Fix port ID reuse when quickly removing and adding conference bridge ports (#4722)

Copilot · nanangizz · web-flow · commit fa7f7e21021d · 2026-01-05T13:28:42.000+07:00
* Initial plan

* Fix port ID reuse by freeing slot after removal callback

Move conf slot freeing from op_remove_port() to new op_remove_port2()
function that is called after the callback in handle_op_queue(). This
ensures port IDs remain unique - a slot won't be reused until after
the removal callback has been invoked.

Changes:
- Added op_remove_port2() to free the conf slot after callback
- Modified handle_op_queue() to call op_remove_port2() after callback for REMOVE_PORT ops
- Removed slot freeing code from op_remove_port() (moved to op_remove_port2())
- Updated log messages to distinguish "Removing" vs "Removed" states

Co-authored-by: nanangizz &lt;24786011+nanangizz@users.noreply.github.com&gt;

* Apply slot freeing after callback to synchronous removals too

Also call op_remove_port2() after callback in synchronous port removal
cases (pjmedia_conf_destroy and immediate removal in pjmedia_conf_remove_port).
This ensures consistent behavior whether removal is queued or synchronous.

Co-authored-by: nanangizz &lt;24786011+nanangizz@users.noreply.github.com&gt;

* Address code review feedback: fix mutex and add warning log

- Read port_cnt before releasing mutex to avoid inconsistent log output
- Add warning log when port is already freed to diagnose unexpected scenarios

Co-authored-by: nanangizz &lt;24786011+nanangizz@users.noreply.github.com&gt;

* Apply port ID reuse fix to conf_thread.c and vid_conf.c

Extended the fix for port ID reuse to conf_thread.c and vid_conf.c:
- Added op_remove_port2() function to both files
- Modified handle_op_queue() to call op_remove_port2() after callback
- Updated synchronous removal paths in destroy functions
- Moved slot freeing from op_remove_port() to op_remove_port2()

This ensures port IDs remain unique across all conference bridge implementations.

Co-authored-by: nanangizz &lt;24786011+nanangizz@users.noreply.github.com&gt;

* Fix heap-use-after-free in op_remove_port2

Moved port count decrement and active_listener cleanup from op_remove_port2()
to op_remove_port() to happen BEFORE the port is destroyed. This prevents
accessing freed memory in op_remove_port2().

The issue was that op_remove_port() would destroy the conf_port structure,
then op_remove_port2() would try to access conf_port-&gt;is_new from the freed
structure, causing a heap-use-after-free error detected by AddressSanitizer.

Fixed in all three conference bridge implementations:
- conference.c
- conf_thread.c
- vid_conf.c

Co-authored-by: nanangizz &lt;24786011+nanangizz@users.noreply.github.com&gt;

* Move port destruction to op_remove_port2 for consistent port count

Moved port destruction and port count decrement from op_remove_port() to
op_remove_port2() so that these operations happen after the callback is
invoked. This ensures the port count remains consistent throughout the
removal process.

Now the flow is:
1. op_remove_port() - Disconnects port and prepares for removal
2. Callback is invoked
3. op_remove_port2() - Frees slot, updates port count, and destroys port

This prevents the port count from changing before the callback, which could
confuse applications monitoring port counts.

Applied to all three conference bridge implementations.

Co-authored-by: nanangizz &lt;24786011+nanangizz@users.noreply.github.com&gt;

* Move active_listener cleanup to op_remove_port for clarity

Moved the active_listener array cleanup from op_remove_port2() to
op_remove_port() for better code clarity. This operation doesn't need
to happen after the callback and doesn't access any freed memory, so
it's safer and clearer to do it in op_remove_port().

Now op_remove_port2() is focused on only the very final steps:
- Free the slot
- Update port count
- Destroy the port

This makes the code easier to understand and maintain.

