[asterisk-bugs] [JIRA] (ASTERISK-24258) Segmentation fault in ast_variable_update when using app_voicemail.

Steven T. Wheeler (JIRA) noreply at issues.asterisk.org
Thu Aug 21 16:03:29 CDT 2014 

Steven T. Wheeler created ASTERISK-24258:
--------------------------------------------

             Summary: Segmentation fault in ast_variable_update when using app_voicemail.
                 Key: ASTERISK-24258
                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-24258
             Project: Asterisk
          Issue Type: Bug
      Security Level: None
          Components: Applications/app_voicemail, Core/General
    Affects Versions: 1.8.21.0
         Environment: CentOS 6.4
            Reporter: Steven T. Wheeler


One of our 1.8.21 servers experienced a segmentation fault while a user was checking their voicemail using app_voicemail. I believe that the segfault happened in {{ast_variable_update}} because the {{category}} variable was null.

In the GDB output you can see that the {{msg_cat}} variable is null. Which is then passed into {{ast_variable_update}}. I don't know enough about the Asterisk source to know if that is a valid value, perhaps a call to {{ast_category_exist}} should happen first? Or maybe we should check for a null value?

GDB Output:
{noformat}
(gdb) bt full
#0  ast_variable_update (category=0x0, variable=0x7fc585c74fce "duration", value=0x7fc57f700980 "19", match=0x0, object=0) at config.c:911
        cur = <value optimized out>
        prev = 0x0
        newer = 0x0
#1  0x00007fc585c6ef4d in vm_forwardoptions (chan=0x7fc574d66788, context=0x7fc57f700c50 "/var/spool/asterisk/voicemail/midwestDisability-VOICEMAIL/101/INBOX", vms=0x7fc57f700b60, sender=0x7fc57f707c80,
    is_new_message=2138020224, record_gain=0 '\000', urgent=0, fmt=0x7fc585e7f300 "wav49|gsm|wav") at app_voicemail.c:6981
        msg_cat = 0x0
        duration_buf = "19\000\177\305\177\000\000\215\307q", <incomplete sequence \315>
        msgfile = "/var/spool/asterisk/voicemail/midwestDisability-VOICEMAIL/101/INBOX/msg0000", '\000' <repeats 3013 times>"\220, \274o\177\305\177\000\000\200\274o\177\305\177\000\000\000\000\000\000\000\000\000\000@\276o\177\305\177\000\000\000OY\000\000\000\000\000'\244o\315\305\177\000\000\000OY", '\000' <repeats 13 times>"\205, [\005p\304\177", '\000' <repeats 42 times>, "p\273o\177\305\177\000\000\000\000\000\000\000\000\000\000\376NY", '\000' <repeats 29 times>, "ܻo\177\305\177\000\000\370\273o\177\305\177\000\000\000\000\000\000\000\000\000\000\030\274o\177\305\177", '\000' <repeats 58 times>...
        cmd = 116
        retries = 0
        prepend_duration = 19
        backup_textfile = "/var/spool/asterisk/voicemail/midwestDisability-VOICEMAIL/101/INBOX/msg0000-bak.txt", '\000' <repeats 4012 times>
        textfile = "/var/spool/asterisk/voicemail/midwestDisability-VOICEMAIL/101/INBOX/msg0000.txt\000 at zo\177\305\177\000\000\000\000\000\000\000\000\000\000 \001\000\000\000\000\000\000 \001\000\000\000\000\000\000P}o\177\305\177", '\000' <repeats 18 times>"\224, \002Y\000\000\000\000\000\030\000\000\000\060\000\000\000 ~o\177\305\177\000\000`}o\177\305\177\000\000`{o\177\305\177\000\000\240zo\177\305\177", '\000' <repeats 18 times>"\200, \002p\177\305\177\000\000\003\000\000\000\000\000\000\000\200\177o\177\305\177\000\000\000\000\000\000\000\000\000\000"...
        msg_cfg = 0x7fc4700396b0
        zero_gain = 0 '\000'
        vm_fmts = 0x7fc585e7f300 "wav49|gsm|wav"
        backup = "/var/spool/asterisk/voicemail/midwestDisability-VOICEMAIL/101/INBOX/msg0000-bak", '\000' <repeats 4016 times>
        config_flags = {flags = 4}
        duration_str = <value optimized out>
        already_recorded = 1
...
{noformat}

>From app_voicemail.c
{noformat}
   6881 static int vm_forwardoptions(struct ast_channel *chan, struct ast_vm_user *vmu, char *curdir, int curmsg, char *vm_fmts,
   6882                         char *context, signed char record_gain, long *duration, struct vm_state *vms, char *flag)
   6883 {
...
   6973                         if (prepend_duration) {
   6974                                 struct ast_category *msg_cat;
   6975                                 /* need enough space for a maximum-length message duration */
   6976                                 char duration_buf[12];
   6977
   6978                                 *duration += prepend_duration;
   6979                                 msg_cat = ast_category_get(msg_cfg, "message");
   6980                                 snprintf(duration_buf, 11, "%ld", *duration);
   6981                                 if (!ast_variable_update(msg_cat, "duration", duration_buf, NULL, 0)) {
   6982                                         ast_config_text_file_save(textfile, msg_cfg, "app_voicemail");
   6983                                 }
   6984                         }
{noformat}

>From config.c
{noformat}
    906 int ast_variable_update(struct ast_category *category, const char *variable,
    907                                                 const char *value, const char *match, unsigned int object)
    908 {
    909         struct ast_variable *cur, *prev=NULL, *newer=NULL;
    910
    911         for (cur = category->root; cur; prev = cur, cur = cur->next) {
{noformat}




--
This message was sent by Atlassian JIRA
(v6.2#6252)

More information about the asterisk-bugs mailing list