[asterisk-bugs] [JIRA] (ASTERISK-21205) dundi_read_result crash
Jaco Kroon (JIRA)
noreply at issues.asterisk.org
Tue Mar 5 07:24:01 CST 2013
[ https://issues.asterisk.org/jira/browse/ASTERISK-21205?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jaco Kroon updated ASTERISK-21205:
----------------------------------
Attachment: asterisk-11.2.1-dundi-segfault-on-fail.patch
This is my proposed fix. Whilst num_results was previously unsigned, I've now converted it to signed in order to correctly catch the error condition. I've audited all uses of num_results and made some other amendments. The original cause of the crash was a simple comparison against >0, since dundi_lookup_internal returns -1 or -2 on error, storing that as an unsigned value results in a large positive number, obviously >0, resulting in a sort of a NULL array, resulting in a crash.
Not sure how to actually *trigger* the segfault, but since the one DC one of our servers is hosted in had a router problem I'm guessing a "no response" from the peer might trigger this.
> dundi_read_result crash
> -----------------------
>
> Key: ASTERISK-21205
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-21205
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: PBX/pbx_dundi
> Affects Versions: 11.2.1
> Environment: gentoo linux
> kernel 3.7.3
> Reporter: Jaco Kroon
> Severity: Critical
> Attachments: asterisk-11.2.1-dundi-segfault-on-fail.patch
>
>
> Should dundi_lookup_internal return a negative number then so will dundi_lookup, which usually gets assigned to num_results, which is an unsigned int. Later when sorting this number is taken "as is", which then results in an out-of-bounds situation and a segfault (usually).
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.asterisk.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
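The signed/unsigned mix-up described in this report, as an added example that is not taken from the attached patch or from the Asterisk source: `fake_lookup`, `struct result` and both wrapper functions are hypothetical stand-ins, and the "before" variant only returns the element count the sort would receive instead of running it.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_RESULTS 8
struct result { int weight; };            /* hypothetical result record */

/* Hypothetical stand-in for the lookup: count on success, -1 on error. */
static int fake_lookup(struct result *out, int fail)
{
    if (fail)
        return -1;
    out[0].weight = 30; out[1].weight = 10; out[2].weight = 20;
    return 3;
}

static int cmp_weight(const void *a, const void *b)
{
    const struct result *x = a, *y = b;
    return (x->weight > y->weight) - (x->weight < y->weight);
}

/* Before: unsigned storage. Returns the element count the sort would get. */
size_t sort_count_unsigned(int fail)
{
    struct result res[MAX_RESULTS];
    unsigned int num_results = fake_lookup(res, fail); /* -1 -> UINT_MAX */
    if (num_results > 0)          /* true for the error value as well */
        return num_results;       /* sort deliberately not run here */
    return 0;
}

/* After: signed storage, so the error is caught before sorting. */
int sort_results_signed(struct result *res, int fail)
{
    int num_results = fake_lookup(res, fail);
    if (num_results <= 0)
        return 0;                 /* error or empty: nothing to sort */
    qsort(res, (size_t)num_results, sizeof(*res), cmp_weight);
    return num_results;
}

int main(void)
{
    struct result res[MAX_RESULTS];
    printf("unsigned, failed lookup: count=%zu\n", sort_count_unsigned(1));
    printf("signed,   failed lookup: count=%d\n", sort_results_signed(res, 1));
    printf("signed,   ok lookup:     count=%d\n", sort_results_signed(res, 0));
    return 0;
}
```

Building with `-Wsign-conversion` (GCC and Clang) flags the implicit int-to-unsigned assignment in the "before" function at compile time.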