Fix: siprec segfault when copy delete #3632

Kicey · 2025-04-22T07:17:43Z

Summary

To fix issue #3602.
In short, the siprec unreference the dialog recorded too early. After releasing the memory of the rtp_relay_ctx in dialog, check of the dialog (by pointer) is not valid. Do failover and end the recording(copy delete) both access the dialog (access call id, rtp relay context, etc). So, I try to unreference the dialog when the recording dialog ends.

Details

The code following will unreference the dialog when the transaction end,

opensips/modules/siprec/siprec.c

Lines 320 to 321 in b17f160

    
           if (srec_tm.register_tmcb(msg, 0, TMCB_RESPONSE_OUT, tm_start_recording, 
        
           		ss, tm_src_unref_session) <= 0) {

And if the recorded dialog end before the srs respond (before siprec get the b2b notify), the srec_b2b_notify's processing of the dialog will be uncertain. So, the segment fault is likely to raise here (when invoke rtp_relay copy_delete or rebuild the invite body).

To simplify the code, I invoke the src_unref_session in the srec_logic_destroy function and use the keep_sdp flag. If this is inappropriate, please let me know.

Solution

Make siprec unref the dialog when the recording end.

Compatibility

The fix works well with 3.4.11.

Closing issues

Fix: siprec segfault when copy delete

9dcce7d

bogdan-iancu requested a review from razvancrainea April 24, 2025 11:07

bogdan-iancu assigned razvancrainea Apr 24, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Fix: siprec segfault when copy delete #3632

Fix: siprec segfault when copy delete #3632

Uh oh!

Kicey commented Apr 22, 2025

Uh oh!

Uh oh!

	if (srec_tm.register_tmcb(msg, 0, TMCB_RESPONSE_OUT, tm_start_recording,
	ss, tm_src_unref_session) <= 0) {

Fix: siprec segfault when copy delete #3632

Are you sure you want to change the base?

Fix: siprec segfault when copy delete #3632

Uh oh!

Conversation

Kicey commented Apr 22, 2025

Uh oh!

Uh oh!