[asterisk-bugs] [Asterisk 0012695]: Incorrect usage of errno can cause segfaults in ast_expr2.y

noreply at bugs.digium.com noreply at bugs.digium.com
Wed Jul 2 21:41:57 CDT 2008


The following issue has been RESOLVED. 
====================================================================== 
http://bugs.digium.com/view.php?id=12695 
====================================================================== 
Reported By:                ardjan
Assigned To:                file
====================================================================== 
Project:                    Asterisk
Issue ID:                   12695
Category:                   Core/Portability
Reproducibility:            sometimes
Severity:                   crash
Priority:                   normal
Status:                     resolved
Asterisk Version:           SVN 
SVN Branch (only for SVN checkouts, not tarball releases):  trunk 
SVN Revision (number only!): 117400 
Disclaimer on File?:        N/A 
Request Review:              
Resolution:                 suspended
Fixed in Version:           
====================================================================== 
Date Submitted:             05-21-2008 04:02 CDT
Last Modified:              07-02-2008 21:41 CDT
====================================================================== 
Summary:                    Incorrect usage of errno can cause segfaults in
ast_expr2.y
Description: 
Several of our live asterisk servers experienced crashes after printing the
following log line:

Conversion of 1 to number under/overflowed!

Further research led us to the file main/ast_expr2.y where this line is
printed on line 578 in the function "to_number". If this error is printed
this function frees vp->u.s and returns 0. This function is used quite
often without checking for errors, so subsequent usage of the passed struct
can (and does) cause segfaults.

Although each unchecked use of to_number could be called a bug this isn't
the real problem here (and in fact it is quite understandable). Looking
into the code of ast_expr2.y and considering the fact that the value 1
clearly doesn't cause an over- or underflow we came to the conclusion that
errno must have been changed by another thread, so in fact it is used in a
thread-unsafe manner.
 
During compilation of asterisk the compiler option -D_REENTRANT is passed,
but looking at errno.h we came to the conclusion that it is also necessary
to pass the compile option -D_LIBC_REENTRANT to make errno thread safe. 

We compiled asterisk with this option and have had no crashes for several
weeks, before this change we had a crash every couple of days.

Our live servers are currently running Asterisk 1.2.24 but I checked the
current asterisk SVN (revision 117400) trunk and the same problem is
possible here. I assume that this problem is present in all versions.

So assuming that this extra compile option indeed fixed this problem I
would advise to add -D_LIBC_REENTRANT on every place where -D_REENTRANT is
set.

Kind regards,
Ardjan Zwartjes.
====================================================================== 

---------------------------------------------------------------------- 
 file - 07-02-08 21:41  
---------------------------------------------------------------------- 
Suspended per Corydon's comment. 

Issue History 
Date Modified   Username       Field                    Change               
====================================================================== 
07-02-08 21:41  file           Status                   feedback => resolved
07-02-08 21:41  file           Resolution               open => suspended   
07-02-08 21:41  file           Assigned To               => file            
07-02-08 21:41  file           Note Added: 0089647                          
======================================================================




More information about the asterisk-bugs mailing list