[asterisk-bugs] [Asterisk 0016058]: [patch] Crash in local_ast_moh_start / ast_indicate_data due to AST_CONTROL_HOLD with bad pointer
Asterisk Bug Tracker
noreply at bugs.digium.com
Wed Mar 17 03:51:46 CDT 2010
A NOTE has been added to this issue.
======================================================================
https://issues.asterisk.org/view.php?id=16058
======================================================================
Reported By: atis
Assigned To: jpeeler
======================================================================
Project: Asterisk
Issue ID: 16058
Category: Channels/General
Reproducibility: have not tried
Severity: crash
Priority: normal
Status: assigned
Target Version: 1.6.1.19
Asterisk Version: SVN
JIRA:
Regression: No
Reviewboard Link:
SVN Branch (only for SVN checkouts, not tarball releases): N/A
SVN Revision (number only!):
Request Review:
======================================================================
Date Submitted: 2009-10-12 08:24 CDT
Last Modified: 2010-03-17 03:51 CDT
======================================================================
Summary: [patch] Crash in local_ast_moh_start /
ast_indicate_data due to AST_CONTROL_HOLD with bad pointer
Description:
I got the following backtrace:
Program terminated with signal 11, Segmentation fault.
#0  0x00002aaab13265d0 in local_ast_moh_start (chan=0x2aaac82fad98, mclass=0xc8196c58 <Address 0xc8196c58 out of bounds>, interpclass=0xc4c1db "default") at /export/storage0/dist/1.6.1_p1/asterisk-svn-1.6.1.6-iqlabs/include/asterisk/strings.h:50
50	return (!s || (*s == '\0'));
#0  0x00002aaab13265d0 in local_ast_moh_start (chan=0x2aaac82fad98, mclass=0xc8196c58 <Address 0xc8196c58 out of bounds>, interpclass=0xc4c1db "default") at /export/storage0/dist/1.6.1_p1/asterisk-svn-1.6.1.6-iqlabs/include/asterisk/strings.h:50
#1  0x000000000046b106 in ast_moh_start (chan=0x2aaac82fad98, mclass=0xc8196c58 <Address 0xc8196c58 out of bounds>, interpclass=0xc4c1db "default") at channel.c:5625
#2  0x00002aaab8e1ad84 in sip_indicate (ast=0x2aaac82fad98, condition=16, data=0xc8196c58, datalen=0) at chan_sip.c:5794
#3  0x000000000045f40c in ast_indicate_data (chan=0x2aaac82fad98, _condition=16, data=0xc8196c58, datalen=0) at channel.c:3113
#4  0x0000000000467171 in ast_generic_bridge (c0=0xaa7638, c1=0x2aaac82fad98, config=0x40c90c00, fo=0x40c8fd28, rc=0x40c8fd20, bridge_end={tv_sec = 1255274833, tv_usec = 81777}) at channel.c:4902
After investigating closer in frame 4 I found that:
f->datalen = 0
f->data.ptr = (void *) 0xc8196c58 (which is out of bounds in ast_strlen_zero)
f->frametype = AST_FRAME_CONTROL
f->subclass = 16 (AST_CONTROL_HOLD)
So, apparently something generates a wrong HOLD frame with data length 0 but an invalid pointer.
Full backtrace attached
======================================================================
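The following is an added example, not code from the bug report or from Asterisk itself, that models the failure the backtrace shows: a control frame whose datalen is 0 but whose data.ptr still holds a stale, non-NULL value is handed to a function that treats data.ptr as a C string, and ast_strlen_zero dereferences it. The struct, the constants FRAME_CONTROL/CONTROL_HOLD and the function names below are simplifications assumed for the example (Asterisk's real struct ast_frame and its APIs differ); hold_class_unsafe stands in for the crashing path, hold_class_safe for the kind of datalen check a receiver of the frame should apply, and frame_is_inconsistent for the condition the frame_datalen.patch warning reports. The garbage pointer is produced with memset, which is constructed for the example and is not how Asterisk builds frames.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the frame fields named in the backtrace.
 * NOT Asterisk's struct ast_frame; names and values are assumptions. */
#define FRAME_CONTROL 4
#define CONTROL_HOLD  16

struct frame {
    int frametype;
    int subclass;
    int datalen;                 /* 0 in the crashing frame */
    union { void *ptr; } data;   /* stale 0xc8196c58-style pointer there */
};

/* Same test as the strings.h line the crash landed on. */
static int strlen_zero(const char *s)
{
    return (!s || (*s == '\0'));
}

/* What the crashing path effectively did: pass data.ptr along as the MOH
 * class name whenever the control subclass is HOLD, ignoring datalen. */
static const char *hold_class_unsafe(const struct frame *f)
{
    return (const char *)f->data.ptr;
}

/* Hardened variant: only trust the pointer when datalen says there is a
 * payload behind it. NULL is handled by strlen_zero without a dereference,
 * so the caller falls back to its default/interp class. */
static const char *hold_class_safe(const struct frame *f)
{
    if (f->datalen > 0 && f->data.ptr)
        return (const char *)f->data.ptr;
    return NULL;
}

/* The condition the frame_datalen.patch warning in __ast_read reports:
 * datalen == 0 but a non-NULL data pointer. Returns 1 if inconsistent. */
static int frame_is_inconsistent(const struct frame *f)
{
    return f->datalen == 0 && f->data.ptr != NULL;
}

/* Build a HOLD frame the sloppy way. The memset stands in for
 * uninitialised stack/heap memory (constructed for this example); the
 * sender then sets only the fields it "remembers", leaving data.ptr as
 * garbage: datalen=0 with a bad pointer, as in the report. */
static void make_stale_hold_frame(struct frame *f)
{
    memset(f, 0xc8, sizeof(*f));
    f->frametype = FRAME_CONTROL;
    f->subclass = CONTROL_HOLD;
    f->datalen = 0;
    /* f->data.ptr deliberately left uninitialised */
}

/* Build a well-formed HOLD frame; mclass == NULL means "no class". */
static void make_good_hold_frame(struct frame *f, const char *mclass)
{
    memset(f, 0, sizeof(*f));
    f->frametype = FRAME_CONTROL;
    f->subclass = CONTROL_HOLD;
    f->data.ptr = (void *)mclass;
    f->datalen = mclass ? (int)strlen(mclass) + 1 : 0;
}

int main(void)
{
    struct frame stale, good, empty;
    make_stale_hold_frame(&stale);
    make_good_hold_frame(&good, "jazz");
    make_good_hold_frame(&empty, NULL);

    printf("stale: inconsistent=%d safe class=%s\n",
           frame_is_inconsistent(&stale),
           hold_class_safe(&stale) ? hold_class_safe(&stale) : "(NULL -> default)");
    /* strlen_zero(hold_class_unsafe(&stale)) would dereference the garbage
     * pointer and segfault exactly as in the backtrace, so it is not called. */
    printf("good: class=%s strlen_zero=%d\n",
           hold_class_safe(&good), strlen_zero(hold_class_safe(&good)));
    printf("empty: inconsistent=%d\n", frame_is_inconsistent(&empty));
    return 0;
}
```

The point of the check is that datalen, not the pointer, is the authoritative signal of whether a control frame carries a payload; the same rule applies to any other channel driver's indicate handler that reads data for AST_CONTROL_HOLD.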
----------------------------------------------------------------------
(0119496) wuwu (reporter) - 2010-03-17 03:51
https://issues.asterisk.org/view.php?id=16058#c119496
----------------------------------------------------------------------
I was running version 1.6.2.2 - this version already had the patch included to avoid this bug. And it was working fine - I never had the same problem again. But in 1.6.2.2 transfer is not working anymore - so I needed to upgrade to 1.6.2.3-rc2.
But with 1.6.2.3-rc2 the above bug is back - so there must be another source for this problem.
I now have 1.6.2.3-rc2 running - with the frame_datalen.patch applied to get the debugging output. And I have compiled it without optimization in dev mode. Problem now is - it is not crashing anymore ;-)
I now get lots of these messages....
[Mar 17 09:49:16] WARNING[12065]: channel.c:3065 __ast_read: Found frame
with datalen=0 but initialized data pointer:
<< [ TYPE: Control (4) SUBCLASS: Unknown control '15' (15) ]
[IAX2/tel01pica02-20225]
Issue History
Date Modified Username Field Change
======================================================================
2010-03-17 03:51 wuwu Note Added: 0119496
======================================================================