Hangup inside a DTMF callback causes assertion #3956

Closed
R-Jeske opened this issue May 14, 2024 · 0 comments · Fixed by #3970

Describe the bug

When I try to hang up a call inside a DTMF callback, the application crashes with an assertion in the debug build and a segfault in the release build.

Steps to reproduce

Add a hangup in the DTMF callback, e.g. in the PJSUA app:

static void call_on_dtmf_callback2(pjsua_call_id call_id, 
                                   const pjsua_dtmf_info *info)
{    
    char duration[16];
    char method[16];

    duration[0] = '\0';

    switch (info->method) {
    case PJSUA_DTMF_METHOD_RFC2833:
        pj_ansi_snprintf(method, sizeof(method), "RFC2833");
        break;
    case PJSUA_DTMF_METHOD_SIP_INFO:
        pj_ansi_snprintf(method, sizeof(method), "SIP INFO");
        pj_ansi_snprintf(duration, sizeof(duration), ":duration(%d)", 
                         info->duration);
        break;
    };    
    PJ_LOG(3,(THIS_FILE, "Incoming DTMF on call %d: %c%s, using %s method", 
           call_id, info->digit, duration, method));
+
+   pjsua_call_hangup(call_id, PJSIP_SC_GONE, NULL, NULL);
}

Scenario:

  • A calls B
  • B accepts call
  • A sends DTMF
  • B hangs up call in DTMF callback
  • B crashes after return of call_on_dtmf_callback2

PJSIP version

2.14.1

Context

Appears on all tested platforms:

  • Linux x86_64, ARM, ARM64
  • Win32

Seems to be caused by destruction of transaction in pjmedia/src/transport_udp.c caused by pjsua_call_hangup():

static void on_rx_rtp(pj_ioqueue_key_t *key,
                      pj_ioqueue_op_key_t *op_key,
                      pj_ssize_t bytes_read)
...
        //if (!discard && udp->attached && cb)
        if (!discard && 
            (-bytes_read != PJ_STATUS_FROM_OS(PJ_BLOCKING_ERROR_VAL))) 
        {
            TRACE_(("on_rx_rtp()","on_rx_rtp() 1d"));
            call_rtp_cb(udp, bytes_read, &rem_switch);  // <<< hangup is called in this callback
            TRACE_(("on_rx_rtp()","on_rx_rtp() 1e"));
        }

But afterwards the following code is called without a check whether it even exists anymore:

        status = pj_ioqueue_recvfrom(udp->rtp_key, &udp->rtp_read_op,
                                        udp->rtp_pkt, &bytes_read, 0,
                                        &udp->rtp_src_addr,
                                        &udp->rtp_addrlen);

Log, call stack, etc

09:34:57.480            pjsua_app.c  .Incoming DTMF on call 0: 5, using RFC2833 method
09:34:57.480           pjsua_call.c  .Call 0 hanging up: code=410..
09:34:57.480          pjsua_media.c  ..Call 0: deinitializing media..
09:34:57.480          pjsua_media.c  ...
  [CONFIRMED] To: sip:[email protected];tag=as4e224b8e
    Call time: 00h:00m:03s, 1st res in 254 ms, conn in 2335ms
    #0 audio PCMA @8kHz, sendrecv, peer=192.168.13.137:15274
       EC stat: Echo suppressor learning in progress at t=006.000s, tail=110 ms,
          factor min/avg=0.000/0.000
       SRTP status: Not active Crypto-suite: 
       RX pt=8, last update:00h:00m:03.360s ago
          total 179pkt 28.6KB (35.8KB +IP hdr) @avg=63.6Kbps/79.6Kbps
          pkt loss=0 (0.0%), discrd=0 (0.0%), dup=0 (0.0%), reord=0 (0.0%)
                (msec)    min     avg     max     last    dev
          loss period:   0.000   0.000   0.000   0.000   0.000
          jitter     :   0.000   0.158   0.250   0.125   0.074
       TX pt=8, ptime=20, last update:never
          total 32pkt 5.1KB (6.4KB +IP hdr) @avg=11.3Kbps/14.2Kbps
          pkt loss=0 (0.0%), dup=0 (0.0%), reorder=0 (0.0%)
                (msec)    min     avg     max     last    dev 
          loss period:   0.000   0.000   0.000   0.000   0.000
          jitter     :   0.000   0.000   0.000   0.000   0.000
       RTT msec      :   0.000   0.000   0.000   0.000   0.000
09:34:57.480      udp0x55a6985cae40  ....detach(): before locking keys
09:34:57.480      udp0x55a6985cae40  ....detach(): inside locked keys
09:34:57.480      udp0x55a6985cae40  ....UDP media transport detached
09:34:57.481          pjsua_media.c  ....Media stream call00:0 is destroyed
09:34:57.481     srtp0x55a6985c61d0  ...Destroying SRTP transport
09:34:57.481      udp0x55a6985cae40  ...UDP media transport destroyed
09:34:57.481            pjsua_app.c  ..Call 0 is DISCONNECTED [reason=410 (Gone)]
09:34:57.481           pjsua_core.c  .....TX 437 bytes Request msg BYE/cseq=32380 (tdta0x7ff6dc004178) to TCP 192.168.13.137:5060:
BYE sip:[email protected]:5060;transport=TCP SIP/2.0
Via: SIP/2.0/TCP 192.168.13.248:41507;rport;branch=z9hG4bKPj0db3ef86-d365-4ab5-8f76-384e51a347d8;alias
Max-Forwards: 70
From: sip:[email protected];tag=e829f21b-4067-4f45-ac2f-f9e912bf44b3
To: sip:[email protected];tag=as4e224b8e
Call-ID: 42f8efdc-97f3-4d08-99eb-225a89d50ae1
CSeq: 32380 BYE
User-Agent: PJSUA v2.14.1 Linux-6.5.13.7/x86_64/glibc-2.39
Content-Length:  0


--end msg--
pjsua-x86_64-pc-linux-gnu: ../src/pj/ioqueue_common_abs.c:791: pj_ioqueue_recvfrom: Assertion `key && op_key && buffer && length' failed.
Error: signal 6:
./pjsua-x86_64-pc-linux-gnu(+0x10137)[0x55a697604137]
/usr/lib/libc.so.6(+0x40770)[0x7ff6eb1d8770]
/usr/lib/libc.so.6(+0x9132c)[0x7ff6eb22932c]
/usr/lib/libc.so.6(gsignal+0x18)[0x7ff6eb1d86c8]
/usr/lib/libc.so.6(abort+0xd7)[0x7ff6eb1c04b8]
/usr/lib/libc.so.6(+0x283dc)[0x7ff6eb1c03dc]
/usr/lib/libc.so.6(+0x38d46)[0x7ff6eb1d0d46]
./pjsua-x86_64-pc-linux-gnu(+0x1ba391)[0x55a6977ae391]
./pjsua-x86_64-pc-linux-gnu(+0x1271e0)[0x55a69771b1e0]
./pjsua-x86_64-pc-linux-gnu(+0x1b9e77)[0x55a6977ade77]
./pjsua-x86_64-pc-linux-gnu(+0x1bd1cc)[0x55a6977b11cc]
./pjsua-x86_64-pc-linux-gnu(+0xf0ea6)[0x55a6976e4ea6]
./pjsua-x86_64-pc-linux-gnu(+0x1bec8b)[0x55a6977b2c8b]
/usr/lib/libc.so.6(+0x8f55a)[0x7ff6eb22755a]
/usr/lib/libc.so.6(+0x10ca3c)[0x7ff6eb2a4a3c]
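
The lifetime hazard described in this report, as an added example that is not part of the original issue, is not PJSIP code, and is not the change made in #3970: a receive handler that pins the object with a reference before running the application callback and re-checks its state before scheduling the next read. All `toy_*` and `cb_*` names are hypothetical, and the reference-counted teardown is an assumed design, not the library's.

```c
#include <stdio.h>
#include <stdlib.h>
/* Hypothetical miniature transport; none of these names are PJSIP's. */
typedef struct toy_tp toy_tp;
typedef void (*toy_rx_cb)(toy_tp *tp);
struct toy_tp {
    int       refs;      /* owners: the call, plus a running receive handler */
    int       destroyed; /* set by teardown while memory may still be pinned */
    int       rearmed;   /* number of follow-up reads scheduled */
    toy_rx_cb cb;        /* application callback invoked per packet */
};

int toy_freed;           /* counts frees so lifetime is observable */

void toy_unref(toy_tp *tp) { if (--tp->refs == 0) { free(tp); toy_freed++; } }

/* What a hangup does to the transport: mark dead, drop the call's ref. */
void toy_destroy(toy_tp *tp) { tp->destroyed = 1; toy_unref(tp); }

/* cb_hangup hangs up inside the callback, as in the modified
 * call_on_dtmf_callback2; cb_noop is the ordinary case. */
void cb_hangup(toy_tp *tp) { toy_destroy(tp); }
void cb_noop(toy_tp *tp) { (void)tp; }

toy_tp *toy_create(toy_rx_cb cb)
{
    toy_tp *tp = calloc(1, sizeof(*tp));
    if (tp) { tp->refs = 1; tp->cb = cb; }
    return tp;
}

/* Receive handler. Returns 1 if the next read was scheduled, 0 if the
 * transport was torn down inside the callback. */
int toy_on_rx(toy_tp *tp)
{
    tp->refs++;               /* memory stays valid while the callback runs */
    tp->cb(tp);
    int alive = !tp->destroyed;
    if (alive) tp->rearmed++; /* stand-in for scheduling the next read */
    toy_unref(tp);            /* frees here if the callback destroyed it */
    return alive;
}

int main(void)
{
    toy_tp *tp = toy_create(cb_hangup);
    int scheduled = tp ? toy_on_rx(tp) : -1;
    printf("scheduled=%d freed=%d\n", scheduled, toy_freed);
    return 0;
}
```

Without the extra reference, reading `tp->destroyed` after the callback would itself touch freed memory, so the liveness check and the pin have to go together.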