[asterisk-bugs] [JIRA] (ASTERISK-24258) Segmentation fault in ast_variable_update when using app_voicemail.

Steven T. Wheeler (JIRA) noreply at issues.asterisk.org
Thu Aug 21 16:13:29 CDT 2014


     [ https://issues.asterisk.org/jira/browse/ASTERISK-24258?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Steven T. Wheeler updated ASTERISK-24258:
-----------------------------------------

    Description: 
One of our 1.8.21 servers experienced a segmentation fault while a user was checking their voicemail using app_voicemail. The segfault happened in {{ast_variable_update}} ({{config.c:911}}), which dereferences {{category->root}} unconditionally, and the {{category}} argument it received was NULL ({{category=0x0}} in frame #0 below).

In the GDB output you can see that the local {{msg_cat}} in {{vm_forwardoptions}} is NULL ({{msg_cat = 0x0}}); it is the return value of {{ast_category_get(msg_cfg, "message")}} and is passed straight into {{ast_variable_update}} without a NULL check. Presumably {{ast_category_get}} returns NULL when the message's metadata file ({{textfile}}, here {{.../INBOX/msg0000.txt}}) has no {{[message]}} section, e.g. because it is empty, truncated or otherwise malformed; I was not able to confirm the file contents after the crash. I don't know enough about the Asterisk source to know whether a missing category is a valid state here, but either the caller should check {{msg_cat}} for NULL before calling {{ast_variable_update}} (skipping the duration update and the {{ast_config_text_file_save}}), or {{ast_variable_update}} should reject a NULL {{category}} and return non-zero instead of dereferencing it -- ideally both. Note that a NULL dereference here takes down the whole Asterisk process, not just this call, so a single malformed voicemail metadata file is enough to cause an outage.

GDB Output (note: this is an optimised build -- see {{<value optimized out>}} -- and the argument names gdb prints for frame #1 do not match the {{vm_forwardoptions}} signature quoted below, e.g. {{context=}} holds what the source calls {{curdir}}; treat values such as {{is_new_message=2138020224}} as a debug-info artefact rather than real inputs):
{noformat}
(gdb) bt full
#0  ast_variable_update (category=0x0, variable=0x7fc585c74fce "duration", value=0x7fc57f700980 "19", match=0x0, object=0) at config.c:911
        cur = <value optimized out>
        prev = 0x0
        newer = 0x0
#1  0x00007fc585c6ef4d in vm_forwardoptions (chan=0x7fc574d66788, context=0x7fc57f700c50 "/var/spool/asterisk/voicemail/company-VOICEMAIL/101/INBOX", vms=0x7fc57f700b60, sender=0x7fc57f707c80,
    is_new_message=2138020224, record_gain=0 '\000', urgent=0, fmt=0x7fc585e7f300 "wav49|gsm|wav") at app_voicemail.c:6981
        msg_cat = 0x0
        duration_buf = "19\000\177\305\177\000\000\215\307q", <incomplete sequence \315>
        msgfile = "/var/spool/asterisk/voicemail/company-VOICEMAIL/101/INBOX/msg0000", '\000' <repeats 3013 times>"\220, \274o\177\305\177\000\000\200\274o\177\305\177\000\000\000\000\000\000\000\000\000\000@\276o\177\305\177\000\000\000OY\000\000\000\000\000'\244o\315\305\177\000\000\000OY", '\000' <repeats 13 times>"\205, [\005p\304\177", '\000' <repeats 42 times>, "p\273o\177\305\177\000\000\000\000\000\000\000\000\000\000\376NY", '\000' <repeats 29 times>, "ܻo\177\305\177\000\000\370\273o\177\305\177\000\000\000\000\000\000\000\000\000\000\030\274o\177\305\177", '\000' <repeats 58 times>...
        cmd = 116
        retries = 0
        prepend_duration = 19
        backup_textfile = "/var/spool/asterisk/voicemail/company-VOICEMAIL/101/INBOX/msg0000-bak.txt", '\000' <repeats 4012 times>
        textfile = "/var/spool/asterisk/voicemail/company-VOICEMAIL/101/INBOX/msg0000.txt\000 at zo\177\305\177\000\000\000\000\000\000\000\000\000\000 \001\000\000\000\000\000\000 \001\000\000\000\000\000\000P}o\177\305\177", '\000' <repeats 18 times>"\224, \002Y\000\000\000\000\000\030\000\000\000\060\000\000\000 ~o\177\305\177\000\000`}o\177\305\177\000\000`{o\177\305\177\000\000\240zo\177\305\177", '\000' <repeats 18 times>"\200, \002p\177\305\177\000\000\003\000\000\000\000\000\000\000\200\177o\177\305\177\000\000\000\000\000\000\000\000\000\000"...
        msg_cfg = 0x7fc4700396b0
        zero_gain = 0 '\000'
        vm_fmts = 0x7fc585e7f300 "wav49|gsm|wav"
        backup = "/var/spool/asterisk/voicemail/company-VOICEMAIL/101/INBOX/msg0000-bak", '\000' <repeats 4016 times>
        config_flags = {flags = 4}
        duration_str = <value optimized out>
        already_recorded = 1
...
{noformat}

