[asterisk-bugs] [Asterisk 0014086]: Address out of bounds in queue_log using transfer

Asterisk Bug Tracker noreply at bugs.digium.com
Wed Jan 14 13:07:28 CST 2009


A NOTE has been added to this issue. 
====================================================================== 
http://bugs.digium.com/view.php?id=14086 
====================================================================== 
Reported By:                ZX81
Assigned To:                putnopvut
====================================================================== 
Project:                    Asterisk
Issue ID:                   14086
Category:                   Applications/app_queue
Reproducibility:            random
Severity:                   crash
Priority:                   normal
Status:                     ready for testing
Target Version:             1.4.23
Asterisk Version:           SVN 
Regression:                 No 
SVN Branch (only for SVN checkouts, not tarball releases):  1.4  
SVN Revision (number only!): 131480 
Disclaimer on File?:        N/A 
Request Review:              
====================================================================== 
Date Submitted:             2008-12-15 20:31 CST
Last Modified:              2009-01-14 13:07 CST
====================================================================== 
Summary:                    Address out of bounds in queue_log using transfer
Description: 
This system has been up without problems for around 100 days until this
week at which stage it has crashed twice:

#0  0xb7dcd463 in strlen () from /lib/tls/i686/cmov/libc.so.6
#1  0xb7da1164 in vfprintf () from /lib/tls/i686/cmov/libc.so.6
#2  0xb7da62e2 in fprintf () from /lib/tls/i686/cmov/libc.so.6
#3  0x080aff57 in ast_queue_log (queuename=0x18 <Address 0x18 out of bounds>, callid=0xb7e8 <Address 0xb7e8 out of bounds>,
    agent=0x8cfd518 "SIP/8780", event=0xb749ffee "TRANSFER", fmt=0xb749ffe0 "%s|%s|%ld|%ld") at logger.c:359
#4  0xb7491933 in queue_transfer_fixup (data=0x8c9bf90, old_chan=0xb5fbb868, new_chan=0xb5f9fef0) at app_queue.c:2582
#5  0x0808428d in ast_do_masquerade (original=0xb5f9fef0) at channel.c:3537
#6  0x080867d9 in __ast_read (chan=0xb5f9fef0, dropaudio=0) at channel.c:1971
#7  0x08089822 in ast_channel_bridge (c0=0xb5f9fef0, c1=0xb5f9fef0, config=0xb6af8e7c, fo=0xb6af7f88, rc=0xb6af7f84)
    at channel.c:2366
#8  0xb7c5659d in ast_bridge_call (chan=0xb5f9fef0, peer=0x8d830c0, config=0xb6af8e7c) at res_features.c:1486
#9  0xb7b4d37d in dial_exec_full (chan=0xb5f9fef0, data=<value optimized out>, peerflags=0xb6af8f44, continue_exec=0x0)
    at app_dial.c:1775
#10 0xb7b4d7e2 in dial_exec (chan=0xb5f9fef0, data=0xb6afafb8) at app_dial.c:1829
#11 0x080cd947 in pbx_extension_helper (c=0xb5f9fef0, con=0x0, context=0xb5fa0070 "internal", exten=0xb5fa00c0 "10800226440",
    priority=1, label=0x0, callerid=0xb678e7d0 "8721", action=E_SPAWN) at pbx.c:537
#12 0x080cf931 in __ast_pbx_run (c=0xb5f9fef0) at pbx.c:2317
#13 0x080d098e in pbx_thread (data=0xb5f9fef0) at pbx.c:2621
#14 0x080ff5d0 in dummy_start (data=0xb64b1070) at utils.c:912
#15 0xb7f12240 in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
#16 0xb7e2d49e in clone () from /lib/tls/i686/cmov/libc.so.6

and

#0  0xb7ddb43b in strlen () from /lib/tls/i686/cmov/libc.so.6
#1  0xb7daf164 in vfprintf () from /lib/tls/i686/cmov/libc.so.6
#2  0xb7db42e2 in fprintf () from /lib/tls/i686/cmov/libc.so.6
#3  0x080aff57 in ast_queue_log (queuename=0x20c62e <Address 0x20c62e out of bounds>,
    callid=0x493ece85 <Address 0x493ece85 out of bounds>, agent=0xcd87eb0 "SIP/8846", event=0xb74e9fee "TRANSFER",
    fmt=0xb74e9fe0 "%s|%s|%ld|%ld") at logger.c:359
#4  0xb74db933 in queue_transfer_fixup (data=0xd2b21b0, old_chan=0xdc9d218, new_chan=0xdc73aa8) at app_queue.c:2582
#5  0x0808428d in ast_do_masquerade (original=0xdc73aa8) at channel.c:3537
#6  0x080867d9 in __ast_read (chan=0xdc73aa8, dropaudio=0) at channel.c:1971
#7  0x08089822 in ast_channel_bridge (c0=0xdc73aa8, c1=0xdc73aa8, config=0xb4efae7c, fo=0xb4ef9fa8, rc=0xb4ef9fa4)
    at channel.c:2366
#8  0xb7c6459d in ast_bridge_call (chan=0xdc73aa8, peer=0xdc79a50, config=0xb4efae7c) at res_features.c:1486
#9  0xb7b9737d in dial_exec_full (chan=0xdc73aa8, data=<value optimized out>, peerflags=0xb4efaf44, continue_exec=0x0)
    at app_dial.c:1775
#10 0xb7b977e2 in dial_exec (chan=0xdc73aa8, data=0xb4efcfb8) at app_dial.c:1829
#11 0x080cd947 in pbx_extension_helper (c=0xdc73aa8, con=0x0, context=0xdc73c28 "internal", exten=0xdc73c78 "5765", priority=1,
    label=0x0, callerid=0xdc00e90 "8897", action=E_SPAWN) at pbx.c:537
#12 0x080cf931 in __ast_pbx_run (c=0xdc73aa8) at pbx.c:2317
#13 0x080d098e in pbx_thread (data=0xdc73aa8) at pbx.c:2621
#14 0x080ff5d0 in dummy_start (data=0x91d8e50) at utils.c:912
#15 0xb7f20240 in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
#16 0xb7e3b49e in clone () from /lib/tls/i686/cmov/libc.so.6

