[asterisk-bugs] [JIRA] (ASTERISK-21205) dundi_read_result crash

Jaco Kroon (JIRA) noreply at issues.asterisk.org
Tue Mar 5 07:24:01 CST 2013


     [ https://issues.asterisk.org/jira/browse/ASTERISK-21205?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jaco Kroon updated ASTERISK-21205:
----------------------------------

    Attachment: asterisk-11.2.1-dundi-segfault-on-fail.patch

This is my proposed fix.  Whilst num_results was previously unsigned I've now converted it to signed in order to correctly catch the error condition.  I've audited all uses of num_results and made some other amendments.  The original cause of the crash was a simple comparison against >0, since dundi_lookup_internal returns -1 or -2 on error, storing that as an unsigned value results in a large positive number, obviously >0, resulting in a sort of a NULL array, resulting in a crash.

Not sure how to actually *trigger* the segfault, but since the one DC one of our servers is hosted in had a router problem I'm guessing a "no response" from the peer might trigger this.
                
> dundi_read_result crash
> -----------------------
>
>                 Key: ASTERISK-21205
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-21205
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: PBX/pbx_dundi
>    Affects Versions: 11.2.1
>         Environment: gentoo linux
> kernel 3.7.3
>            Reporter: Jaco Kroon
>            Severity: Critical
>         Attachments: asterisk-11.2.1-dundi-segfault-on-fail.patch
>
>
> Should dundi_lookup_internal return a negative number then so will dundi_lookup, which usually gets assigned to num_results, which is an unsigned int.  Later when sorting this number is taken "as is", which then results in an out-of-bounds situation and a segfault (usually).

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.asterisk.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
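
The signedness problem described in this report, as an added C example; it is not the attached patch and not Asterisk code. The `lookup` function, `struct result` and the weights are hypothetical stand-ins for a lookup that returns a result count or a negative error code.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_RESULTS 8

struct result { int weight; };

/* Hypothetical lookup: fills out[] and returns the count, or -1 on error. */
static int lookup(struct result *out, int fail)
{
    if (fail)
        return -1;
    out[0].weight = 20;
    out[1].weight = 10;
    return 2;
}

static int by_weight(const void *a, const void *b)
{
    const struct result *x = a, *y = b;
    return (x->weight > y->weight) - (x->weight < y->weight);
}

/* Unsigned pattern: the count that a "> 0" check would hand to the sort.
 * The sort itself is not run here, since it would read out of bounds. */
unsigned int count_passed_to_sort_unsigned(int fail)
{
    struct result r[MAX_RESULTS];
    unsigned int num_results = lookup(r, fail); /* -1 becomes UINT_MAX */
    return num_results > 0 ? num_results : 0;
}

/* Signed pattern: errors stay negative, so the sort is skipped.
 * Returns the lowest weight after sorting, or -1 if the lookup failed. */
int lowest_weight_signed(int fail)
{
    struct result r[MAX_RESULTS];
    int num_results = lookup(r, fail);
    if (num_results <= 0 || num_results > MAX_RESULTS)
        return -1;
    qsort(r, (size_t)num_results, sizeof(r[0]), by_weight);
    return r[0].weight;
}

int main(void)
{
    printf("unsigned, failed lookup: sort count = %u\n", count_passed_to_sort_unsigned(1));
    printf("signed, failed lookup: result = %d\n", lowest_weight_signed(1));
    printf("signed, good lookup: lowest weight = %d\n", lowest_weight_signed(0));
    return 0;
}
```

The upper-bound check against `MAX_RESULTS` in the signed version is an extra guard added for this example, not something the report states.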