From app_voicemail.c (1.8.21; only the relevant part of {{vm_forwardoptions}} is shown):
{noformat}
   6881 static int vm_forwardoptions(struct ast_channel *chan, struct ast_vm_user *vmu, char *curdir, int curmsg, char *vm_fmts,
   6882                         char *context, signed char record_gain, long *duration, struct vm_state *vms, char *flag)
   6883 {
...
   6973                         if (prepend_duration) {
   6974                                 struct ast_category *msg_cat;
   6975                                 /* need enough space for a maximum-length message duration */
   6976                                 char duration_buf[12];
   6977
   6978                                 *duration += prepend_duration;
   6979                                 msg_cat = ast_category_get(msg_cfg, "message");
   6980                                 snprintf(duration_buf, 11, "%ld", *duration);
   6981                                 if (!ast_variable_update(msg_cat, "duration", duration_buf, NULL, 0)) {
   6982                                         ast_config_text_file_save(textfile, msg_cfg, "app_voicemail");
   6983                                 }
   6984                         }
{noformat}

From config.c (the loop at line 911 reads {{category->root}} with no NULL check):
{noformat}
    906 int ast_variable_update(struct ast_category *category, const char *variable,
    907                                                 const char *value, const char *match, unsigned int object)
    908 {
    909         struct ast_variable *cur, *prev=NULL, *newer=NULL;
    910
    911         for (cur = category->root; cur; prev = cur, cur = cur->next) {
{noformat}


  was:
One of our 1.8.21 servers experienced a segmentation fault while a user was checking their voicemail using app_voicemail. I believe that the segfault happened in {{ast_variable_update}} because the {{category}} variable was null.

In the GDB output you can see that the {{msg_cat}} variable is null. Which is then passed into {{ast_variable_update}}. I don't know enough about the Asterisk source to know if that is a valid value, perhaps a call to {{ast_category_exist}} should happen first? Or maybe we should check for a null value?