======================================================================
Relationships       ID      Summary
----------------------------------------------------------------------
related to          0014060 [patch] Astrerisk crashes using the app...
====================================================================== 

---------------------------------------------------------------------- 
 (0097767) nivek (reporter) - 2009-01-14 13:07
 http://bugs.digium.com/view.php?id=14086#c97767 
---------------------------------------------------------------------- 
Here is the output from valgrind.txt; that last line basically repeats itself.


==22682==    by 0x458C6432: start_thread (in /lib/libpthread-2.4.so)
==22682==    by 0x457B4A1D: clone (in /lib/libc-2.4.so)
==22682==  Address 0x4DE0F04 is 108 bytes inside a block of size 128 free'd
==22682==    at 0x4004E41: free (vg_replace_malloc.c:235)
==22682==    by 0x807447C: __ast_free_region (astmm.c:187)
==22682==    by 0x8074E6E: __ast_free (astmm.c:221)
==22682==    by 0x8089DF0: ast_channel_datastore_free (channel.c:1334)
==22682==    by 0x46165BD: ??? (app_queue.c:3493)
==22682==    by 0x4619BB7: ??? (app_queue.c:4325)
==22682==    by 0x80D414C: pbx_exec (pbx.c:537)
==22682==    by 0x80D7ED1: pbx_extension_helper (pbx.c:1862)
==22682==    by 0x80D925E: ast_spawn_extension (pbx.c:2317)
==22682==    by 0x80D96A6: __ast_pbx_run (pbx.c:2406)
==22682==    by 0x80DA4B9: pbx_thread (pbx.c:2621)
==22682==    by 0x811E29F: dummy_start (utils.c:912)
==22682==
==22682== Invalid read of size 4
==22682==    at 0x8089D9A: ast_channel_datastore_free (channel.c:1328)
==22682==    by 0x80894C9: ast_channel_free (channel.c:1224)
==22682==    by 0x808A7C0: ast_hangup (channel.c:1536)
==22682==    by 0x80DA251: __ast_pbx_run (pbx.c:2561)
==22682==    by 0x80DA4B9: pbx_thread (pbx.c:2621)
==22682==    by 0x811E29F: dummy_start (utils.c:912)
==22682==    by 0x458C6432: start_thread (in /lib/libpthread-2.4.so)
==22682==    by 0x457B4A1D: clone (in /lib/libc-2.4.so)
==22682==  Address 0x4DE0F00 is 104 bytes inside a block of size 128 free'd
==22682==    at 0x4004E41: free (vg_replace_malloc.c:235)
==22682==    by 0x807447C: __ast_free_region (astmm.c:187)
==22682==    by 0x8074E6E: __ast_free (astmm.c:221)
==22682==    by 0x8089DF0: ast_channel_datastore_free (channel.c:1334)
==22682==    by 0x46165BD: ??? (app_queue.c:3493)
==22682==    by 0x4619BB7: ??? (app_queue.c:4325)
==22682==    by 0x80D414C: pbx_exec (pbx.c:537)
==22682==    by 0x80D7ED1: pbx_extension_helper (pbx.c:1862)
==22682==    by 0x80D925E: ast_spawn_extension (pbx.c:2317)
==22682==    by 0x80D96A6: __ast_pbx_run (pbx.c:2406)
==22682==    by 0x80DA4B9: pbx_thread (pbx.c:2621)
==22682==    by 0x811E29F: dummy_start (utils.c:912)
==22793== Warning: invalid file descriptor 1014 in syscall close()
==22793== Warning: invalid file descriptor 1015 in syscall close()
==22793== Warning: invalid file descriptor 1016 in syscall close()
==22793== Warning: invalid file descriptor 1017 in syscall close() 

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2009-01-14 13:07 nivek          Note Added: 0097767                          
======================================================================



