[asterisk-bugs] [Asterisk 0014060]: [patch] Asterisk crashes using the app_queue.c transfer datastores
    Asterisk Bug Tracker
    noreply at bugs.digium.com
    Thu Dec 11 10:24:39 CST 2008
A NOTE has been added to this issue. 
====================================================================== 
http://bugs.digium.com/view.php?id=14060 
====================================================================== 
Reported By:                nivek
Assigned To:                putnopvut
====================================================================== 
Project:                    Asterisk
Issue ID:                   14060
Category:                   Applications/app_queue
Reproducibility:            random
Severity:                   crash
Priority:                   normal
Status:                     assigned
Asterisk Version:           1.4.22 
SVN Branch (only for SVN checkouts, not tarball releases):  1.4  
SVN Revision (number only!): 162994 
Disclaimer on File?:        N/A 
Request Review:              
====================================================================== 
Date Submitted:             2008-12-11 07:33 CST
Last Modified:              2008-12-11 10:24 CST
====================================================================== 
Summary:                    [patch] Asterisk crashes using the app_queue.c transfer datastores
Description: 
When Asterisk crashes and we analyze the dump, Asterisk always crashes in
main/channel.c at line 3562 of 1.4 SVN which states in the dump trace:
    if (ds->info->chan_fixup)
After a lot of debugging statements, we have found that right after the
return from queue_transfer_fixup() it crashes on the above statement.
Variable ds seems to have a value but ds->info and ds->info->chan_fixup
come back as undefined.
Looking at the code, we believe (Marquis and I are colleagues) the
ast_channel_datastore_free in the queue_transfer_fixup is causing the
grief.
If I understand the code flow correctly, the ast_channel_datastore_remove
unlinks the datastore from the linked list but the datastore still retains
its values to point to the next data structure in the linked list.  The
ast_channel_datastore_free, of course, adds the datastore allocated memory
back into the heap for it to be allocated again.  We believe that the
memory added back to the heap gets reallocated to another process and
causes the crash.
This crash is very random.  It has happened once a day for three days then
not again for a week.  It happened within 15 minutes of each other on one
day.  Sometimes it took a week or so to happen.
I have included a patch to 1.4-SVN that we have used for a little over a
month now without a crash (knock on wood).  The patch also includes a
change to the time parameter passing and calculations that were using 'int'
instead of 'long'.  We elected to use 'time_t' so that, in case 'time_t' ever
changed, it could be more portable.  This is your call on that.
====================================================================== 
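The failure mode described in the report, a fixup callback that unlinks and frees its own datastore while the channel code is still walking the datastore list, can be modelled in a few lines. The following is an added illustration, not code from the report, the patch or Asterisk itself: the structures, the fixup signature, datastore_remove()/datastore_free() and the freed flag (which stands in for a real free() so the walk stays deterministic) are all constructed. fixup_unsafe() has the shape of the loop the report describes and stops where the real loop would read ds->next out of freed memory; fixup_safe() captures the next pointer before invoking the callback, which is the usual defensive shape for an intrusive list whose callbacks may remove the current node.

```c
#include <stddef.h>
/* Constructed model of a channel datastore list and the masquerade fixup loop. Illustrative
 * code, not Asterisk's own structures; the fixup signature and the freed flag are assumptions. */
struct datastore; struct datastore_info { void (*chan_fixup)(struct datastore *ds, void *chan); };
struct datastore { const struct datastore_info *info; struct datastore *next;
                   int freed; /* stands in for free(); real freed memory could be reused at once */ };
struct channel { struct datastore *datastores; };
static void datastore_remove(struct channel *chan, struct datastore *ds) {
    struct datastore **pp = &chan->datastores;
    while (*pp && *pp != ds) pp = &(*pp)->next;
    if (*pp) *pp = ds->next;  /* ds is unlinked, but ds->next still points into the list */
}
static void datastore_free(struct datastore *ds) { ds->freed = 1; }
static void noop_fixup(struct datastore *ds, void *chan) { (void)ds; (void)chan; }
/* Like the reported queue_transfer_fixup flow: removes and frees its own datastore. */
static void transfer_fixup(struct datastore *ds, void *chan) { datastore_remove(chan, ds); datastore_free(ds); }
static const struct datastore_info plain_info = { noop_fixup }, transfer_info = { transfer_fixup };
/* Reported loop shape: advances through ds->next after the callback returns. Returns the number
 * of fixups run, or -1 at the point where the real loop would read freed memory. */
static int fixup_unsafe(struct channel *chan) {
    int n = 0;
    for (struct datastore *ds = chan->datastores; ds; ds = ds->next) {
        if (ds->info->chan_fixup) { ds->info->chan_fixup(ds, chan); n++; }
        if (ds->freed) return -1;  /* the increment would now read ds->next from freed memory */
    }
    return n;
}
/* Safe traversal: capture next before the callback gets a chance to free ds. */
static int fixup_safe(struct channel *chan) {
    int n = 0;
    for (struct datastore *ds = chan->datastores, *nx; ds; ds = nx) {
        nx = ds->next;
        if (ds->info->chan_fixup) { ds->info->chan_fixup(ds, chan); n++; }
    }
    return n;
}
static struct datastore g_ds[3];
static struct channel g_chan;
/* Build the list plain -> transfer -> plain and run one of the two loops. */
static int run_scenario(int safe) {
    g_ds[0] = (struct datastore){ &plain_info, &g_ds[1], 0 };
    g_ds[1] = (struct datastore){ &transfer_info, &g_ds[2], 0 };
    g_ds[2] = (struct datastore){ &plain_info, NULL, 0 };
    g_chan.datastores = &g_ds[0];
    return safe ? fixup_safe(&g_chan) : fixup_unsafe(&g_chan);
}
/* Datastores still linked to the channel after the last run. */
static int nodes_linked(void) {
    int n = 0; for (struct datastore *d = g_chan.datastores; d; d = d->next) n++; return n;
}
```

With the unsafe loop the walk is cut short at the transfer datastore (return value -1); with the safe loop all three fixups run and the channel keeps the two datastores that were not removed.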
---------------------------------------------------------------------- 
 (0096206) svnbot (reporter) - 2008-12-11 10:24
 http://bugs.digium.com/view.php?id=14060#c96206 
---------------------------------------------------------------------- 
Repository: asterisk
Revision: 163080
U   branches/1.4/apps/app_queue.c
------------------------------------------------------------------------
r163080 | mmichelson | 2008-12-11 10:24:38 -0600 (Thu, 11 Dec 2008) | 14 lines
Fix a potential crash due to unsafe datastore handling.
This patch also contains a conversion from using long to time_t
for representing times for a queue, as well as some whitespace
fixes.
(closes issue http://bugs.digium.com/view.php?id=14060)
Reported by: nivek
Patches:
      datastore_fixup.patch.corrected uploaded by nivek (license 636)
      with slight modification from me
Tested by: nivek
------------------------------------------------------------------------
http://svn.digium.com/view/asterisk?view=rev&revision=163080 
Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2008-12-11 10:24 svnbot         Note Added: 0096206                          
======================================================================