pjsip / pjproject

PJSIP project
http://www.pjsip.org
GNU General Public License v2.0

Segmentation fault upon TURN packet #3716

Closed sduthil closed 1 year ago

sduthil commented 1 year ago

Describe the bug

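When using TURN, most calls are handled correctly, but at random intervals of a few days or weeks the program crashes with a segmentation fault. In the backtrace below, frame #0 (pj_turn_session_on_rx_pkt2) is entered with sess=0x0, i.e. a NULL TURN session pointer, while on_data_read is processing a 244-byte read from the TURN socket.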

Steps to reproduce

Unknown

PJSIP version

2.13.1

Context

This is my first issue on PJSIP, apologies for missing details. I have access to the coredump of the Asterisk process running PJSIP, so I can provide additional info if needed.

Log, call stack, etc

Thread 1 (Thread 0x7f630f057700 (LWP 1555226)):
#0  0x00007f639d5dd822 in pj_turn_session_on_rx_pkt2 (sess=0x0, prm=prm@entry=0x7f630f056ac0) at ../src/pjnath/turn_session.c:1277
        is_stun = <optimized out>
        status = <optimized out>
        is_datagram = <optimized out>
#1  0x00007f639d5dda1e in pj_turn_session_on_rx_pkt (sess=<optimized out>, pkt=pkt@entry=0x7f63880dbee8, pkt_len=pkt_len@entry=244, parsed_len=parsed_len@entry=0x7f630f056b10) at ../src/pjnath/turn_session.c:1254
        prm = {pkt = 0x7f63880dbee8, pkt_len = 244, parsed_len = 0, src_addr = 0x0, src_addr_len = 0}
        status = <optimized out>
#2  0x00007f639d5df37e in on_data_read (remainder=0x7f630f056b70, status=<optimized out>, size=244, data=0x7f63880dbee8, turn_sock=0x7f63905c8768) at ../src/pjnath/turn_sock.c:889
        parsed_len = 244
        pkt_len = 132
        ret = 1
        ret = <optimized out>
        on_return = <optimized out>
        pkt_len = <optimized out>
        parsed_len = <optimized out>
#3  on_data_read_asock (asock=<optimized out>, data=0x7f63880dbee8, size=<optimized out>, status=<optimized out>, remainder=0x7f630f056b70) at ../src/pjnath/turn_sock.c:936
        turn_sock = 0x7f63905c8768
#4  0x00007f639d6305dd in ioqueue_on_read_complete (key=0x7f6328782388, op_key=0x7f63880dcaa0, bytes_read=<optimized out>) at ../src/pj/activesock.c:503
        remainder = 244
        ret = 1
        flags = <optimized out>
        asock = 0x7f63905c9798
        r = 0x7f63880dcaa0
        loop = 0
        status = <optimized out>
#5  0x00007f639d62a899 in ioqueue_dispatch_read_event (h=0x7f6328782388, ioqueue=0x7f6328976948) at ../src/pj/ioqueue_common_abs.c:609
        read_op = 0x7f63880dcaa0
        bytes_read = 332
        has_lock = 1
        rc = <optimized out>
        rc = <optimized out>
        accept_op = <optimized out>
        has_lock = <optimized out>
        read_op = <optimized out>
        bytes_read = <optimized out>
        has_lock = <optimized out>
#6  ioqueue_dispatch_read_event (ioqueue=0x7f6328976948, h=0x7f6328782388) at ../src/pj/ioqueue_common_abs.c:437
        rc = <optimized out>
        accept_op = <optimized out>
        has_lock = <optimized out>
        read_op = <optimized out>
        bytes_read = <optimized out>
        has_lock = <optimized out>
#7  0x00007f639d62c4fb in pj_ioqueue_poll (ioqueue=0x7f6328976948, timeout=timeout@entry=0x7f630f056e40) at ../src/pj/ioqueue_epoll.c:1001
        event_done = 0
        i = 0
        count = <optimized out>
        event_cnt = 1
        processed_cnt = 0
        msec = <optimized out>
        MAX_EVENTS = MAX_EVENTS
        events = {{events = 1, data = {ptr = 0x7f6328782388, fd = 678962056, u32 = 678962056, u64 = 140063857451912}}, {events = 1872904088, data = {ptr = 0x7f63900e0ba8, fd = -1878127704, u32 = 2416839592, u64 = 140065595329448}}, {events = 2640500237, data = {ptr = 0xf056c6800007f63, fd = 32611, u32 = 32611, u64 = 1082390479384903523}}, {events = 32611, data = {ptr = 0x7f639d62d89b <pj_mutex_unlock+27>, fd = -1654466405, u32 = 2640500891, u64 = 140065818990747}}, {events = 2416839432, data = {ptr = 0x9d62daa600007f63, fd = 32611, u32 = 32611, u64 = 11340867218171789155}}, {events = 32611, data = {ptr = 0x7f63900e0b08, fd = -1878127864, u32 = 2416839432, u64 = 140065595329288}}, {events = 681816008, data = {ptr = 0x9063cae000007f63, fd = 32611, u32 = 32611, u64 = 10404382627577495395}}, {events = 32611, data = {ptr = 0x7f639d62d89b <pj_mutex_unlock+27>, fd = -1654466405, u32 = 2640500891, u64 = 140065818990747}}, {events = 2416839432, data = {ptr = 0x9d644f6700007f63, fd = 32611, u32 = 32611, u64 = 11341277065426009955}}, {events = 32611, data = {ptr = 0x7f63900e0ba8, fd = -1878127704, u32 = 2416839592, u64 = 140065595329448}}, {events = 2281817800, data = {ptr = 0x2d4e5f00007f63, fd = 32611, u32 = 32611, u64 = 12752543880871779}}, {events = 0, data = {ptr = 0xf9, fd = 249, u32 = 249, u64 = 249}}, {events = 2416839512, data = {ptr = 0xfc70430000007f63, fd = 32611, u32 = 32611, u64 = 18190112562228526947}}, {events = 1872904088, data = {ptr = 0x7f630f056d50, fd = 252013904, u32 = 252013904, u64 = 140063430503760}}, {events = 2422458888, data = {ptr = 0x7f63, fd = 32611, u32 = 32611, u64 = 32611}}, {events = 0, data = {ptr = 0x1, fd = 1, u32 = 1, u64 = 1}}}
        queue = {{key = 0x7f6328782388, event_type = READABLE_EVENT}, {key = 0x7ffdf64dd95a <clock_gettime+90>, event_type = (unknown: 0xf056d98)}, {key = 0x7f630f056d60, event_type = NO_EVENT}, {key = 0x7f630f056f80, event_type = (unknown: 0x78002e70)}, {key = 0x1, event_type = (READABLE_EVENT | unknown: 0x9cb16080)}, {key = 0x7f6390554258, event_type = (READABLE_EVENT | unknown: 0x9d62f620)}, {key = 0x7f6328976ec0, event_type = (unknown: 0x306d6c78)}, {key = 0x3b9aca00, event_type = (unknown: 0xfc704300)}, {key = 0x7f63900e0ba8, event_type = (unknown: 0xf056de0)}, {key = 0x7f630f056d98, event_type = (READABLE_EVENT | EXCEPTION_EVENT | unknown: 0x9d62f6a0)}, {key = 0x7f63900e0b08, event_type = (READABLE_EVENT | WRITEABLE_EVENT | unknown: 0xd5738d60)}, {key = 0x0, event_type = (unknown: 0xfc704300)}, {key = 0x7f6328c4bea0, event_type = (READABLE_EVENT | WRITEABLE_EVENT | unknown: 0x9d62d898)}, {key = 0x7f6328a3afc8, event_type = (EXCEPTION_EVENT | unknown: 0x9d6452f0)}, {key = 0x7f630f056de0, event_type = (unknown: 0x9063cae0)}, {key = 0x2d4e52, event_type = (READABLE_EVENT | WRITEABLE_EVENT | unknown: 0x130)}}
        t1 = {u32 = {lo = 3581120598, hi = 691313}, u64 = 2969170307420246}
        t2 = {u32 = {lo = 3586783275, hi = 691313}, u64 = 2969170313082923}
#8  0x00007f63988f56b5 in ioqueue_worker_thread (data=0x7f6328c4bea0) at res_rtp_asterisk.c:1521
        delay = {sec = 0, msec = 10}
        ioqueue = 0x7f6328c4bea0
#9  0x00007f639d62d952 in thread_main (param=0x7f6328976ec0) at ../src/pj/os_core_unix.c:685
        rec = <optimized out>
        result = <optimized out>
        rc = <optimized out>
#10 0x00007f639d1c3ea7 in start_thread (arg=<optimized out>) at pthread_create.c:477
        ret = <optimized out>
        pd = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140063430506240, 1098075915369657985, 140063603889870, 140063603889871, 140063430504320, 140065191767664, -1010151908485810559, -1010464370056022399}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = 0
#11 0x00007f639cb4fa2f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
trengginas commented 1 year ago

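It would be helpful if the stack trace contained more information; several locals in the trace above show as <optimized out>. You can build the library with debug information and without optimization by specifying these flags (the lines below use GNU make syntax, e.g. for pjproject's user.mak, not shell syntax):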

export CFLAGS += -g -O0
export LDFLAGS += -g -O0

Then rebuild the library.

sauwming commented 1 year ago

I have created a patch in #3730. Please let us know if the issue still persists.