Co-authored-by: nanangizz &lt;24786011+nanangizz@users.noreply.github.com&gt;

---------

Co-authored-by: copilot-swe-agent[bot] &lt;198982749+Copilot@users.noreply.github.com&gt;
Co-authored-by: nanangizz &lt;24786011+nanangizz@users.noreply.github.com&gt;
diff --git a/pjmedia/src/pjmedia/conf_thread.c b/pjmedia/src/pjmedia/conf_thread.c
@@ -477,6 +477,8 @@ static pj_status_t op_add_port(pjmedia_conf *conf,
                                const pjmedia_conf_op_param *prm);
 static pj_status_t op_remove_port(pjmedia_conf *conf,
                                   const pjmedia_conf_op_param *prm);
+static void op_remove_port2(pjmedia_conf *conf,
+                            const pjmedia_conf_op_param *prm);
 static pj_status_t op_connect_ports(pjmedia_conf *conf,
                                     const pjmedia_conf_op_param *prm);
 static pj_status_t op_disconnect_ports(pjmedia_conf *conf,
@@ -557,6 +559,11 @@ static void handle_op_queue(pjmedia_conf *conf)
             (*conf->cb)(&info);
             pj_log_pop_indent();
         }
+
+        /* Free the conf slot after callback for remove port operation */
+        if (type == PJMEDIA_CONF_OP_REMOVE_PORT) {
+            op_remove_port2(conf, &param);
+        }
     }
 }
 
@@ -1298,6 +1305,8 @@ PJ_DEF(pj_status_t) pjmedia_conf_destroy( pjmedia_conf *conf )
                 (*conf->cb)(&op_info);
                 pj_log_pop_indent();
             }
+            /* Free the conf slot after callback */
+            op_remove_port2(conf, &oprm);
         }
     }
 
@@ -2333,6 +2342,9 @@ PJ_DEF(pj_status_t) pjmedia_conf_remove_port( pjmedia_conf *conf,
                 pj_log_pop_indent();
             }
 
+            /* Free the conf slot after callback */
+            op_remove_port2(conf, &prm);
+
             pj_log_pop_indent();
             return PJ_SUCCESS;
         }
@@ -2404,14 +2416,8 @@ static pj_status_t op_remove_port(pjmedia_conf *conf,
     }
 
     pj_assert( !is_port_connected( conf_port ) );
-    /* Remove the port. */
-    //pj_mutex_lock(conf->mutex);
-    conf->ports[port] = NULL;
-    //pj_mutex_unlock(conf->mutex);
-
-    if (!conf_port->is_new)
-        --conf->port_cnt;
 
+    /* Remove from active_listener array if needed */
     if (conf_port->is_active_listener) {
         pj_uint32_t idx;
         pj_assert(conf->upper_bound_reg);
@@ -2425,22 +2431,55 @@ static pj_status_t op_remove_port(pjmedia_conf *conf,
         }
     }
 
-    PJ_LOG(4, (THIS_FILE, "Removed port %d (%.*s), port count=%d",
-               port, (int)conf_port->name.slen, conf_port->name.ptr,
-               conf->port_cnt));
+    PJ_LOG(4, (THIS_FILE, "Removing port %d (%.*s)",
+               port, (int)conf_port->name.slen, conf_port->name.ptr));
+
+    return PJ_SUCCESS;
+}
+
+
+/*
+ * Free the conf slot after port removal. This is called after the
+ * removal callback to ensure port IDs remain unique.
+ */
+static void op_remove_port2(pjmedia_conf *conf,
+                            const pjmedia_conf_op_param *prm)
+{
+    unsigned port = prm->remove_port.port;
+    struct conf_port *conf_port;
+
+    //pj_mutex_lock(conf->mutex);
+
+    conf_port = conf->ports[port];
+    if (conf_port == NULL) {
+        /* Already freed, perhaps by concurrent operation */
+        //pj_mutex_unlock(conf->mutex);
+        PJ_LOG(4,(THIS_FILE,"Port %d already freed", port));
+        return;
+    }
+
+    /* Remove the port. */
+    conf->ports[port] = NULL;
+
+    /* Update port count */
+    if (!conf_port->is_new)
+        --conf->port_cnt;
 
     pj_assert(conf->port_cnt >= conf->upper_bound_reg);
 
+    //pj_mutex_unlock(conf->mutex);
+
+    PJ_LOG(4, (THIS_FILE, "Removed port %d, port count=%d",
+               port, conf->port_cnt));
+
     /* Return conf_port slot to unused slots cache. */
     conf_release_port( conf, port );
 
