[Asterisk-bugs] [Asterisk 0010141]: crash when decoding callerid

noreply at bugs.digium.com noreply at bugs.digium.com
Thu Jul 12 09:39:18 CDT 2007


A NOTE has been added to this issue. 
====================================================================== 
http://bugs.digium.com/view.php?id=10141 
====================================================================== 
Reported By:                paradise
Assigned To:                murf
====================================================================== 
Project:                    Asterisk
Issue ID:                   10141
Category:                   Core-General
Reproducibility:            random
Severity:                   crash
Priority:                   normal
Status:                     assigned
Asterisk Version:            SVN 
SVN Branch (only for SVN checkouts, not tarball releases):  1.2  
SVN Revision (number only!): 70551 
Disclaimer on File?:        Yes 
Request Review:              
====================================================================== 
Date Submitted:             07-06-2007 16:23 CDT
Last Modified:              07-12-2007 09:39 CDT
====================================================================== 
Summary:                    crash when decoding callerid
Description: 
This crash happens rarely, 1-2 times a week.

====================================================================== 

---------------------------------------------------------------------- 
 murf - 07-12-07 09:39  
---------------------------------------------------------------------- 
OK, after reviewing, then reviewing again, I think I have it. The samples
var in the serie routine seems to say that it covered 66,413 items in that
first loop, which is inconsistent with the number of samples in a group,
which is usually like 160 or so, from the numbers in your stack trace.

IF this routine gets called with a 0 len, it will fetch a sample anyway,
and that should put len to -1. The test in the loop is for 0 only, so it
would merrily churn through unallocated memory. Apparently, it churned
through over 66K iterations before it stepped outside a memory page and
segfaulted.

Hmmm. I didn't try to study why it would get called with 0 elements in the
buffer, and I could be totally wrong. I attached a patch that changed the
tests to look for less-than-or-equal-to 0 instead of just equal-to 0, and
we will soon see if this makes any difference.

Please apply 10141.patch to your source, and run again. If all goes well,
it won't crash at all. If it still crashes, the bt full trace should tell
me what the len was when the call was made.

Remind me that the patch I made is not optimal, if it works! Instead of
testing for 0 or less than 0 in the loop, really, the code shouldn't even
get a sample if there are none there. I'll commit a better fix if this
patch works.

Issue History 
Date Modified   Username       Field                    Change               
====================================================================== 
07-12-07 09:39  murf           Note Added: 0067302                          
======================================================================
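A constructed model of the fetch-then-test loop shape the note above describes, added here as an illustration; it is not Asterisk's code and not the contents of 10141.patch. The function names, the simulated read counter, the RUNAWAY_LIMIT stand-in for "stepped outside a memory page" and the sample values are assumptions.

```c
#include <stdio.h>

/* Constructed model (not Asterisk's code): a sample is fetched before the
 * remaining count is checked, and the loop ends only when the count is
 * exactly 0.  A call with len == 0 therefore drives len to -1 and the
 * loop never sees 0 again. */

#define RUNAWAY_LIMIT 100000L   /* stand-in for walking off a mapped page */

/* Constructed 4-sample group used by the checked decoder below. */
static const short SAMPLE_FRAME[4] = {10, -20, 30, -40};

/* Simulates (without touching real memory) how many samples the
 * fetch-then-test loop reads for a buffer of len samples. */
long reads_fetch_then_test(int len)
{
    long reads = 0;
    do {
        reads++;                /* sample fetched unconditionally */
        len--;                  /* len == 0 becomes -1 here */
        if (reads >= RUNAWAY_LIMIT)
            break;              /* real code would have segfaulted by now */
    } while (len != 0);         /* never satisfied again once len < 0 */
    return reads;
}

/* The interim patch idea from the note: stop on <= 0 instead of == 0.
 * It terminates, but still fetches one sample when len is 0. */
long reads_interim_patch(int len)
{
    long reads = 0;
    do {
        reads++;
        len--;
    } while (len > 0);
    return reads;
}

/* The better fix the note points to: never fetch when nothing is there.
 * Consumes a real buffer and returns the sum of the samples it read. */
long sum_samples_checked(const short *buf, int len)
{
    long sum = 0;
    while (len > 0) {           /* checked before every fetch */
        sum += *buf++;
        len--;
    }
    return sum;
}

int main(void)
{
    printf("160 samples, fetch-then-test: %ld reads\n", reads_fetch_then_test(160));
    printf("0 samples, fetch-then-test:   %ld reads (runaway)\n", reads_fetch_then_test(0));
    printf("0 samples, interim patch:     %ld reads\n", reads_interim_patch(0));
    printf("0 samples, checked decoder:   sum %ld\n", sum_samples_checked(SAMPLE_FRAME, 0));
    return 0;
}
```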