[asterisk-bugs] [Asterisk 0011034]: Segfault in app_voicemail, inside c-client

noreply at bugs.digium.com noreply at bugs.digium.com
Tue Jan 8 14:36:41 CST 2008 

A NOTE has been added to this issue. 
====================================================================== 
http://bugs.digium.com/view.php?id=11034 
====================================================================== 
Reported By:                dwhite
Assigned To:                putnopvut
====================================================================== 
Project:                    Asterisk
Issue ID:                   11034
Category:                   Applications/app_voicemail
Reproducibility:            sometimes
Severity:                   crash
Priority:                   normal
Status:                     assigned
Asterisk Version:            1.4.13  
SVN Branch (only for SVN checkouts, not tarball releases): N/A  
SVN Revision (number only!):  
Disclaimer on File?:        N/A 
Request Review:              
====================================================================== 
Date Submitted:             10-18-2007 22:25 CDT
Last Modified:              01-08-2008 14:36 CST
====================================================================== 
Summary:                    Segfault in app_voicemail, inside c-client
Description: 
I'm encountering some segfaults while running Asterisk, about 2 times a day
on a fairly low use server. It has been statically compiled with c-client.

I'm using the following versions:

Asterisk 1.4.11 (which IMAP_STORE enabled for app_voicemail)
c-client from version imap-2006k.DEV.SNAP-0709111641
I'm connecting to cyrus-imap version 2.3.8 on the same server

I should note that I've modified the app_voicemail.c file slightly, which
was necessary for use with cyrus.

After each crash, Asterisk restarts automatically (using asterisk_safe),
so the problem doesn't hold over through the restart.

I submitted this report on the imap-uw list, which contained the following
discussion, which includes output from a core dump:

http://mailman1.u.washington.edu/pipermail/imap-uw/2007-October/001705.html

I believe there's a missing initialization of vms.mailstream

A small patch is attached.
====================================================================== 

---------------------------------------------------------------------- 
 putnopvut - 01-08-08 14:36  
---------------------------------------------------------------------- 
I took a few hours to analyze the code and find any potential problem areas
that could result in the mailstream parameter of a vm_state to be invalid.
I came up with a list of possible factors:

1. Some other thread is deleting the vm_state while we are still using it.
I went through the code and made sure that if we are going to access the
mailstream component of the vm_state, we make sure to retrieve the
persistent (meaning it will not be deleted) vm_state structure instead of a
temporary "interactive" one.

2. There was some race condition being experienced during the retrieval of
a vm_state from the list of vm_states. This was very possible since, though
a lock for the list is defined and used in the insertion and removal of a
vm_state from the list, the lock is not used when retrieving a vm_state. I
have added locking to this code to be sure that the list is not compromised
while we traverse it.

3. The vm_state's mailstream parameter was not properly initialized to
zero. While I considered this to be a potential issue, in all cases where a
vm_state was declared its memory was either calloc'd or was memset'd to 0.

4. Something in the IMAP c-client is causing the mailstream to be
compromised. I can't confirm that this is happening, and even if it is, I
can't do anything about it except file a bug report with the c-client
developers.

While inspecting the code, I also found that the init_mailstream function
returned an incorrect value in one instance, and though I have fixed this,
I doubt that it caused the crash you were experiencing.

I am going to commit my changes and close this issue as resolved. If the
problem recurs, then please feel free to reopen. 

Issue History 
Date Modified   Username       Field                    Change               
====================================================================== 
01-08-08 14:36  putnopvut      Note Added: 0076512                          
======================================================================

More information about the asterisk-bugs mailing list