GDB Output:
{noformat}
(gdb) bt full
#0  ast_variable_update (category=0x0, variable=0x7fc585c74fce "duration", value=0x7fc57f700980 "19", match=0x0, object=0) at config.c:911
        cur = <value optimized out>
        prev = 0x0
        newer = 0x0
#1  0x00007fc585c6ef4d in vm_forwardoptions (chan=0x7fc574d66788, context=0x7fc57f700c50 "/var/spool/asterisk/voicemail/midwestDisability-VOICEMAIL/101/INBOX", vms=0x7fc57f700b60, sender=0x7fc57f707c80,
    is_new_message=2138020224, record_gain=0 '\000', urgent=0, fmt=0x7fc585e7f300 "wav49|gsm|wav") at app_voicemail.c:6981
        msg_cat = 0x0
        duration_buf = "19\000\177\305\177\000\000\215\307q", <incomplete sequence \315>
        msgfile = "/var/spool/asterisk/voicemail/midwestDisability-VOICEMAIL/101/INBOX/msg0000", '\000' <repeats 3013 times>"\220, \274o\177\305\177\000\000\200\274o\177\305\177\000\000\000\000\000\000\000\000\000\000@\276o\177\305\177\000\000\000OY\000\000\000\000\000'\244o\315\305\177\000\000\000OY", '\000' <repeats 13 times>"\205, [\005p\304\177", '\000' <repeats 42 times>, "p\273o\177\305\177\000\000\000\000\000\000\000\000\000\000\376NY", '\000' <repeats 29 times>, "ܻo\177\305\177\000\000\370\273o\177\305\177\000\000\000\000\000\000\000\000\000\000\030\274o\177\305\177", '\000' <repeats 58 times>...
        cmd = 116
        retries = 0
        prepend_duration = 19
        backup_textfile = "/var/spool/asterisk/voicemail/midwestDisability-VOICEMAIL/101/INBOX/msg0000-bak.txt", '\000' <repeats 4012 times>
        textfile = "/var/spool/asterisk/voicemail/midwestDisability-VOICEMAIL/101/INBOX/msg0000.txt\000 at zo\177\305\177\000\000\000\000\000\000\000\000\000\000 \001\000\000\000\000\000\000 \001\000\000\000\000\000\000P}o\177\305\177", '\000' <repeats 18 times>"\224, \002Y\000\000\000\000\000\030\000\000\000\060\000\000\000 ~o\177\305\177\000\000`}o\177\305\177\000\000`{o\177\305\177\000\000\240zo\177\305\177", '\000' <repeats 18 times>"\200, \002p\177\305\177\000\000\003\000\000\000\000\000\000\000\200\177o\177\305\177\000\000\000\000\000\000\000\000\000\000"...
        msg_cfg = 0x7fc4700396b0
        zero_gain = 0 '\000'
        vm_fmts = 0x7fc585e7f300 "wav49|gsm|wav"
        backup = "/var/spool/asterisk/voicemail/midwestDisability-VOICEMAIL/101/INBOX/msg0000-bak", '\000' <repeats 4016 times>
        config_flags = {flags = 4}
        duration_str = <value optimized out>
        already_recorded = 1
...
{noformat}

From app_voicemail.c
{noformat}
   6881 static int vm_forwardoptions(struct ast_channel *chan, struct ast_vm_user *vmu, char *curdir, int curmsg, char *vm_fmts,
   6882                         char *context, signed char record_gain, long *duration, struct vm_state *vms, char *flag)
   6883 {
...
   6973                         if (prepend_duration) {
   6974                                 struct ast_category *msg_cat;
   6975                                 /* need enough space for a maximum-length message duration */
   6976                                 char duration_buf[12];
   6977
   6978                                 *duration += prepend_duration;
   6979                                 msg_cat = ast_category_get(msg_cfg, "message");
   6980                                 snprintf(duration_buf, 11, "%ld", *duration);
   6981                                 if (!ast_variable_update(msg_cat, "duration", duration_buf, NULL, 0)) {
   6982                                         ast_config_text_file_save(textfile, msg_cfg, "app_voicemail");
   6983                                 }
   6984                         }
{noformat}

From config.c
{noformat}
    906 int ast_variable_update(struct ast_category *category, const char *variable,
    907                                                 const char *value, const char *match, unsigned int object)
    908 {
    909         struct ast_variable *cur, *prev=NULL, *newer=NULL;
    910
    911         for (cur = category->root; cur; prev = cur, cur = cur->next) {
{noformat}