-    /* Decrease conf port ref count */
+    /* Decrease conf port ref count and destroy */
     if (conf_port->port && conf_port->port->grp_lock)
         pj_grp_lock_dec_ref(conf_port->port->grp_lock);
     else
         destroy_conf_port(conf_port);
-
-    return PJ_SUCCESS;
 }
 
 static void destroy_conf_port( struct conf_port *conf_port )
diff --git a/pjmedia/src/pjmedia/conference.c b/pjmedia/src/pjmedia/conference.c
@@ -292,6 +292,8 @@ static pj_status_t op_add_port(pjmedia_conf *conf,
                                const pjmedia_conf_op_param *prm);
 static pj_status_t op_remove_port(pjmedia_conf *conf,
                                   const pjmedia_conf_op_param *prm);
+static void op_remove_port2(pjmedia_conf *conf,
+                            const pjmedia_conf_op_param *prm);
 static pj_status_t op_connect_ports(pjmedia_conf *conf,
                                     const pjmedia_conf_op_param *prm);
 static pj_status_t op_disconnect_ports(pjmedia_conf *conf,
@@ -373,6 +375,11 @@ static void handle_op_queue(pjmedia_conf *conf)
             (*conf->cb)(&info);
             pj_log_pop_indent();
         }
+
+        /* Free the conf slot after callback for remove port operation */
+        if (type == PJMEDIA_CONF_OP_REMOVE_PORT) {
+            op_remove_port2(conf, &param);
+        }
     }
 }
 
@@ -920,6 +927,8 @@ PJ_DEF(pj_status_t) pjmedia_conf_destroy( pjmedia_conf *conf )
                 (*conf->cb)(&op_info);
                 pj_log_pop_indent();
             }
+            /* Free the conf slot after callback */
+            op_remove_port2(conf, &oprm);
         }
     }
 
@@ -1834,6 +1843,9 @@ PJ_DEF(pj_status_t) pjmedia_conf_remove_port( pjmedia_conf *conf,
                 pj_log_pop_indent();
             }
 
+            /* Free the conf slot after callback */
+            op_remove_port2(conf, &prm);
+
             pj_log_pop_indent();
             return PJ_SUCCESS;
         }
@@ -1926,25 +1938,50 @@ static pj_status_t op_remove_port(pjmedia_conf *conf,
         conf_port->port = NULL;
     }
 
-    /* Remove the port. */
+    PJ_LOG(4,(THIS_FILE,"Removing port %d (%.*s)",
+              port, (int)conf_port->name.slen, conf_port->name.ptr));
+
+    return PJ_SUCCESS;
+}
+
+
+/*
+ * Free the conf slot after port removal. This is called after the
+ * removal callback to ensure port IDs remain unique.
+ */
+static void op_remove_port2(pjmedia_conf *conf,
+                            const pjmedia_conf_op_param *prm)
+{
+    unsigned port = prm->remove_port.port;
+    struct conf_port *conf_port;
+
     pj_mutex_lock(conf->mutex);
+
+    conf_port = conf->ports[port];
+    if (conf_port == NULL) {
+        /* Already freed, perhaps by concurrent operation */
+        pj_mutex_unlock(conf->mutex);
+        PJ_LOG(4,(THIS_FILE,"Port %d already freed", port));
+        return;
+    }
+
+    /* Free the slot */
     conf->ports[port] = NULL;
-    pj_mutex_unlock(conf->mutex);
 
+    /* Update port count */
     if (!conf_port->is_new)
         --conf->port_cnt;
 
-    PJ_LOG(4,(THIS_FILE,"Removed port %d (%.*s), port count=%d",
-              port, (int)conf_port->name.slen, conf_port->name.ptr,
-              conf->port_cnt));
+    pj_mutex_unlock(conf->mutex);
+
+    PJ_LOG(4,(THIS_FILE,"Removed port %d, port count=%d",
+              port, conf->port_cnt));
 
