[asterisk-bugs] [Asterisk 0016058]: [patch] Crash in local_ast_moh_start / ast_indicate_data due to AST_CONTROL_HOLD with bad pointer

Asterisk Bug Tracker noreply at bugs.digium.com
Tue Dec 1 16:05:17 CST 2009 

A NOTE has been added to this issue. 
====================================================================== 
https://issues.asterisk.org/view.php?id=16058 
====================================================================== 
Reported By:                atis
Assigned To:                jpeeler
====================================================================== 
Project:                    Asterisk
Issue ID:                   16058
Category:                   Channels/General
Reproducibility:            have not tried
Severity:                   crash
Priority:                   normal
Status:                     closed
Target Version:             1.6.0.20
Asterisk Version:           SVN 
JIRA:                        
Regression:                 No 
Reviewboard Link:            
SVN Branch (only for SVN checkouts, not tarball releases): N/A 
SVN Revision (number only!):  
Request Review:              
Resolution:                 fixed
Fixed in Version:           
====================================================================== 
Date Submitted:             2009-10-12 08:24 CDT
Last Modified:              2009-12-01 16:05 CST
====================================================================== 
Summary:                    [patch] Crash in local_ast_moh_start /
ast_indicate_data due to AST_CONTROL_HOLD with bad pointer
Description: 
I got the following backtrace:

Program terminated with signal 11, Segmentation fault.
# 0  0x00002aaab13265d0 in local_ast_moh_start (chan=0x2aaac82fad98,
mclass=0xc8196c58 <Address 0xc8196c58 out of bounds>, interpclass=0xc4c1db
"default") at
/export/storage0/dist/1.6.1_p1/asterisk-svn-1.6.1.6-iqlabs/include/asterisk/strings.h:50
50              return (!s || (*s == '\0'));

# 0  0x00002aaab13265d0 in local_ast_moh_start (chan=0x2aaac82fad98,
mclass=0xc8196c58 <Address 0xc8196c58 out of bounds>, interpclass=0xc4c1db
"default") at
/export/storage0/dist/1.6.1_p1/asterisk-svn-1.6.1.6-iqlabs/include/asterisk/strings.h:50
# 1  0x000000000046b106 in ast_moh_start (chan=0x2aaac82fad98,
mclass=0xc8196c58 <Address 0xc8196c58 out of bounds>, interpclass=0xc4c1db
"default") at channel.c:5625
# 2  0x00002aaab8e1ad84 in sip_indicate (ast=0x2aaac82fad98, condition=16,
data=0xc8196c58, datalen=0) at chan_sip.c:5794
# 3  0x000000000045f40c in ast_indicate_data (chan=0x2aaac82fad98,
_condition=16, data=0xc8196c58, datalen=0) at channel.c:3113
# 4  0x0000000000467171 in ast_generic_bridge (c0=0xaa7638,
c1=0x2aaac82fad98, config=0x40c90c00, fo=0x40c8fd28, rc=0x40c8fd20,
bridge_end={tv_sec = 1255274833, tv_usec = 81777}) at channel.c:4902

After investigating closer in frame 4 i found that:

f->datalen = 0
f->data.ptr = (void *) 0xc8196c58 (which is out of bounds in
ast_strlen_zero)
f->frametype = AST_FRAME_CONTROL
f->subclass = 16 (AST_CONTROL_HOLD)

So, apparently something generates wrong HOLD frame with datalength 0 but
invalid pointer.

Full backtrace attached
====================================================================== 

---------------------------------------------------------------------- 
 (0114484) svnbot (reporter) - 2009-12-01 16:05
 https://issues.asterisk.org/view.php?id=16058#c114484 
---------------------------------------------------------------------- 
Repository: asterisk
Revision: 231928

_U  branches/1.6.0/
U   branches/1.6.0/main/channel.c

------------------------------------------------------------------------
r231928 | jpeeler | 2009-12-01 16:05:16 -0600 (Tue, 01 Dec 2009) | 26
lines

Merged revisions 231927 via svnmerge from 
https://origsvn.digium.com/svn/asterisk/trunk

................
  r231927 | jpeeler | 2009-12-01 15:54:21 -0600 (Tue, 01 Dec 2009) | 19
lines
  
  Merged revisions 231911 via svnmerge from 
  https://origsvn.digium.com/svn/asterisk/branches/1.4
  
  ........
    r231911 | jpeeler | 2009-12-01 15:29:31 -0600 (Tue, 01 Dec 2009) | 12
lines
    
    Fix crash with invalid frame data
    
    The crash was happening as a result of a frame containing an invalid
data
    pointer, but was set with data length of zero. The few times the issue
was
    reproduced it _seemed_ that the frame was queued properly, that is the
data
    pointer was set to NULL. I never could reproduce the crash so as a
last resort
    the crash has been fixed, but a check in __ast_read has been added to
give as
    much information about the source of problematic frames in the future.
    
    (closes issue https://issues.asterisk.org/view.php?id=16058)
    Reported by: atis
  ........
................

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=231928 

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2009-12-01 16:05 svnbot         Checkin                                      
2009-12-01 16:05 svnbot         Note Added: 0114484                          
======================================================================

More information about the asterisk-bugs mailing list