[asterisk-bugs] [JIRA] (ASTERISK-22432) Async AGI crashes Asterisk when issuing "set variable" command without args

Michael L. Young (JIRA) noreply at issues.asterisk.org
Sat Aug 31 08:33:03 CDT 2013 

     [ https://issues.asterisk.org/jira/browse/ASTERISK-22432?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michael L. Young updated ASTERISK-22432:
----------------------------------------

    Description: 
Banner is the following:
11.5.0+pf.xivo.13.16~20130722.141054.2668289,

Actions to reproduce: open an AMI session using telnet, trigger an async AGI session and then type:
{noformat}
action: agi
actionid: FOOBAR.568
CommandID: 124
command: set variable
Channel: <AGI channel name>

Response: Success
ActionID: FOOBAR.568
Message: Added AGI command to queue
{noformat}

At this point Asterisk crashes (the AMI connection is closed).

{noformat}
gdb stack trace:
(gdb) bt
#0  0xb767e073 in strlen () from /lib/libc.so.6
#1  0x0818c754 in pbx_builtin_setvar_helper ()
#2  0xb6e87b57 in ?? () from /usr/lib/asterisk/modules/res_agi.so
#3  0xb6e8d053 in ?? () from /usr/lib/asterisk/modules/res_agi.so
#4  0xb6e8f7dd in ?? () from /usr/lib/asterisk/modules/res_agi.so
#5  0x08184eca in pbx_exec ()
#6  0x081916a6 in ?? ()
#7  0x08199087 in ?? ()
#8  0x0819b390 in ?? ()
#9  0x081e222b in ?? ()
#10 0xb72937b0 in start_thread () from /lib/libpthread.so.0
#11 0xb76d6cde in clone () from /lib/libc.so.6
{noformat}

I've made a SVN checkout of Asterisk and identified the likely cause of the problem:

in res/res_agi.c, handle_setvariable() calls pbx_builtin_setvar_helper(chan, argv[2], argv[3]).
However, if "set variable" is called with too few arguments, argv[2] and argv[3] may be unitialized.
Then pbx_builtin_setvar_helper() calls strlen(argv[2]) and crashes.


  was:
Banner is the following:
11.5.0+pf.xivo.13.16~20130722.141054.2668289,

Actions to reproduce: open an AMI session using telnet, trigger an async AGI session and then type:

action: agi
actionid: FOOBAR.568
CommandID: 124
command: set variable
Channel: <AGI channel name>

Response: Success
ActionID: FOOBAR.568
Message: Added AGI command to queue


At this point Asterisk crashes (the AMI connection is closed).


gdb stack trace:
(gdb) bt
#0  0xb767e073 in strlen () from /lib/libc.so.6
#1  0x0818c754 in pbx_builtin_setvar_helper ()
#2  0xb6e87b57 in ?? () from /usr/lib/asterisk/modules/res_agi.so
#3  0xb6e8d053 in ?? () from /usr/lib/asterisk/modules/res_agi.so
#4  0xb6e8f7dd in ?? () from /usr/lib/asterisk/modules/res_agi.so
#5  0x08184eca in pbx_exec ()
#6  0x081916a6 in ?? ()
#7  0x08199087 in ?? ()
#8  0x0819b390 in ?? ()
#9  0x081e222b in ?? ()
#10 0xb72937b0 in start_thread () from /lib/libpthread.so.0
#11 0xb76d6cde in clone () from /lib/libc.so.6


I've made a SVN checkout of Asterisk and identified the likely cause of the problem:

in res/res_agi.c, handle_setvariable() calls pbx_builtin_setvar_helper(chan, argv[2], argv[3]).
However, if "set variable" is called with too few arguments, argv[2] and argv[3] may be unitialized.
Then pbx_builtin_setvar_helper() calls strlen(argv[2]) and crashes.


    
> Async AGI crashes Asterisk when issuing "set variable" command without args
> ---------------------------------------------------------------------------
>
>                 Key: ASTERISK-22432
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-22432
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Resources/res_agi
>         Environment: Fresh install of squeeze-xivo-skaro-13.16.iso
>            Reporter: Antoine Pitrou
>
> Banner is the following:
> 11.5.0+pf.xivo.13.16~20130722.141054.2668289,
> Actions to reproduce: open an AMI session using telnet, trigger an async AGI session and then type:
> {noformat}
> action: agi
> actionid: FOOBAR.568
> CommandID: 124
> command: set variable
> Channel: <AGI channel name>
> Response: Success
> ActionID: FOOBAR.568
> Message: Added AGI command to queue
> {noformat}
> At this point Asterisk crashes (the AMI connection is closed).
> {noformat}
> gdb stack trace:
> (gdb) bt
> #0  0xb767e073 in strlen () from /lib/libc.so.6
> #1  0x0818c754 in pbx_builtin_setvar_helper ()
> #2  0xb6e87b57 in ?? () from /usr/lib/asterisk/modules/res_agi.so
> #3  0xb6e8d053 in ?? () from /usr/lib/asterisk/modules/res_agi.so
> #4  0xb6e8f7dd in ?? () from /usr/lib/asterisk/modules/res_agi.so
> #5  0x08184eca in pbx_exec ()
> #6  0x081916a6 in ?? ()
> #7  0x08199087 in ?? ()
> #8  0x0819b390 in ?? ()
> #9  0x081e222b in ?? ()
> #10 0xb72937b0 in start_thread () from /lib/libpthread.so.0
> #11 0xb76d6cde in clone () from /lib/libc.so.6
> {noformat}
> I've made a SVN checkout of Asterisk and identified the likely cause of the problem:
> in res/res_agi.c, handle_setvariable() calls pbx_builtin_setvar_helper(chan, argv[2], argv[3]).
> However, if "set variable" is called with too few arguments, argv[2] and argv[3] may be unitialized.
> Then pbx_builtin_setvar_helper() calls strlen(argv[2]) and crashes.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.asterisk.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the asterisk-bugs mailing list