-    /* Decrease conf port ref count */
+    /* Decrease conf port ref count and destroy */
     if (conf_port->port && conf_port->port->grp_lock)
         pj_grp_lock_dec_ref(conf_port->port->grp_lock);
     else
         conf_port_on_destroy(conf_port);
-
-    return PJ_SUCCESS;
 }
 
 
diff --git a/pjmedia/src/pjmedia/vid_conf.c b/pjmedia/src/pjmedia/vid_conf.c
@@ -147,6 +147,8 @@ static pj_status_t op_add_port(pjmedia_vid_conf *vid_conf,
                                const pjmedia_vid_conf_op_param *prm);
 static pj_status_t op_remove_port(pjmedia_vid_conf *conf,
                                   const pjmedia_vid_conf_op_param *prm);
+static void op_remove_port2(pjmedia_vid_conf *conf,
+                            const pjmedia_vid_conf_op_param *prm);
 static pj_status_t op_connect_ports(pjmedia_vid_conf *conf,
                                     const pjmedia_vid_conf_op_param *prm);
 static pj_status_t op_disconnect_ports(pjmedia_vid_conf *conf,
@@ -234,6 +236,11 @@ static void handle_op_queue(pjmedia_vid_conf *conf)
             pj_log_pop_indent();
         }
 
+        /* Free the conf slot after callback for remove port operation */
+        if (type == PJMEDIA_VID_CONF_OP_REMOVE_PORT) {
+            op_remove_port2(conf, &param);
+        }
+
     }
 }
 
@@ -375,6 +382,8 @@ PJ_DEF(pj_status_t) pjmedia_vid_conf_destroy(pjmedia_vid_conf *vid_conf)
                 (*vid_conf->cb)(&info);
                 pj_log_pop_indent();
             }
+            /* Free the conf slot after callback */
+            op_remove_port2(vid_conf, &prm);
         }
     }
 
@@ -755,32 +764,57 @@ static pj_status_t op_remove_port(pjmedia_vid_conf *vid_conf,
         }
     }
 
-    /* Remove the port. */
+    PJ_LOG(4,(THIS_FILE,"Removing video port %d (%.*s)",
+              slot, (int)cport->name.slen, cport->name.ptr));
+
+    if (AUTO_STOP_CLOCK && vid_conf->connect_cnt == 0) {
+        /* Warning: will stuck if this is called from the clock thread */
+        status = pjmedia_clock_stop(vid_conf->clock);
+        if (status != PJ_SUCCESS) {
+            PJ_PERROR(3, (THIS_FILE, status, "Failed to stop clock"));
+        }
+    }
+    return PJ_SUCCESS;
+}
+
+
+/*
+ * Free the conf slot after port removal. This is called after the
+ * removal callback to ensure port IDs remain unique.
+ */
+static void op_remove_port2(pjmedia_vid_conf *vid_conf,
+                            const pjmedia_vid_conf_op_param *prm)
+{
+    unsigned slot = prm->remove_port.port;
+    vconf_port *cport;
+
     pj_mutex_lock(vid_conf->mutex);
+
+    cport = vid_conf->ports[slot];
+    if (cport == NULL) {
+        /* Already freed, perhaps by concurrent operation */
+        pj_mutex_unlock(vid_conf->mutex);
+        PJ_LOG(4,(THIS_FILE,"Video port %d already freed", slot));
+        return;
+    }
+
+    /* Remove the port. */
     vid_conf->ports[slot] = NULL;
-    pj_mutex_unlock(vid_conf->mutex);
 
+    /* Update port count */
     if (!cport->is_new)
         --vid_conf->port_cnt;
 
-    PJ_LOG(4,(THIS_FILE,"Removed video port %d (%.*s), port count=%d",
-              slot, (int)cport->name.slen, cport->name.ptr,
-              vid_conf->port_cnt));
+    pj_mutex_unlock(vid_conf->mutex);
 
-    /* Decrease port ref count */
+    PJ_LOG(4,(THIS_FILE,"Removed video port %d, port count=%d",
+              slot, vid_conf->port_cnt));
+
+    /* Decrease port ref count and destroy */
     pjmedia_port_dec_ref(cport->port);
 
     /* Release pool */
     pj_pool_safe_release(&cport->pool);
-
-    if (AUTO_STOP_CLOCK && vid_conf->connect_cnt == 0) {
-        /* Warning: will stuck if this is called from the clock thread */
-        status = pjmedia_clock_stop(vid_conf->clock);
-        if (status != PJ_SUCCESS) {
-            PJ_PERROR(3, (THIS_FILE, status, "Failed to stop clock"));
-        }
-    }
-    return PJ_SUCCESS;
 }
 
 /*
