Bug#901244: [Linphone-developers] linphone crash on every incoming call
Russell Treleaven
rtreleaven at bunnykick.ca
Tue Jul 10 14:10:20 BST 2018
Good work.
On Tue, Jul 10, 2018 at 9:09 AM, Pali Rohár <pali.rohar at gmail.com> wrote:
> That is the version available in the current Debian Stretch stable release.
> Therefore I reported it.
>
> On Saturday 07 July 2018 09:27:47 Russell Treleaven wrote:
> > That version of linphone is ancient.
> > Please see http://linphone.org/technical-corner/linphone/downloads
> >
> > On Sun, Jun 10, 2018 at 10:40 AM, Pali Rohár <pali.rohar at gmail.com> wrote:
> >
> > > Package: linphone
> > > Version: 3.6.1-3
> > > Severity: important
> > >
> > > Dear maintainer, linphone always crashes when there is an incoming call.
> > > Basically it makes it unusable. I'm CCing also the linphone developers.
> > >
> > > The most important thing for a crash is the stack trace. So here is the output from gdb:
> > >
> > > Thread 1 "linphone" received signal SIGSEGV, Segmentation fault.
> > > linphone_core_update_upnp_from_remote_media_description (call=call@entry=0x555555abea90, md=0x0) at upnp.c:684
> > > 684 for (i = 0; i < md->n_total_streams; i++) {
> > >
> > > (gdb) print md
> > > $1 = (const SalMediaDescription *) 0x0
> > >
> > > (gdb) bt
> > > #0 linphone_core_update_upnp_from_remote_media_description (call=call@entry=0x555555abea90, md=0x0) at upnp.c:684
> > > #1 0x00007ffff7bb3b29 in linphone_call_new_incoming (lc=lc@entry=0x5555558a4410, from=from@entry=0x555555abe9d0, to=to@entry=0x555555abea30, op=op@entry=0x555555aa6f20) at linphonecall.c:571
> > > #2 0x00007ffff7ba6331 in call_received (h=0x555555aa6f20) at callbacks.c:256
> > > #3 0x00007ffff7ba0763 in inc_new_call (ev=0x7fffa0003e70, sal=0x555555990bc0) at sal_eXosip2.c:1435
> > > #4 process_event (ev=0x7fffa0003e70, sal=0x555555990bc0) at sal_eXosip2.c:2779
> > > #5 sal_iterate (sal=0x555555990bc0) at sal_eXosip2.c:2907
> > > #6 0x00007ffff7b95783 in linphone_core_iterate (lc=0x5555558a4410) at linphonecore.c:2107
> > > #7 0x000055555556c290 in ?? ()
> > > #8 0x00007fffef5b6123 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
> > > #9 0x00007fffef5b56aa in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
> > > #10 0x00007fffef5b5a60 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
> > > #11 0x00007fffef5b5d82 in g_main_loop_run () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
> > > #12 0x00007ffff76503b7 in gtk_main () from /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
> > > #13 0x0000555555569cfc in main ()
> > >
> > > So linphone is trying to do a NULL pointer dereference on line 684 which
> > > makes an instant segfault.
> > >
> > > Looking at the problematic linphonecall.c file and function
> > > linphone_call_new_incoming()... and there is really a logical error.
> > >
> > > md=sal_call_get_remote_media_description(op);
> > > ...
> > > if (md) {
> > > ...
> > > call->params.has_video &= linphone_core_media_description_contains_video_stream(md);
> > > }
> > > ...
> > > linphone_core_update_ice_from_remote_media_description(call, sal_call_get_remote_media_description(op));
> > > ...
> > > if (linphone_core_update_upnp_from_remote_media_description(call, sal_call_get_remote_media_description(op))<0) {
> > >
> > > First there is a call to the sal_call_get_remote_media_description()
> > > function and then the return value is checked for NULL.
> > >
> > > Later there is again a call to sal_call_get_remote_media_description()
> > > but the return value is not checked and it is passed to the functions
> > > linphone_core_update_ice_from_remote_media_description() and
> > > linphone_core_update_upnp_from_remote_media_description().
> > >
> > > And the functions linphone_core_update_upnp_from_remote_media_description()
> > > and linphone_core_update_ice_from_remote_media_description() then
> > > dereference the md argument without doing any check for NULL.
> > >
> > > for (i = 0; i < md->n_total_streams; i++) {
> > >
> > > if ((md->ice_pwd[0] != '\0') && (md->ice_ufrag[0] != '\0')) {
> > >
> > > So a check for the NULL pointer needs to be done to fix this problem.
> > > Otherwise the whole linphone application is unusable as it is not possible
> > > to receive any call.
> > >
> > > --
> > > Pali Rohár
> > > pali.rohar at gmail.com
> > >
> > > _______________________________________________
> > > Linphone-developers mailing list
> > > Linphone-developers at nongnu.org
> > > https://lists.nongnu.org/mailman/listinfo/linphone-developers
> > >
> > >
> >
> >
>
> --
> Pali Rohár
> pali.rohar at gmail.com
>
--
Sincerely,
Russell Treleaven
sip:rtreleaven at sip.bunnykick.ca
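The defect Pali walks through above, modelled as an added C example that is not linphone's code: the getter is called once, its single result is NULL-checked, and both updaters refuse NULL instead of dereferencing it. All type layouts, the helper names get_remote_md, update_ice, update_upnp and new_incoming, and the two scenario functions are assumptions; only the field names follow the report.

```c
#include <stddef.h>

/* Constructed stand-ins for linphone's types: field names follow the report, layouts are hypothetical. */
typedef struct { int n_total_streams; char ice_ufrag[32]; char ice_pwd[32]; } SalMediaDescription;
typedef struct { const SalMediaDescription *remote_md; } SalOp;   /* NULL when the INVITE carried no SDP */
typedef struct { int has_video; int ice_ready; int upnp_streams; } LinphoneCall;

/* Plays the role of sal_call_get_remote_media_description(): it can legitimately return NULL. */
static const SalMediaDescription *get_remote_md(const SalOp *op) { return op->remote_md; }

/* Guarded counterparts of the two updaters: they refuse NULL instead of dereferencing it. */
static int update_ice(LinphoneCall *call, const SalMediaDescription *md) {
    if (md == NULL) return -1;
    if (md->ice_pwd[0] != '\0' && md->ice_ufrag[0] != '\0') call->ice_ready = 1;
    return 0;
}

static int update_upnp(LinphoneCall *call, const SalMediaDescription *md) {
    int i;
    if (md == NULL) return -1;                       /* the check missing before upnp.c:684 */
    for (i = 0; i < md->n_total_streams; i++) call->upnp_streams++;
    return 0;
}

/* Hardened shape of linphone_call_new_incoming(): call the getter once, check that one result,
   and route every later use through the checked pointer. The crashing version called the getter
   again after its if (md) block and handed the unchecked result to the updaters. */
int new_incoming(LinphoneCall *call, const SalOp *op) {
    const SalMediaDescription *md = get_remote_md(op);
    call->has_video = 1;
    if (md == NULL) return -1;                       /* no remote SDP: skip ICE/uPnP, do not fault */
    call->has_video &= (md->n_total_streams > 1);    /* stands in for ..._contains_video_stream(md) */
    if (update_ice(call, md) < 0) return -1;
    return update_upnp(call, md);
}

/* Constructed scenarios: an INVITE without an SDP body, and one carrying two streams. */
int incoming_without_sdp(void) {
    SalOp op = { NULL };
    LinphoneCall call = { 0, 0, 0 };
    return new_incoming(&call, &op);                 /* -1 and no crash */
}
int incoming_with_sdp(void) {
    SalMediaDescription md = { 2, "ufrag", "pwd" };
    SalOp op = { &md };
    LinphoneCall call = { 0, 0, 0 };
    if (new_incoming(&call, &op) != 0) return -1;
    return call.upnp_streams + 10 * call.ice_ready + 100 * call.has_video;  /* 112 */
}
```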