[asterisk-bugs] [Asterisk 0011878]: segfault, ast_slinfactory_read(), connected with DTMF sending?

noreply at bugs.digium.com noreply at bugs.digium.com
Wed Jan 30 06:49:24 CST 2008 

A NOTE has been added to this issue. 
====================================================================== 
http://bugs.digium.com/view.php?id=11878 
====================================================================== 
Reported By:                stuarth
Assigned To:                
====================================================================== 
Project:                    Asterisk
Issue ID:                   11878
Category:                   Core-General
Reproducibility:            random
Severity:                   crash
Priority:                   normal
Status:                     new
Asterisk Version:           SVN 
SVN Branch (only for SVN checkouts, not tarball releases):  1.4  
SVN Revision (number only!): 100973 
Disclaimer on File?:        N/A 
Request Review:              
====================================================================== 
Date Submitted:             01-30-2008 05:17 CST
Last Modified:              01-30-2008 06:49 CST
====================================================================== 
Summary:                    segfault, ast_slinfactory_read(), connected with
DTMF sending?
Description: 
segfault with the included debug log, apparently connected with DTMF
sending.  looks like it's trying to memcpy out of bounds.

140         frame_data, remain * sizeof(*offset));
(gdb) print remain
$2 = 4294967256

I'll attach a thread apply all bt full.
======================================================================
Relationships       ID      Summary
----------------------------------------------------------------------
has duplicate       0011876 Crash. Can't get more info
====================================================================== 

---------------------------------------------------------------------- 
 stuarth - 01-30-08 06:49  
---------------------------------------------------------------------- 
here are the contents of a couple more vars. frame_ptr->samples - ineed ==
-40 which underflows the uint holding remain.

(gdb) frame 1
http://bugs.digium.com/view.php?id=1  0x080f02db in ast_slinfactory_read
(sf=0x9fe4b08, buf=0x12460a0,
samples=160)
    at slinfactory.c:140
140                                     memcpy(sf->hold, frame_data,
remain * sizeof(*offset));
(gdb) print ineed
$1 = 80
(gdb) print samples
$2 = 160
(gdb) print sofar
$3 = 160
(gdb) print frame_data
$4 = (short int *) 0x9827698
(gdb) print frame_ptr
$5 = (struct ast_frame *) 0x9827578
(gdb) print *frame_ptr
$6 = {frametype = AST_FRAME_VOICE, subclass = 64, datalen = 80, samples =
40,
  mallocd = 1, mallocd_hdr_len = 218, offset = 64, src = 0x9827648
"alawtolin",
  data = 0x98275f8, delivery = {tv_sec = 1201690963, tv_usec = 513600},
frame_list = {
    next = 0x0}, flags = 1, ts = 692921, len = 5, seqno = 39963} 

Issue History 
Date Modified   Username       Field                    Change               
====================================================================== 
01-30-08 06:49  stuarth        Note Added: 0081401                          
======================================================================

More information about the asterisk-bugs mailing list