<div dir="ltr">Good work.</div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jul 10, 2018 at 9:09 AM, Pali Rohár <span dir="ltr"><<a href="mailto:pali.rohar@gmail.com" target="_blank">pali.rohar@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">That is a version available in current Debian Stretch stable release.<br>
Therefore I reported it.<br>
<div class="HOEnZb"><div class="h5"><br>
On Saturday 07 July 2018 09:27:47 Russell Treleaven wrote:<br>
> That version of linphone is ancient.<br>
> please see <a href="http://linphone.org/technical-corner/linphone/downloads" rel="noreferrer" target="_blank">http://linphone.org/technical-<wbr>corner/linphone/downloads</a><br>
> <br>
> On Sun, Jun 10, 2018 at 10:40 AM, Pali Rohár <<a href="mailto:pali.rohar@gmail.com">pali.rohar@gmail.com</a>> wrote:<br>
> <br>
> > Package: linphone<br>
> > Version: 3.6.1-3<br>
> > Severity: important<br>
> ><br>
> > Dear maintainer, linphone always crashes when there is incoming call.<br>
> > Basically it makes it unusable. I'm CCing also linphone developers.<br>
> ><br>
> > The most important for crash is stacktrace. So here is output from gdb:<br>
> ><br>
> > Thread 1 "linphone" received signal SIGSEGV, Segmentation fault.<br>
> > linphone_core_update_upnp_<wbr>from_remote_media_description (call=call@entry=<wbr>0x555555abea90,<br>
> > md=0x0) at upnp.c:684<br>
> > 684 for (i = 0; i < md->n_total_streams; i++) {<br>
> ><br>
> > (gdb) print md<br>
> > $1 = (const SalMediaDescription *) 0x0<br>
> ><br>
> > (gdb) bt<br>
> > #0 linphone_core_update_upnp_<wbr>from_remote_media_description<br>
> > (call=call@entry=<wbr>0x555555abea90, md=0x0) at upnp.c:684<br>
> > #1 0x00007ffff7bb3b29 in linphone_call_new_incoming (lc=lc@entry=0x5555558a4410,<br>
> > from=from@entry=<wbr>0x555555abe9d0, to=to@entry=0x555555abea30, op=op@entry=0x555555aa6f20)<br>
> > at linphonecall.c:571<br>
> > #2 0x00007ffff7ba6331 in call_received (h=0x555555aa6f20) at<br>
> > callbacks.c:256<br>
> > #3 0x00007ffff7ba0763 in inc_new_call (ev=0x7fffa0003e70,<br>
> > sal=0x555555990bc0) at sal_eXosip2.c:1435<br>
> > #4 process_event (ev=0x7fffa0003e70, sal=0x555555990bc0) at<br>
> > sal_eXosip2.c:2779<br>
> > #5 sal_iterate (sal=0x555555990bc0) at sal_eXosip2.c:2907<br>
> > #6 0x00007ffff7b95783 in linphone_core_iterate (lc=0x5555558a4410) at<br>
> > linphonecore.c:2107<br>
> > #7 0x000055555556c290 in ?? ()<br>
> > #8 0x00007fffef5b6123 in ?? () from /lib/x86_64-linux-gnu/libglib-<br>
> > 2.0.so.0<br>
> > #9 0x00007fffef5b56aa in g_main_context_dispatch () from<br>
> > /lib/x86_64-linux-gnu/libglib-<wbr>2.0.so.0<br>
> > #10 0x00007fffef5b5a60 in ?? () from /lib/x86_64-linux-gnu/libglib-<br>
> > 2.0.so.0<br>
> > #11 0x00007fffef5b5d82 in g_main_loop_run () from<br>
> > /lib/x86_64-linux-gnu/libglib-<wbr>2.0.so.0<br>
> > #12 0x00007ffff76503b7 in gtk_main () from /usr/lib/x86_64-linux-gnu/<br>
> > libgtk-x11-2.0.so.0<br>
> > #13 0x0000555555569cfc in main ()<br>
> ><br>
> > So linphone is trying to do NULL pointer dereference on line 684 which<br>
> > makes instant segfault.<br>
> ><br>
> > Looking at the problematic libphonecall.c file and function<br>
> > linphone_call_new_incoming()..<wbr>. and there is really a logical error.<br>
> ><br>
> > md=sal_call_get_remote_media_<wbr>description(op);<br>
> > ...<br>
> > if (md) {<br>
> > ...<br>
> > call->params.has_video &= linphone_core_media_<br>
> > description_contains_video_<wbr>stream(md);<br>
> > }<br>
> > ...<br>
> > linphone_core_update_ice_from_<wbr>remote_media_description(call,<br>
> > sal_call_get_remote_media_<wbr>description(op));<br>
> > ...<br>
> > if (linphone_core_update_upnp_<wbr>from_remote_media_description(<wbr>call,<br>
> > sal_call_get_remote_media_<wbr>description(op))<0) {<br>
> ><br>
> > First there is call to the sal_call_get_remote_media_<wbr>description()<br>
> > function and then return value is checked for NULL.<br>
> ><br>
> > Later there is again call for sal_call_get_remote_media_<wbr>description()<br>
> > but return value is not check and it is passed to functions<br>
> > linphone_core_update_ice_from_<wbr>remote_media_description() and<br>
> > linphone_core_update_upnp_<wbr>from_remote_media_description(<wbr>).<br>
> ><br>
> > And functions linphone_core_update_upnp_<wbr>from_remote_media_description(<wbr>)<br>
> > and linphone_core_update_ice_from_<wbr>remote_media_description() then<br>
> > dereference md argument without doing any check for NULL.<br>
> ><br>
> > for (i = 0; i < md->n_total_streams; i++) {<br>
> ><br>
> > if ((md->ice_pwd[0] != '\0') && (md->ice_ufrag[0] != '\0')) {<br>
> ><br>
> > So check for NULL pointer needs to be done to fix this problem.<br>
> > Otherwise whole linphone application is unusable as it is not possible<br>
> > to receive any call.<br>
> ><br>
> > --<br>
> > Pali Rohár<br>
> > <a href="mailto:pali.rohar@gmail.com">pali.rohar@gmail.com</a><br>
> ><br>
> > ______________________________<wbr>_________________<br>
> > Linphone-developers mailing list<br>
> > <a href="mailto:Linphone-developers@nongnu.org">Linphone-developers@nongnu.org</a><br>
> > <a href="https://lists.nongnu.org/mailman/listinfo/linphone-developers" rel="noreferrer" target="_blank">https://lists.nongnu.org/<wbr>mailman/listinfo/linphone-<wbr>developers</a><br>
> ><br>
> ><br>
> <br>
> <br>
<br>
-- <br>
</div></div><span class="HOEnZb"><font color="#888888">Pali Rohár<br>
<a href="mailto:pali.rohar@gmail.com">pali.rohar@gmail.com</a><br>
</font></span></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div>Sincerely,</div><div dir="ltr"><br></div><div dir="ltr">Russell Treleaven<div><a href="mailto:sip%3Artreleaven@sip.bunnykick.ca" target="_blank">sip:rtreleaven@sip.bunnykick.ca</a></div><div><br></div></div></div></div></div>
</div>