path: root/src/app.c
Age | Commit message | Author | Files | Lines
2017-03-06 | mncc: Fix use after free on mncc socket disconnection | Holger Hans Peter Freyther | 1 | -5/+12
When the MNCC socket breaks down we would release all calls but when there is no remote call the call would be released before if (call->remote) ... is being executed leading to a use after free.

Fix it by copying the legs first and assuming the call will be gone after that.

==3618== Invalid read of size 4
==3618==    at 0x804A18A: app_mncc_disconnected (app.c:49)
==3618==    by 0x804B52D: close_connection (mncc.c:255)
==3618==    by 0x804BCFA: mncc_rtp_send.constprop.13 (mncc.c:145)
==3618==    by 0x804CC86: check_setup (mncc.c:435)
==3618==    by 0x804CC86: mncc_data (mncc.c:795)
==3618==    by 0x42FCF94: osmo_fd_disp_fds (select.c:167)
==3618==    by 0x804D1F2: evpoll (evpoll.c:92)
==3618==    by 0x4205053: ??? (in /lib/i386-linux-gnu/libglib-2.0.so.0.4200.1)
==3618==    by 0x4205478: g_main_loop_run (in /lib/i386-linux-gnu/libglib-2.0.so.0.4200.1)
==3618==    by 0x8049AA6: main (main.c:171)
==3618==  Address 0x47f3258 is 64 bytes inside a block of size 76 free'd
==3618==    at 0x402A3A8: free (vg_replace_malloc.c:473)
==3618==    by 0x42E7FD1: ??? (in /usr/lib/i386-linux-gnu/libtalloc.so.2.1.5)
==3618==    by 0x804A3FD: call_leg_release (call.c:87)
==3618==    by 0x804A186: app_mncc_disconnected (app.c:48)
==3618==    by 0x804B52D: close_connection (mncc.c:255)
==3618==    by 0x804BCFA: mncc_rtp_send.constprop.13 (mncc.c:145)
==3618==    by 0x804CC86: check_setup (mncc.c:435)
==3618==    by 0x804CC86: mncc_data (mncc.c:795)
==3618==    by 0x42FCF94: osmo_fd_disp_fds (select.c:167)
==3618==    by 0x804D1F2: evpoll (evpoll.c:92)
==3618==    by 0x4205053: ??? (in /lib/i386-linux-gnu/libglib-2.0.so.0.4200.1)
==3618==    by 0x4205478: g_main_loop_run (in /lib/i386-linux-gnu/libglib-2.0.so.0.4200.1)
==3618==    by 0x8049AA6: main (main.c:171)
==3618==

Change-Id: I1889013ed315f896e4295358f6daf76ce523dc2a
2017-03-06 | call: Fix call release handling on mncc connection loss | Holger Hans Peter Freyther | 1 | -2/+2
The app_mncc_disconnected will be called when the MNCC socket is down and lead to all calls being released. It directly released the call but did not stop the MNCC CMD timer. Go through the call release callback.

==3618==    at 0x804A18A: app_mncc_disconnected (app.c:49)
==3618==    by 0x804B52D: close_connection (mncc.c:255)

This led to the timer not being removed:

==3593== Invalid read of size 4
==3593==    at 0x4305D42: rb_first (rbtree.c:294)
==3593==    by 0x42FCB37: osmo_timers_update (timer.c:220)
==3593==    by 0x804D1D5: evpoll (evpoll.c:89)
==3593==    by 0x4205053: ??? (in /lib/i386-linux-gnu/libglib-2.0.so.0.4200.1)
==3593==    by 0x4205478: g_main_loop_run (in /lib/i386-linux-gnu/libglib-2.0.so.0.4200.1)
==3593==    by 0x8049AA6: main (main.c:171)
==3593==  Address 0x47f3380 is 232 bytes inside a block of size 272 free'd
==3593==    at 0x402A3A8: free (vg_replace_malloc.c:473)
==3593==    by 0x42E7FD1: ??? (in /usr/lib/i386-linux-gnu/libtalloc.so.2.1.5)
==3593==    by 0x804A3C4: call_leg_release (call.c:83)
==3593==    by 0x804A188: app_mncc_disconnected (app.c:48)
==3593==    by 0x804B52D: close_connection (mncc.c:255)
==3593==    by 0x804BCFA: mncc_rtp_send.constprop.13 (mncc.c:145)
==3593==    by 0x804CC86: check_setup (mncc.c:435)
==3593==    by 0x804CC86: mncc_data (mncc.c:795)
==3593==    by 0x42FCF94: osmo_fd_disp_fds (select.c:167)
==3593==    by 0x804D1F2: evpoll (evpoll.c:92)
==3593==    by 0x4205053: ??? (in /lib/i386-linux-gnu/libglib-2.0.so.0.4200.1)
==3593==    by 0x4205478: g_main_loop_run (in /lib/i386-linux-gnu/libglib-2.0.so.0.4200.1)
==3593==    by 0x8049AA6: main (main.c:171)

Change-Id: I2e8e14b3983f84c9be046bbd96bbcd1e5766993e
2016-04-04 | sip/call/mncc: Move source/dest into the call structure | Holger Hans Peter Freyther | 1 | -7/+17
In preparation of a better show calls VTY command it is of interest to know which number has been dialed by whom. For that store the source/dest in there.

MNCC: Change the talloc root context to the call and don't try to free the strings after calling the routing code
SIP: Use talloc_strdup to duplicate them.
Call: Add null check because the talloc_strdup of the SIP layer could have failed.
2016-03-31 | coverity: Address two issues found by coverity | Holger Hans Peter Freyther | 1 | -2/+4
Add NULL check in the case of MNCC disconnect that was missing and add an assert to show that at this point the other leg must exist. Fixes: CID#80799, CID#80800, 80801
2016-03-27 | mncc: Begin to implement MT call handling for SIP->MNCC | Holger Hans Peter Freyther | 1 | -5/+9
Initiate the setup request that should result in the call getting all the way to the connected state at some point in time. The device I test with sadly rejects the call too soon.
2016-03-26 | sip/app: Route call from SIP to MNCC and deal with the release | Holger Hans Peter Freyther | 1 | -1/+1
Fix releasing of the leg in case it is not routable and make the differentiation if we initiated the invite (send CANCEL) or send a final error. The error code was randomly picked and once we have an enum of causes we can decide where to map it to.
2016-03-26 | app: Translate payload name to IETF codec name | Holger Hans Peter Freyther | 1 | -0/+16
Convert the MNCC codec type to the IETF codec name.
2016-03-26 | app: Ask the sip side to create a leg | Holger Hans Peter Freyther | 1 | -2/+2
Create SIP leg and if it is failing release the call
2016-03-26 | app: Release the call by releasing the initial request | Holger Hans Peter Freyther | 1 | -1/+1
This will then go through the release procedure of the relevant call instead of letting it time out on the initial leg.
2016-03-23 | call: Continue up to the point of call routing | Holger Hans Peter Freyther | 1 | -0/+17
We accept the call on MNCC and ask the core to select/create the second leg of the call.
2016-03-22 | call: Add a backpointer from leg to call and drop the argument | Holger Hans Peter Freyther | 1 | -2/+2
Simplify the structure by either working with a call or just a leg of it. No need to carry both pointers all the time.
2016-03-22 | call/app: Hook the MNCC disconnect event in the app and release calls | Holger Hans Peter Freyther | 1 | -0/+57
In case the MNCC server is crashing we need to release all calls, use the event emitted by the MNCC connection and iterate over all calls and call the release function.