[asterisk-bugs] [Asterisk 0013050]: Memory segmentation fault on T.38 pass through

Asterisk Bug Tracker noreply at bugs.digium.com
Wed Feb 11 11:51:31 CST 2009


A NOTE has been added to this issue. 
====================================================================== 
http://bugs.digium.com/view.php?id=13050 
====================================================================== 
Reported By:                schern
Assigned To:                Corydon76
====================================================================== 
Project:                    Asterisk
Issue ID:                   13050
Category:                   Channels/chan_sip/T.38
Reproducibility:            always
Severity:                   block
Priority:                   normal
Status:                     feedback
Target Version:             1.4.24
Asterisk Version:           1.4.21 
Regression:                 No 
SVN Branch (only for SVN checkouts, not tarball releases): N/A 
SVN Revision (number only!):  
Request Review:              
====================================================================== 
Date Submitted:             2008-07-10 08:17 CDT
Last Modified:              2009-02-11 11:51 CST
====================================================================== 
Summary:                    Memory segmentation fault on T.38 pass through
Description: 
I tried to use chan_sip with T.38 pass through. A fax is coming via
T.38 from the carrier and should go to a Linksys SPA2102 (T.38 enabled).
Shortly after starting UDPTL traffic I got a segmentation fault.
The crash is 100% reproducible.
Outbound T.38 is no problem at all.
====================================================================== 

---------------------------------------------------------------------- 
 (0099909) schern (reporter) - 2009-02-11 11:51
 http://bugs.digium.com/view.php?id=13050#c99909 
---------------------------------------------------------------------- 
After applying the patch 20090211__bug13050.diff.txt from Corydon76
Asterisk is also not crashing anymore but inbound fax calls are still
incomplete:

--- snip ---
UDPTL Debugging Enabled
*CLI> [New Thread 1075951968 (LWP 25777)]
[...]
    -- Called 00043551198
    -- SIP/00043551198-0076dc60 is ringing
    -- SIP/00043551198-0076dc60 answered SIP/in-px1-00758270
Got UDPTL packet from 212.87.38.44:63874 (type 0, seq 0, len 8)
Sent UDPTL packet to 62.180.55.10:21258 (type 0, seq 1, len 8)
[...]
Got UDPTL packet from 62.180.55.10:21258 (type 0, seq 0, len 6)
Sent UDPTL packet to 212.87.38.44:63874 (type 0, seq 34, len 16)
Got UDPTL packet from 62.180.55.10:21258 (type 0, seq 0, len 6)
Got UDPTL packet from 62.180.55.10:21258 (type 0, seq 0, len 251)
Sent UDPTL packet to 212.87.38.44:63874 (type 0, seq 35, len 259)
Got UDPTL packet from 62.180.55.10:21258 (type 0, seq 0, len 251)
Sent UDPTL packet to 212.87.38.44:63874 (type 0, seq 36, len 502)
Got UDPTL packet from 62.180.55.10:21258 (type 0, seq 0, len 251)
Sent UDPTL packet to 212.87.38.44:63874 (type 0, seq 37, len 747)
Got UDPTL packet from 62.180.55.10:21258 (type 0, seq 0, len 251)
[Feb 11 18:44:07] ERROR[25777]: udptl.c:257 encode_open_type: Buffer
overflow detected (245 + 747 > 800)
Got UDPTL packet from 62.180.55.10:21258 (type 0, seq 0, len 251)
[Feb 11 18:44:07] ERROR[25777]: udptl.c:257 encode_open_type: Buffer
overflow detected (245 + 747 > 800)
Got UDPTL packet from 62.180.55.10:21258 (type 0, seq 0, len 251)
[Feb 11 18:44:07] ERROR[25777]: udptl.c:257 encode_open_type: Buffer
overflow detected (245 + 747 > 800)
Got UDPTL packet from 62.180.55.10:21258 (type 0, seq 0, len 251)
[Feb 11 18:44:08] ERROR[25777]: udptl.c:257 encode_open_type: Buffer
overflow detected (245 + 747 > 800)
Got UDPTL packet from 62.180.55.10:21258 (type 0, seq 0, len 153)
[Feb 11 18:44:08] ERROR[25777]: udptl.c:257 encode_open_type: Buffer
overflow detected (245 + 649 > 800)
Got UDPTL packet from 62.180.55.10:21258 (type 0, seq 0, len 6)
Sent UDPTL packet to 212.87.38.44:63874 (type 0, seq 38, len 747)
[...]
Got UDPTL packet from 62.180.55.10:21258 (type 0, seq 0, len 191)
Sent UDPTL packet to 212.87.38.44:63874 (type 0, seq 129, len 752)
Got UDPTL packet from 62.180.55.10:21258 (type 0, seq 0, len 191)
Sent UDPTL packet to 212.87.38.44:63874 (type 0, seq 130, len 752)
Got UDPTL packet from 62.180.55.10:21258 (type 0, seq 0, len 191)
Sent UDPTL packet to 212.87.38.44:63874 (type 0, seq 131, len 752)
  == Spawn extension (incoming, 030346499198, 3) exited non-zero on
'SIP/in-px1-00758270'
[Thread 1075951968 (zombie) exited]
--- snap ---

I don't understand why there are buffer overflows because
T38FaxMaxDatagram is set to 1000 in udptl.conf. 

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2009-02-11 11:51 schern         Note Added: 0099909                          
======================================================================
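
An added example (not part of the original report and not Asterisk code): a small Python triage script that rejoins the mail-wrapped ERROR lines, extracts the encode_open_type bounds-check failures and compares the limit they report with the T38FaxMaxDatagram value quoted in the note. The function names are hypothetical and the embedded log is an excerpt of the output above.

```python
import re

# Excerpt of the debug output above, kept with its mail-wrapped ERROR lines.
SAMPLE_LOG = """\
Got UDPTL packet from 62.180.55.10:21258 (type 0, seq 0, len 251)
Sent UDPTL packet to 212.87.38.44:63874 (type 0, seq 37, len 747)
Got UDPTL packet from 62.180.55.10:21258 (type 0, seq 0, len 251)
[Feb 11 18:44:07] ERROR[25777]: udptl.c:257 encode_open_type: Buffer
overflow detected (245 + 747 > 800)
Got UDPTL packet from 62.180.55.10:21258 (type 0, seq 0, len 153)
[Feb 11 18:44:08] ERROR[25777]: udptl.c:257 encode_open_type: Buffer
overflow detected (245 + 649 > 800)
Got UDPTL packet from 62.180.55.10:21258 (type 0, seq 0, len 6)
Sent UDPTL packet to 212.87.38.44:63874 (type 0, seq 38, len 747)
"""

PACKET = re.compile(
    r"^(Got|Sent) UDPTL packet (?:from|to) \S+ \(type \d+, seq \d+, len (\d+)\)")
OVERFLOW = re.compile(
    r"encode_open_type: Buffer overflow detected \((\d+) \+ (\d+) > (\d+)\)")

def unwrap(text):
    """Rejoin ERROR lines that were wrapped before their closing ')'."""
    out = []
    for line in text.splitlines():
        if out and "ERROR[" in out[-1] and not out[-1].rstrip().endswith(")"):
            out[-1] = out[-1].rstrip() + " " + line.strip()
        else:
            out.append(line)
    return out

def summarize(text, configured_max=None):
    """Count packets and overflow checks; report the limit the log shows."""
    got = sent = 0
    requested, limits = [], set()
    for line in unwrap(text):
        pkt = PACKET.match(line)
        if pkt:
            got += pkt.group(1) == "Got"
            sent += pkt.group(1) == "Sent"
            continue
        ovf = OVERFLOW.search(line)
        if ovf:
            new_len, used, limit = map(int, ovf.groups())
            requested.append(new_len + used)  # left side of the failed check
            limits.add(limit)
    differs = configured_max is not None and any(l != configured_max for l in limits)
    return {"got": got, "sent": sent, "overflows": len(requested),
            "limits": sorted(limits), "max_requested": max(requested, default=0),
            "limit_differs_from_config": differs}
```

Calling summarize(SAMPLE_LOG, configured_max=1000) shows that the limit enforced in the log (800) is not the configured 1000, and that the largest rejected request (992) would still have fit under 1000.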



