Bug#901244: [Linphone-developers] linphone crash on every incoming call

Pali Rohár pali.rohar at gmail.com
Tue Jul 10 14:09:39 BST 2018


That is the version available in the current Debian Stretch stable release.
Therefore I reported it.

On Saturday 07 July 2018 09:27:47 Russell Treleaven wrote:
> That version of linphone is ancient.
> Please see http://linphone.org/technical-corner/linphone/downloads
> 
> On Sun, Jun 10, 2018 at 10:40 AM, Pali Rohár <pali.rohar at gmail.com> wrote:
> 
> > Package: linphone
> > Version: 3.6.1-3
> > Severity: important
> >
> > Dear maintainer, linphone always crashes when there is an incoming call.
> > Basically it makes it unusable. I'm also CCing the linphone developers.
> >
> > The most important thing for a crash is the stack trace. So here is the output from gdb:
> >
> > Thread 1 "linphone" received signal SIGSEGV, Segmentation fault.
> > linphone_core_update_upnp_from_remote_media_description (call=call@entry=0x555555abea90, md=0x0) at upnp.c:684
> > 684             for (i = 0; i < md->n_total_streams; i++) {
> >
> > (gdb) print md
> > $1 = (const SalMediaDescription *) 0x0
> >
> > (gdb) bt
> > #0  linphone_core_update_upnp_from_remote_media_description (call=call@entry=0x555555abea90, md=0x0) at upnp.c:684
> > #1  0x00007ffff7bb3b29 in linphone_call_new_incoming (lc=lc@entry=0x5555558a4410, from=from@entry=0x555555abe9d0, to=to@entry=0x555555abea30, op=op@entry=0x555555aa6f20) at linphonecall.c:571
> > #2  0x00007ffff7ba6331 in call_received (h=0x555555aa6f20) at callbacks.c:256
> > #3  0x00007ffff7ba0763 in inc_new_call (ev=0x7fffa0003e70, sal=0x555555990bc0) at sal_eXosip2.c:1435
> > #4  process_event (ev=0x7fffa0003e70, sal=0x555555990bc0) at sal_eXosip2.c:2779
> > #5  sal_iterate (sal=0x555555990bc0) at sal_eXosip2.c:2907
> > #6  0x00007ffff7b95783 in linphone_core_iterate (lc=0x5555558a4410) at linphonecore.c:2107
> > #7  0x000055555556c290 in ?? ()
> > #8  0x00007fffef5b6123 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
> > #9  0x00007fffef5b56aa in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
> > #10 0x00007fffef5b5a60 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
> > #11 0x00007fffef5b5d82 in g_main_loop_run () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
> > #12 0x00007ffff76503b7 in gtk_main () from /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
> > #13 0x0000555555569cfc in main ()
> >
> > So linphone is trying to do a NULL pointer dereference on line 684, which
> > causes an instant segfault.
> >
> > Looking at the problematic libphonecall.c file and the function
> > linphone_call_new_incoming()... there really is a logical error.
> >
> >         md=sal_call_get_remote_media_description(op);
> >         ...
> >         if (md) {
> >                 ...
> >                 call->params.has_video &= linphone_core_media_description_contains_video_stream(md);
> >         }
> >         ...
> >         linphone_core_update_ice_from_remote_media_description(call, sal_call_get_remote_media_description(op));
> >         ...
> >         if (linphone_core_update_upnp_from_remote_media_description(call, sal_call_get_remote_media_description(op))<0) {
> >
> > First there is a call to the sal_call_get_remote_media_description()
> > function and then the return value is checked for NULL.
> >
> > Later there is another call to sal_call_get_remote_media_description()
> > but the return value is not checked and it is passed to the functions
> > linphone_core_update_ice_from_remote_media_description() and
> > linphone_core_update_upnp_from_remote_media_description().
> >
> > And the functions linphone_core_update_upnp_from_remote_media_description()
> > and linphone_core_update_ice_from_remote_media_description() then
> > dereference the md argument without doing any check for NULL.
> >
> >         for (i = 0; i < md->n_total_streams; i++) {
> >
> >         if ((md->ice_pwd[0] != '\0') && (md->ice_ufrag[0] != '\0')) {
> >
> > So a check for a NULL pointer needs to be done to fix this problem.
> > Otherwise the whole linphone application is unusable, as it is not possible
> > to receive any call.
> >
> > --
> > Pali Rohár
> > pali.rohar at gmail.com
> >

-- 
Pali Rohár
pali.rohar at gmail.com
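
Added example (not part of the original message and not linphone's code): a minimal C reduction of the pattern described in the quoted report, where a getter's result is NULL-checked on the first call but passed unchecked on a later call, shown beside a form that fetches once and checks before use. The types and function names (MediaDesc, Op, Call, get_remote_md, update_upnp_*, new_incoming_*) are constructed stand-ins, and returning 0 when no description is present is an assumption of this sketch.

```c
#include <stddef.h>

/* Constructed stand-ins; not linphone's real types or functions. */
typedef struct { int n_total_streams; int has_video; } MediaDesc;
typedef struct { const MediaDesc *remote_md; } Op; /* NULL: no remote description */
typedef struct { int has_video; int upnp_streams; } Call;

static const MediaDesc *get_remote_md(const Op *op) { return op->remote_md; }

/* Callee as in the report: dereferences md with no NULL check. */
static int update_upnp_unchecked(Call *call, const MediaDesc *md) {
    call->upnp_streams = 0;
    for (int i = 0; i < md->n_total_streams; i++) call->upnp_streams++;
    return 0;
}

/* Hardened callee: a missing description is an error, never dereferenced. */
static int update_upnp_checked(Call *call, const MediaDesc *md) {
    if (md == NULL) return -1;
    return update_upnp_unchecked(call, md);
}

/* Pattern from the report: first result is checked, the re-fetched one is not. */
int new_incoming_buggy(Call *call, const Op *op) {
    const MediaDesc *md = get_remote_md(op);
    if (md) call->has_video &= md->has_video;
    return update_upnp_unchecked(call, get_remote_md(op)); /* SIGSEGV if NULL */
}

/* Fix: fetch once, reuse the checked pointer, skip media steps if it is NULL. */
int new_incoming_fixed(Call *call, const Op *op) {
    const MediaDesc *md = get_remote_md(op);
    if (md == NULL) return 0; /* assumption: nothing to update, call proceeds */
    call->has_video &= md->has_video;
    return update_upnp_checked(call, md);
}

int main(void) {
    Call call = {1, 0};
    Op no_md = { NULL };
    /* The input that crashes new_incoming_buggy() is handled here. */
    return new_incoming_fixed(&call, &no_md);
}
```

Checking in both the caller and the callee keeps the callee safe if another call site later passes an unchecked pointer.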


