not yet exist when set - in this example, I am defining it for the first time, manually.

refer_id is something you receive from Janus, not something you set yourself. Check the description in #1815 for the specific syntax, but basically:

  1. you issue a "transfer"
  2. the transferee receives an event, which includes a refer_id Janus generated
  3. the transferee issues a "call" to the transfer target using the refer_id

I see @tmatth beat me to it (thanks for the super fast fix, Tristan!), but the cause was indeed the non-existing refer_id, which means the transfer struct we look for doesn't exist either: we had a check on it not being NULL already, but not for headers too, which is where it crashed for you.
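The failure mode described above, as an added example that is not janus-gateway code: a refer_id is looked up in a table of pending transfers, a hand-coded id finds nothing, and every consumer of the lookup result (the Referred-By step and the headers step) has to tolerate NULL. All names and the table contents are hypothetical.

```c
/* Added example, not janus-gateway code: a minimal model of the "call with
 * refer_id" path. The id is looked up in a table of pending transfers; a
 * hand-coded id finds nothing, and every consumer of the lookup result must
 * cope with NULL. All names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
typedef struct {
    uint32_t refer_id;        /* generated by the server when the transfer was issued */
    const char *referred_by;  /* value for the Referred-By header of the new INVITE */
    const char *headers;      /* extra headers carried over from the REFER, may be NULL */
} pending_transfer;
/* Constructed table standing in for the server's pending-transfer map */
static pending_transfer g_transfers[] = {
    { 4242, "sip:alice@example.com", "X-Transfer: attended\r\n" },
    { 4243, "sip:bob@example.com",   NULL },
};
static pending_transfer *lookup_transfer(uint32_t refer_id) {
    for (size_t i = 0; i < sizeof g_transfers / sizeof g_transfers[0]; i++)
        if (g_transfers[i].refer_id == refer_id)
            return &g_transfers[i];
    return NULL;  /* unknown id: no transfer was ever offered under it */
}
/* Builds the header block for the outgoing call. Returns 0 on success or -1
 * when refer_id matches no pending transfer. The crash in the thread came from
 * a second consumer of `transfer` (the headers step) that lacked the NULL
 * check the Referred-By step already had; one early return covers both. */
int build_call_headers(uint32_t refer_id, char *out, size_t outlen) {
    pending_transfer *transfer = lookup_transfer(refer_id);
    if (out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';
    if (transfer == NULL)
        return -1;  /* reject the request instead of dereferencing NULL */
    snprintf(out, outlen, "Referred-By: %s\r\n", transfer->referred_by);
    if (transfer->headers != NULL) {  /* optional even for a valid id */
        size_t used = strlen(out);
        snprintf(out + used, outlen - used, "%s", transfer->headers);
    }
    return 0;
}
/* Returns 1 if the header block built for refer_id equals expected, else 0 */
int headers_for_id_equal(uint32_t refer_id, const char *expected) {
    char buf[256];
    return build_call_headers(refer_id, buf, sizeof buf) == 0 && strcmp(buf, expected) == 0;
}
```

The id 153092680 from the traces above is exactly the kind of value this rejects: it was never handed out, so the lookup returns NULL and the request fails cleanly instead of crashing the handler thread.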

lminiero commented 4 years ago

> @lminiero github is currently having issues (see https://www.githubstatus.com/ ) so hopefully you're able to see #1963

I can, but approving your PR failed due to the same issue apparently :disappointed:

lminiero commented 4 years ago

@magic-bear this should fix your segfault, but to get transfers working, please refer to the steps I sketched in a previous message.

magic-bear commented 4 years ago

Thanks for the super fast turnaround. I totally agree I was doing the transfer incorrectly in the first place but better safe than sorry where segfaults are concerned :)

tmatth commented 4 years ago

> Thanks for the super fast turnaround. I totally agree I was doing the transfer incorrectly in the first place but better safe than sorry where segfaults are concerned :)

Yeah I should've clarified that I was only fixing the crash (which is pretty obvious), not the usage.