[asterisk-bugs] [Asterisk 0017590]: Crash when freeing buffer in update_curl

Asterisk Bug Tracker noreply at bugs.digium.com
Thu Jul 8 10:22:39 CDT 2010


A NOTE has been added to this issue. 
====================================================================== 
https://issues.asterisk.org/view.php?id=17590 
====================================================================== 
Reported By:                atis
Assigned To:                
====================================================================== 
Project:                    Asterisk
Issue ID:                   17590
Category:                   Resources/res_config_curl
Reproducibility:            have not tried
Severity:                   crash
Priority:                   normal
Status:                     feedback
Asterisk Version:           SVN 
JIRA:                       SWP-1822 
Regression:                 No 
Reviewboard Link:            
SVN Branch (only for SVN checkouts, not tarball releases): N/A 
SVN Revision (number only!):  
Request Review:              
====================================================================== 
Date Submitted:             2010-07-06 08:54 CDT
Last Modified:              2010-07-08 10:22 CDT
====================================================================== 
Summary:                    Crash when freeing buffer in update_curl
Description: 
free(buffer) causes crash with signal 6 Aborted.

The HTTP message is clearly wrong, as it contains a PHP error, but this
shouldn't crash Asterisk.

        bufsize = 100
        buffer = 0x937c060 "1<br />\n<b>Fatal error</b>:  Call to undefined function ast_sip_prune_rt() in <b>/opt/voip/web/curl_"
        __PRETTY_FUNCTION__ = "update_curl"

====================================================================== 

---------------------------------------------------------------------- 
 (0124355) atis (reporter) - 2010-07-08 10:22
 https://issues.asterisk.org/view.php?id=17590#c124355 
---------------------------------------------------------------------- 
I'm still testing to see if it would crash under valgrind, but this could
be related:

==20536== Thread 9:
==20536== Invalid write of size 1
==20536==    at 0x8100B4F: pbx_substitute_variables_helper_full (pbx.c:3534)
==20536==    by 0x8100E61: pbx_substitute_variables_helper (pbx.c:3601)
==20536==    by 0x46449C1: update_curl (res_config_curl.c:261)
==20536==    by 0x80AF3D9: ast_update_realtime (config.c:2226)
==20536==    by 0x4B82950: realtime_update_peer (chan_sip.c:4571)
==20536==    by 0x4B8320B: update_peer (chan_sip.c:4702)
==20536==    by 0x4BAAFC8: register_verify (chan_sip.c:13051)
==20536==    by 0x4BD46B5: handle_request_register (chan_sip.c:21509)
==20536==    by 0x4BD5580: handle_incoming (chan_sip.c:21726)
==20536==    by 0x4BD6502: handle_request_do (chan_sip.c:22014)
==20536==    by 0x4BD5DFE: sipsock_read (chan_sip.c:21908)
==20536==    by 0x80E30A8: ast_io_wait (io.c:288)
==20536==  Address 0x4CBCA34 is 0 bytes after a block of size 100 alloc'd
==20536==    at 0x4022525: malloc (vg_replace_malloc.c:149)
==20536==    by 0x81558F4: _ast_malloc (utils.h:439)
==20536==    by 0x46447F9: update_curl (res_config_curl.c:243)
==20536==    by 0x80AF3D9: ast_update_realtime (config.c:2226)
==20536==    by 0x4B82950: realtime_update_peer (chan_sip.c:4571)
==20536==    by 0x4B8320B: update_peer (chan_sip.c:4702)
==20536==    by 0x4BAAFC8: register_verify (chan_sip.c:13051)
==20536==    by 0x4BD46B5: handle_request_register (chan_sip.c:21509)
==20536==    by 0x4BD5580: handle_incoming (chan_sip.c:21726)
==20536==    by 0x4BD6502: handle_request_do (chan_sip.c:22014)
==20536==    by 0x4BD5DFE: sipsock_read (chan_sip.c:21908)
==20536==    by 0x80E30A8: ast_io_wait (io.c:288)
==20536== 
==20536== Invalid read of size 1
==20536==    at 0x4023733: rawmemchr (mc_replace_strmem.c:547)
==20536==    by 0x4251F65: _IO_str_init_static_internal (in /lib/libc-2.7.so)
==20536==    by 0x42460A2: vsscanf (in /lib/libc-2.7.so)
==20536==    by 0x4240DAD: sscanf (in /lib/libc-2.7.so)
==20536==    by 0x46449F6: update_curl (res_config_curl.c:267)
==20536==    by 0x80AF3D9: ast_update_realtime (config.c:2226)
==20536==    by 0x4B82950: realtime_update_peer (chan_sip.c:4571)
==20536==    by 0x4B8320B: update_peer (chan_sip.c:4702)
==20536==    by 0x4BAAFC8: register_verify (chan_sip.c:13051)
==20536==    by 0x4BD46B5: handle_request_register (chan_sip.c:21509)
==20536==    by 0x4BD5580: handle_incoming (chan_sip.c:21726)
==20536==    by 0x4BD6502: handle_request_do (chan_sip.c:22014)
==20536==  Address 0x4CBCA34 is 0 bytes after a block of size 100 alloc'd
==20536==    at 0x4022525: malloc (vg_replace_malloc.c:149)
==20536==    by 0x81558F4: _ast_malloc (utils.h:439)
==20536==    by 0x46447F9: update_curl (res_config_curl.c:243)
==20536==    by 0x80AF3D9: ast_update_realtime (config.c:2226)
==20536==    by 0x4B82950: realtime_update_peer (chan_sip.c:4571)
==20536==    by 0x4B8320B: update_peer (chan_sip.c:4702)
==20536==    by 0x4BAAFC8: register_verify (chan_sip.c:13051)
==20536==    by 0x4BD46B5: handle_request_register (chan_sip.c:21509)
==20536==    by 0x4BD5580: handle_incoming (chan_sip.c:21726)
==20536==    by 0x4BD6502: handle_request_do (chan_sip.c:22014)
==20536==    by 0x4BD5DFE: sipsock_read (chan_sip.c:21908)
==20536==    by 0x80E30A8: ast_io_wait (io.c:288) 

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2010-07-08 10:22 atis           Note Added: 0124355                          
======================================================================
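
The two Valgrind findings above (a 1-byte write, then a 1-byte read, both "0 bytes after a block of size 100") are what Memcheck reports when a string terminator lands one byte past a heap buffer. The following is an added example, not Asterisk's code and not part of the report; it reproduces that pattern safely with a guard byte. `substitute`, `check_call` and the sample body are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GUARD 0x5A
enum { WROTE_PAST_END = 1, NO_NUL_IN_BUFFER = 2 };

/* Constructed sample: an over-long HTTP body, modelled on an HTML error page. */
static const char SAMPLE[] =
    "1<br />\n<b>Fatal error</b>:  Call to undefined function example_fn() "
    "in <b>/constructed/path/handler.php</b> on line <b>1</b><br />\n";

/* Hypothetical helper (not Asterisk's): copies at most `count` characters and
 * then appends the NUL, so it can touch dst[count]. */
static void substitute(const char *src, char *dst, size_t count)
{
    size_t i = 0;
    while (i < count && src[i] != '\0') {
        dst[i] = src[i];
        i++;
    }
    dst[i] = '\0';
}

/* Runs the helper on a `bufsize`-byte buffer followed by one guard byte that
 * belongs to the same allocation, so the overrun is observable without
 * undefined behaviour. Returns a bitmask of the flags above, or -1. */
int check_call(const char *src, size_t bufsize, size_t count)
{
    unsigned char *block = malloc(bufsize + 1);
    int flags = 0;
    if (block == NULL)
        return -1;
    memset(block, GUARD, bufsize + 1);
    substitute(src, (char *)block, count);
    if (block[bufsize] != GUARD)
        flags |= WROTE_PAST_END;        /* what Memcheck calls an invalid write */
    if (memchr(block, '\0', bufsize) == NULL)
        flags |= NO_NUL_IN_BUFFER;      /* a later sscanf() would read past the end */
    free(block);
    return flags;
}

int main(void)
{
    printf("count = bufsize:     %d\n", check_call(SAMPLE, 100, 100));
    printf("count = bufsize - 1: %d\n", check_call(SAMPLE, 100, 99));
    return 0;
}
```

Passing `bufsize - 1` as the count (or allocating `bufsize + 1`) keeps the terminator inside the block, which clears both conditions.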
