[asterisk-bugs] [Asterisk 0010348]: Certain realtime IAX calls are causing an malloc error and crash

noreply at bugs.digium.com
Tue Aug 21 20:28:15 CDT 2007


A NOTE has been added to this issue. 
====================================================================== 
http://bugs.digium.com/view.php?id=10348 
====================================================================== 
Reported By:                link55
Assigned To:                russell
====================================================================== 
Project:                    Asterisk
Issue ID:                   10348
Category:                   Addons/res_config_mysql
Reproducibility:            random
Severity:                   crash
Priority:                   normal
Status:                     assigned
Asterisk Version:            SVN 
SVN Branch (only for SVN checkouts, not tarball releases):  trunk 
SVN Revision (number only!): 77800 
Disclaimer on File?:        N/A 
Request Review:              
====================================================================== 
Date Submitted:             07-31-2007 17:31 CDT
Last Modified:              08-21-2007 20:28 CDT
====================================================================== 
Summary:                    Certain realtime IAX calls are causing an malloc
error and crash
Description: 
When using IAX realtime with res_config_mysql, after 1-2 minutes there is a
hard crash and core dump.  This has been reproduced in 1.4.9 and
SVN-trunk-r77800 with the latest asterisk-addons.  Attached are two GDB
traces showing the back trace and what I think might be causing the error -
a malformed SQL query.  I Xed out the IPs and usernames.
====================================================================== 

---------------------------------------------------------------------- 
 johann8384 - 08-21-07 20:28  
---------------------------------------------------------------------- 
I know it will be obvious to you when you look at this but I'm trying to
learn a little bit as I go along so hopefully I'll be fixing stuff myself
before long. 

To me the problem looks like it's crashing trying to print to the return
value of a vsnprintf to an int res in ast_dynamic_str_thread_build_va. 

The message is "Variable 'res' is not available". My C is weak, that is
line 1200, line 1194 is "int res;". 

#3  0x080fbf87 in
ast_dynamic_str_thread_build_va (buf=0xb7e7233c,
max_len=8192, ts=0x825cd60, append=0,
    fmt=0x281380 "MySQL RealTime: Database Select Failed (%d): %s\n",
ap=0xb7e74664 "S%(") at utils.c:1200
        res = Variable "res" is not available.

/*!
 * core handler for dynamic strings.
 * This is not meant to be called directly, but rather through the
 * various wrapper macros
 *	ast_str_set(...)
 *	ast_str_append(...)
 *	ast_str_set_va(...)
 *	ast_str_append_va(...)
 */
int __ast_str_helper(struct ast_str **buf, size_t max_len,
	int append, const char *fmt, va_list ap)
{
	int res, need;
	int offset = (append && (*buf)->len) ? (*buf)->used : 0;

	if (max_len < 0)
		max_len = (*buf)->len;	/* don't exceed the allocated space */
	/*
	 * Ask vsnprintf how much space we need. Remember that vsnprintf
	 * does not count the final '\0' so we must add 1.
	 */
	res = vsnprintf((*buf)->str + offset, (*buf)->len - offset, fmt, ap);

	need = res + offset + 1;
	/*
	 * If there is not enough space and we are below the max length,
	 * reallocate the buffer and return a message telling to retry.
	 */
	if (need > (*buf)->len && (max_len == 0 || (*buf)->len < max_len) ) {
		if (max_len && max_len < need)	/* truncate as needed */
			need = max_len;
		else if (max_len == 0)	/* if unbounded, give more room for next time */
			need += 16 + need/4;
		if (0)	/* debugging */
			ast_verbose("extend from %d to %d\n", (int)(*buf)->len, need);
		if (ast_str_make_space(buf, need)) {
			ast_verbose("failed to extend from %d to %d\n", (int)(*buf)->len, need);
			return AST_DYNSTR_BUILD_FAILED;
		}
		(*buf)->str[offset] = '\0';	/* Truncate the partial write. */

		/* va_end() and va_start() must be done before calling
		 * vsnprintf() again. */
		return AST_DYNSTR_BUILD_RETRY;
	}
	/* update space used, keep in mind the truncation */
	(*buf)->used = (res + offset > (*buf)->len) ? (*buf)->len : res + offset;

	return res;
} 

Issue History 
Date Modified   Username       Field                    Change               
====================================================================== 
08-21-07 20:28  johann8384     Note Added: 0069217                          
======================================================================
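
The grow-and-retry pattern described in the comments of the helper quoted in the note (ask vsnprintf for the size, enlarge the buffer, format again with a fresh va_list), as an added example that is not part of the original note or of Asterisk's code. `struct dynstr`, `dynstr_vset` and `dynstr_set` are hypothetical names; this version retries inside the function through `va_copy` instead of returning a retry code to the caller, and it checks for a negative vsnprintf result before doing any size arithmetic.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical growable string for this example, not Asterisk's struct ast_str. */
struct dynstr { char *str; size_t len, used; }; /* buffer, allocated, stored */

/* Format into ds, growing until the output fits. max_len == 0 is unbounded;
 * otherwise output is cut to max_len - 1 chars. Returns chars stored or -1. */
static int dynstr_vset(struct dynstr *ds, size_t max_len, const char *fmt, va_list ap)
{
    for (;;) {
        size_t need, room = (max_len && ds->len > max_len) ? max_len : ds->len;
        va_list aq;
        int res;

        va_copy(aq, ap);             /* every vsnprintf pass needs a fresh va_list */
        res = vsnprintf(ds->str, room, fmt, aq);
        va_end(aq);
        if (res < 0)
            return -1;               /* vsnprintf reported an output error */
        need = (size_t)res + 1;      /* the return value excludes the '\0' */
        if (max_len && need > max_len)
            need = max_len;          /* bounded: truncate instead of growing */
        if (need <= room) {
            ds->used = need - 1;
            return (int)ds->used;
        }
        char *p = realloc(ds->str, need);
        if (!p)
            return -1;               /* ds->str is unchanged and still owned by ds */
        ds->str = p;
        ds->len = need;
    }
}

static int dynstr_set(struct dynstr *ds, size_t max_len, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int res = dynstr_vset(ds, max_len, fmt, ap);
    va_end(ap);
    return res;
}
```

Start from a zero-initialised `struct dynstr` and release `str` with `free()` when done.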



