[asterisk-bugs] [Asterisk 0019072]: crash in ast_frdup with oversized udptl frame
Asterisk Bug Tracker
noreply at bugs.digium.com
Mon May 23 08:04:03 CDT 2011
A NOTE has been added to this issue.
======================================================================
https://issues.asterisk.org/view.php?id=19072
======================================================================
Reported By: vrban
Assigned To:
======================================================================
Project: Asterisk
Issue ID: 19072
Category: Channels/chan_sip/T.38
Reproducibility: unable to reproduce
Severity: crash
Priority: normal
Status: acknowledged
Asterisk Version: 1.4.40
JIRA: SWP-3309
Regression: No
Reviewboard Link:
SVN Branch (only for SVN checkouts, not tarball releases): N/A
SVN Revision (number only!):
Request Review:
======================================================================
Date Submitted: 2011-04-06 06:05 CDT
Last Modified: 2011-05-23 08:04 CDT
======================================================================
Summary: crash in ast_frdup with oversized udptl frame
Description:
A crash, see gdb_output.txt.
Noticeable is the oversized datalen:
$2 = {frametype = AST_FRAME_MODEM, subclass = 1, datalen = 79109792,
samples = 0, mallocd = 0, mallocd_hdr_len = 0, offset = 0,
src = 0x4e05fe "UDPTL", data = 0x4b71e98, delivery = {tv_sec = 0,
tv_usec = 0}, frame_list = {next = 0x54a0368}, flags = 0, ts = 0, len = 0,
seqno = 33223}
======================================================================
----------------------------------------------------------------------
(0135247) vrban (reporter) - 2011-05-23 08:04
https://issues.asterisk.org/view.php?id=19072#c135247
----------------------------------------------------------------------
Meanwhile I had the third core with this issue. See gdb2.txt.
The last two times, it crashed at the memcpy in udptl_build_packet in
udptl.c,
again with oversized datalen:
(gdb) print *frame
$3 = {frametype = AST_FRAME_MODEM, subclass = 1, datalen = 876294195,
samples = 0, mallocd = 0, mallocd_hdr_len = 0, offset = 0,
src = 0x4e091e "UDPTL", data = 0x7f228b46f11b, delivery = {tv_sec = 0,
tv_usec = 0}, frame_list = {next = 0x0}, flags = 0, ts = 0, len = 0,
seqno = 32776}
I suspect changeset 308413 because it deals with the datalen, and I don't
remember this type of crash in older 1.4 versions before changeset 308413.
Perhaps mnicholson should take a look. He made the change. And very
probably it's not a 1.4-only issue, because the udptl.c source is almost
1:1 in every Asterisk version.
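The common thread in both backtraces is a frame whose datalen field (79109792 and 876294195 in the gdb output above) is far larger than any real UDPTL payload, and that value reaches memcpy unchecked. The following is an added illustration of the defensive pattern for that situation: validate the declared length against both a policy limit and the destination size before copying. It is example code written for this page, not Asterisk's udptl.c or any fix from the tracker; demo_frame, demo_copy_frame_payload, demo_try_copy and the DEMO_MAX_UDPTL_PAYLOAD limit are all constructed names and values for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified stand-in for a frame carrying a UDPTL payload.
 * Only the two fields this example needs; it is not Asterisk's struct ast_frame. */
struct demo_frame {
    int datalen;          /* declared length of the payload at 'data' */
    const void *data;     /* payload bytes */
};

/* Largest UDPTL payload this copy routine will accept. Constructed limit for
 * the example; it is not a value taken from Asterisk or from the report. */
#define DEMO_MAX_UDPTL_PAYLOAD 1500

/* Copy a frame's payload into dst, but only after checking that datalen is
 * non-negative, within the policy limit and not larger than the destination.
 * Returns the number of bytes copied, or -1 if the frame is rejected. */
int demo_copy_frame_payload(const struct demo_frame *f, unsigned char *dst, size_t dst_size)
{
    if (f == NULL || dst == NULL)
        return -1;
    if (f->datalen < 0)                              /* negative length: corrupt header */
        return -1;
    if ((size_t)f->datalen > DEMO_MAX_UDPTL_PAYLOAD) /* e.g. datalen = 79109792 from the report */
        return -1;
    if ((size_t)f->datalen > dst_size)               /* would overrun the destination */
        return -1;
    if (f->datalen > 0 && f->data == NULL)
        return -1;
    memcpy(dst, f->data, (size_t)f->datalen);
    return f->datalen;
}

/* Helper for the demo and tests: build a frame with the given datalen over a
 * static payload of the maximum accepted size, and attempt the bounded copy. */
int demo_try_copy(int datalen)
{
    static const unsigned char payload[DEMO_MAX_UDPTL_PAYLOAD] = { 'U', 'D', 'P', 'T', 'L' };
    unsigned char dst[DEMO_MAX_UDPTL_PAYLOAD];
    struct demo_frame f = { datalen, payload };
    return demo_copy_frame_payload(&f, dst, sizeof dst);
}

int main(void)
{
    /* The two datalen values printed by gdb in the report, plus a sane one. */
    int samples[] = { 79109792, 876294195, 5 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = demo_try_copy(samples[i]);
        printf("datalen=%d -> %s\n", samples[i], rc < 0 ? "rejected" : "copied");
    }
    return 0;
}
```

The check on datalen sits before the memcpy, so a frame with a bogus length is dropped instead of driving the copy length; the same test belongs wherever a frame's datalen is used to size an allocation or a copy (ast_frdup in the first backtrace, udptl_build_packet in the later ones).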
Issue History
Date Modified Username Field Change
======================================================================
2011-05-23 08:04 vrban Note Added: 0135247
======================================================================