Bug#901244: linphone crash on every incoming call

Pali Rohár pali.rohar at gmail.com
Sun Jun 10 15:40:54 BST 2018


Package: linphone
Version: 3.6.1-3
Severity: important

Dear maintainer, linphone always crashes when there is an incoming call.
Basically it makes it unusable. I'm also CCing the linphone developers.

The most important thing for a crash is the stack trace. So here is the output from gdb:

Thread 1 "linphone" received signal SIGSEGV, Segmentation fault.
linphone_core_update_upnp_from_remote_media_description (call=call at entry=0x555555abea90, md=0x0) at upnp.c:684
684             for (i = 0; i < md->n_total_streams; i++) {

(gdb) print md
$1 = (const SalMediaDescription *) 0x0

(gdb) bt
#0  linphone_core_update_upnp_from_remote_media_description (call=call at entry=0x555555abea90, md=0x0) at upnp.c:684
#1  0x00007ffff7bb3b29 in linphone_call_new_incoming (lc=lc at entry=0x5555558a4410, from=from at entry=0x555555abe9d0, to=to at entry=0x555555abea30, op=op at entry=0x555555aa6f20) at linphonecall.c:571
#2  0x00007ffff7ba6331 in call_received (h=0x555555aa6f20) at callbacks.c:256
#3  0x00007ffff7ba0763 in inc_new_call (ev=0x7fffa0003e70, sal=0x555555990bc0) at sal_eXosip2.c:1435
#4  process_event (ev=0x7fffa0003e70, sal=0x555555990bc0) at sal_eXosip2.c:2779
#5  sal_iterate (sal=0x555555990bc0) at sal_eXosip2.c:2907
#6  0x00007ffff7b95783 in linphone_core_iterate (lc=0x5555558a4410) at linphonecore.c:2107
#7  0x000055555556c290 in ?? ()
#8  0x00007fffef5b6123 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#9  0x00007fffef5b56aa in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#10 0x00007fffef5b5a60 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#11 0x00007fffef5b5d82 in g_main_loop_run () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#12 0x00007ffff76503b7 in gtk_main () from /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
#13 0x0000555555569cfc in main ()

So linphone is trying to do a NULL pointer dereference on line 684, which
makes an instant segfault.

Looking at the problematic linphonecall.c file and the function
linphone_call_new_incoming()... there is really a logical error.

	md=sal_call_get_remote_media_description(op);
	...
	if (md) {
		...
		call->params.has_video &= linphone_core_media_description_contains_video_stream(md);
	}
	...
	linphone_core_update_ice_from_remote_media_description(call, sal_call_get_remote_media_description(op));
	...
	if (linphone_core_update_upnp_from_remote_media_description(call, sal_call_get_remote_media_description(op))<0) {

First there is a call to the sal_call_get_remote_media_description()
function and then the return value is checked for NULL.

Later there is again a call to sal_call_get_remote_media_description(),
but the return value is not checked and it is passed to the functions
linphone_core_update_ice_from_remote_media_description() and
linphone_core_update_upnp_from_remote_media_description().

And the functions linphone_core_update_upnp_from_remote_media_description()
and linphone_core_update_ice_from_remote_media_description() then
dereference the md argument without doing any check for NULL.

	for (i = 0; i < md->n_total_streams; i++) {

	if ((md->ice_pwd[0] != '\0') && (md->ice_ufrag[0] != '\0')) {

So a check for a NULL pointer needs to be done to fix this problem.
Otherwise the whole linphone application is unusable, as it is not possible
to receive any call.

-- 
Pali Rohár
pali.rohar at gmail.com
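The report above describes a description pointer that is checked once and then re-fetched and passed unchecked into two functions that dereference it. The following is an added, reduced model of that call path (not linphone's own code): the structs, the getter and the stream/ICE bodies are constructed stand-ins, with the guard the report asks for placed in the callee and the description fetched only once in the caller.

```c
#include <stddef.h>

/* Constructed stand-ins for the linphone types; only the fields the
 * report's two dereferences touch are modelled. */
typedef struct {
    int n_total_streams;
    int stream_ports[4];          /* port 0 = stream declined */
    char ice_ufrag[32];
    char ice_pwd[32];
} SalMediaDescription;

typedef struct {
    SalMediaDescription *remote_md; /* NULL when the INVITE carried no usable SDP */
} SalOp;

typedef struct {
    int upnp_streams;
    int ice_enabled;
} LinphoneCall;

static const SalMediaDescription *sal_call_get_remote_media_description(SalOp *op) {
    return op->remote_md;
}

/* Mirrors the loop at upnp.c:684 with the missing NULL check added: counts
 * streams with an open port, 0 when there is no remote description. */
int update_upnp_from_remote_md(LinphoneCall *call, const SalMediaDescription *md) {
    int i, n = 0;
    if (md == NULL) return 0;             /* the check the report asks for */
    for (i = 0; i < md->n_total_streams && i < 4; i++)
        if (md->stream_ports[i] != 0) n++;
    call->upnp_streams = n;
    return n;
}

/* Mirrors the ice_pwd/ice_ufrag test from the report, guarded the same way. */
int update_ice_from_remote_md(LinphoneCall *call, const SalMediaDescription *md) {
    if (md == NULL) return 0;
    call->ice_enabled = (md->ice_pwd[0] != '\0') && (md->ice_ufrag[0] != '\0');
    return call->ice_enabled;
}

/* Fixed shape of the incoming-call path: fetch the description once and pass
 * the same (possibly NULL) pointer to every consumer. Returns -1 on failure. */
int new_incoming_call(LinphoneCall *call, SalOp *op) {
    const SalMediaDescription *md = sal_call_get_remote_media_description(op);
    update_ice_from_remote_md(call, md);
    if (update_upnp_from_remote_md(call, md) < 0) return -1;
    return 0;
}
```

With a NULL description the call now completes with no streams and no ICE instead of faulting, which is the behaviour a missing-SDP INVITE should get.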