<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"><meta name="Generator" content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";
        mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
span.EmailStyle17
        {mso-style-type:personal-compose;
        font-family:"Calibri","sans-serif";
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-family:"Calibri","sans-serif";
        mso-fareast-language:EN-US;}
@page WordSection1
        {size:612.0pt 792.0pt;
        margin:70.85pt 70.85pt 2.0cm 70.85pt;}
div.WordSection1
        {page:WordSection1;}
--></style></head><body lang="DE" link="blue" vlink="purple"><div class="WordSection1"><p class="MsoNormal"><span lang="EN-US">When running a long-term session, libnice wants to refresh a TURN connection 1 min before connection lifetime ends.</span></p><p class="MsoNormal"><span lang="EN-US">I observed a crash in agent_unlock_and_emit()</span></p><p class="MsoNormal"><span lang="EN-US"> </span></p><p class="MsoNormal"><span lang="EN-US">The potential issue seems to be in conncheck.c <br>priv_turn_allocate_refresh_retransmissions_tick()</span></p><p class="MsoNormal"><span lang="EN-US"> </span></p><p class="MsoNormal"><span lang="EN-US">In the case STUN_USAGE_TIMER_RETURN_TIMEOUT:</span></p><p class="MsoNormal"><span lang="EN-US">refresh_cancel() is called invalidating the cand structure passed in.</span></p><p class="MsoNormal"><span lang="EN-US">At the end of the priv_turn_allocate_refresh_retransmissions_tick()</span></p><p class="MsoNormal"><span lang="EN-US">agent_unlock_and_emit( cand->agent ) is called with an invalid pointer to agent, which leads to the crash.</span></p><p class="MsoNormal"><span lang="EN-US"> </span></p><p class="MsoNormal"><span lang="EN-US">Modifying the code:</span></p><p class="MsoNormal"><span lang="EN-US"> </span></p><p class="MsoNormal"><span lang="EN-US">case STUN_USAGE_TIMER_RETURN_TIMEOUT:</span></p><p class="MsoNormal"><span lang="EN-US">…</span></p><p class="MsoNormal"><span lang="EN-US">…</span></p><p class="MsoNormal"><span lang="EN-US">agent_unlock_and_emit( cand->agent );</span></p><p class="MsoNormal"><span lang="EN-US">refresh_cancel(cand ) ;</span></p><p class="MsoNormal"><span lang="EN-US">return FALSE ;</span></p><p class="MsoNormal"><span lang="EN-US">…</span></p><p class="MsoNormal"><span lang="EN-US">Seems to solve the issue</span></p><p class="MsoNormal"><span lang="EN-US"> </span></p><p class="MsoNormal"><span lang="EN-US">Rgds</span></p><p class="MsoNormal"><span lang="EN-US">Klaus</span></p><p class="MsoNormal"> 
</p></div></body></html>
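The lifetime problem described in the message above, as an added example that is not part of the original message and is not libnice code: a timer callback that captures the agent pointer in a local before the refresh object is freed, so the final unlock never reads through the freed structure. All `Model*` / `model_*` names are constructed stand-ins, and the model assumes the callback takes the agent lock on entry.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-ins for the libnice types; not the library's definitions. */
typedef struct { int lock_depth; int live_refreshes; } ModelAgent;
typedef struct { ModelAgent *agent; } ModelRefresh;
typedef enum { MODEL_TIMER_RETRANSMIT, MODEL_TIMER_TIMEOUT } ModelTimerResult;

static void model_agent_lock(ModelAgent *a)   { a->lock_depth++; }
static void model_agent_unlock(ModelAgent *a) { a->lock_depth--; }

static ModelRefresh *model_refresh_new(ModelAgent *a) {
  ModelRefresh *r = malloc(sizeof *r);
  if (r == NULL) abort();
  r->agent = a;
  a->live_refreshes++;
  return r;
}

/* Plays the role of refresh_cancel(): after this call `r` must not be read. */
static void model_refresh_cancel(ModelRefresh *r) {
  r->agent->live_refreshes--;
  r->agent = NULL;   /* poison the field before the block is released */
  free(r);
}

/* Timer callback. Returns 1 to keep the timer, 0 to remove it. */
static int model_refresh_tick(ModelRefresh *cand, ModelTimerResult res) {
  ModelAgent *agent = cand->agent;  /* captured while cand is still valid */
  int keep = 1;

  model_agent_lock(agent);
  if (res == MODEL_TIMER_TIMEOUT) {
    model_refresh_cancel(cand);     /* cand is dangling from here on */
    cand = NULL;                    /* any later cand-> use is now a NULL deref */
    keep = 0;
  }
  /* The crashing pattern is the equivalent of model_agent_unlock(cand->agent)
     at this point; the local copy never touches the freed block. */
  model_agent_unlock(agent);
  return keep;
}

int main(void) {
  ModelAgent agent = {0, 0};
  int keep = model_refresh_tick(model_refresh_new(&agent), MODEL_TIMER_TIMEOUT);
  printf("keep=%d lock_depth=%d live=%d\n", keep, agent.lock_depth, agent.live_refreshes);
  return 0;
}
```

Building the real code with AddressSanitizer (`-fsanitize=address`) reports this class of bug as a heap-use-after-free at the stale `cand->agent` read instead of an intermittent crash.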
