[asterisk-bugs] [JIRA] (ASTERISK-22432) Async AGI crashes Asterisk when issuing "set variable" command without args
Michael L. Young (JIRA)
noreply at issues.asterisk.org
Sat Aug 31 08:33:03 CDT 2013
[ https://issues.asterisk.org/jira/browse/ASTERISK-22432?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Michael L. Young updated ASTERISK-22432:
----------------------------------------
Description:
Banner is the following:
11.5.0+pf.xivo.13.16~20130722.141054.2668289,
Actions to reproduce: open an AMI session using telnet, trigger an async AGI session and then type:
{noformat}
action: agi
actionid: FOOBAR.568
CommandID: 124
command: set variable
Channel: <AGI channel name>
Response: Success
ActionID: FOOBAR.568
Message: Added AGI command to queue
{noformat}
At this point Asterisk crashes (the AMI connection is closed).
{noformat}
gdb stack trace:
(gdb) bt
#0 0xb767e073 in strlen () from /lib/libc.so.6
#1 0x0818c754 in pbx_builtin_setvar_helper ()
#2 0xb6e87b57 in ?? () from /usr/lib/asterisk/modules/res_agi.so
#3 0xb6e8d053 in ?? () from /usr/lib/asterisk/modules/res_agi.so
#4 0xb6e8f7dd in ?? () from /usr/lib/asterisk/modules/res_agi.so
#5 0x08184eca in pbx_exec ()
#6 0x081916a6 in ?? ()
#7 0x08199087 in ?? ()
#8 0x0819b390 in ?? ()
#9 0x081e222b in ?? ()
#10 0xb72937b0 in start_thread () from /lib/libpthread.so.0
#11 0xb76d6cde in clone () from /lib/libc.so.6
{noformat}
I've made an SVN checkout of Asterisk and identified the likely cause of the problem:
in res/res_agi.c, handle_setvariable() calls pbx_builtin_setvar_helper(chan, argv[2], argv[3]).
However, if "set variable" is called with too few arguments, argv[2] and argv[3] may be uninitialized.
Then pbx_builtin_setvar_helper() calls strlen(argv[2]) and crashes.
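As an added illustration (not Asterisk's code and not the reporter's), the following C model mirrors the defect described above: a stand-in for pbx_builtin_setvar_helper() that begins with strlen(), the unguarded handle_setvariable pattern beside a version that validates argc before touching argv, and a small tokenizer that feeds a raw AGI command line through the guarded path. The channel struct, result codes and function names are constructed stand-ins, not res_agi.c's real definitions.

```c
#include <stdio.h>
#include <string.h>

#define RESULT_SUCCESS   0
#define RESULT_SHOWUSAGE 1
#define MAX_ARGS 8

/* Stand-in for an Asterisk channel holding a single variable. */
struct channel { char name[32]; char value[64]; int set; };

/* Stand-in for pbx_builtin_setvar_helper(): like the real helper it begins with
 * strlen(name), so an invalid name pointer is exactly the crash in the report. */
static int setvar_helper(struct channel *chan, const char *name, const char *value)
{
    size_t n = strlen(name);
    if (n == 0 || n >= sizeof chan->name)
        return -1;
    snprintf(chan->name, sizeof chan->name, "%s", name);
    snprintf(chan->value, sizeof chan->value, "%s", value ? value : "");
    chan->set = 1;
    return 0;
}

/* Unguarded pattern from the report: argv[2]/argv[3] are read whatever argc is. */
static int handle_setvariable_unguarded(struct channel *chan, int argc, const char *argv[])
{
    (void)argc;
    return setvar_helper(chan, argv[2], argv[3]) ? RESULT_SHOWUSAGE : RESULT_SUCCESS;
}

/* Hardened form: only a complete "set variable <name> <value>" reaches the helper. */
static int handle_setvariable_guarded(struct channel *chan, int argc, const char *argv[])
{
    if (argc != 4 || argv[2] == NULL || argv[3] == NULL)
        return RESULT_SHOWUSAGE;   /* dispatcher answers "520 Invalid command syntax" */
    return setvar_helper(chan, argv[2], argv[3]) ? RESULT_SHOWUSAGE : RESULT_SUCCESS;
}

/* Tokenise one AGI command line and route it through the guarded handler. Unused argv
 * slots are NULLed here for determinism; in the report they were uninitialised stack. */
static int agi_setvar_from_line(struct channel *chan, const char *line)
{
    char buf[256];
    const char *argv[MAX_ARGS] = {0};
    int argc = 0;
    snprintf(buf, sizeof buf, "%s", line);
    for (char *tok = strtok(buf, " \t\r\n"); tok && argc < MAX_ARGS; tok = strtok(NULL, " \t\r\n"))
        argv[argc++] = tok;
    return handle_setvariable_guarded(chan, argc, argv);
}
```

With the guard in place, the truncated command from the report is rejected with a usage error instead of reaching strlen() on an invalid pointer.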
> Async AGI crashes Asterisk when issuing "set variable" command without args
> ---------------------------------------------------------------------------
>
> Key: ASTERISK-22432
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-22432
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: Resources/res_agi
> Environment: Fresh install of squeeze-xivo-skaro-13.16.iso
> Reporter: Antoine Pitrou
>