> Segmentation fault in ast_variable_update when using app_voicemail.
> -------------------------------------------------------------------
>
>                 Key: ASTERISK-24258
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-24258
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Applications/app_voicemail, Core/General
>    Affects Versions: 1.8.21.0
>         Environment: CentOS 6.4
>            Reporter: Steven T. Wheeler
>
> One of our 1.8.21 servers experienced a segmentation fault while a user was checking their voicemail using app_voicemail. The segfault happened in {{ast_variable_update}} ({{config.c:911}}), which dereferences {{category->root}} unconditionally, and the {{category}} argument it received was NULL ({{category=0x0}} in frame #0 below).
> In the GDB output you can see that the local {{msg_cat}} in {{vm_forwardoptions}} is NULL ({{msg_cat = 0x0}}); it is the return value of {{ast_category_get(msg_cfg, "message")}} and is passed straight into {{ast_variable_update}} without a NULL check. Presumably {{ast_category_get}} returns NULL when the message's metadata file ({{textfile}}, here {{.../INBOX/msg0000.txt}}) has no {{[message]}} section, e.g. because it is empty, truncated or otherwise malformed; I was not able to confirm the file contents after the crash. Either the caller should check {{msg_cat}} for NULL before calling {{ast_variable_update}} (skipping the duration update and the {{ast_config_text_file_save}}), or {{ast_variable_update}} should reject a NULL {{category}} and return non-zero instead of dereferencing it -- ideally both. A NULL dereference here takes down the whole Asterisk process, not just this call, so a single malformed voicemail metadata file is enough to cause an outage.
> GDB Output:
> {noformat}
> (gdb) bt full
> #0  ast_variable_update (category=0x0, variable=0x7fc585c74fce "duration", value=0x7fc57f700980 "19", match=0x0, object=0) at config.c:911
>         cur = <value optimized out>
>         prev = 0x0
>         newer = 0x0
> #1  0x00007fc585c6ef4d in vm_forwardoptions (chan=0x7fc574d66788, context=0x7fc57f700c50 "/var/spool/asterisk/voicemail/company-VOICEMAIL/101/INBOX", vms=0x7fc57f700b60, sender=0x7fc57f707c80,
>     is_new_message=2138020224, record_gain=0 '\000', urgent=0, fmt=0x7fc585e7f300 "wav49|gsm|wav") at app_voicemail.c:6981
>         msg_cat = 0x0
>         duration_buf = "19\000\177\305\177\000\000\215\307q", <incomplete sequence \315>
>         msgfile = "/var/spool/asterisk/voicemail/company-VOICEMAIL/101/INBOX/msg0000", '\000' <repeats 3013 times>"\220, \274o\177\305\177\000\000\200\274o\177\305\177\000\000\000\000\000\000\000\000\000\000@\276o\177\305\177\000\000\000OY\000\000\000\000\000'\244o\315\305\177\000\000\000OY", '\000' <repeats 13 times>"\205, [\005p\304\177", '\000' <repeats 42 times>, "p\273o\177\305\177\000\000\000\000\000\000\000\000\000\000\376NY", '\000' <repeats 29 times>, "ܻo\177\305\177\000\000\370\273o\177\305\177\000\000\000\000\000\000\000\000\000\000\030\274o\177\305\177", '\000' <repeats 58 times>...
>         cmd = 116
>         retries = 0
>         prepend_duration = 19
>         backup_textfile = "/var/spool/asterisk/voicemail/company-VOICEMAIL/101/INBOX/msg0000-bak.txt", '\000' <repeats 4012 times>
>         textfile = "/var/spool/asterisk/voicemail/company-VOICEMAIL/101/INBOX/msg0000.txt\000 at zo\177\305\177\000\000\000\000\000\000\000\000\000\000 \001\000\000\000\000\000\000 \001\000\000\000\000\000\000P}o\177\305\177", '\000' <repeats 18 times>"\224, \002Y\000\000\000\000\000\030\000\000\000\060\000\000\000 ~o\177\305\177\000\000`}o\177\305\177\000\000`{o\177\305\177\000\000\240zo\177\305\177", '\000' <repeats 18 times>"\200, \002p\177\305\177\000\000\003\000\000\000\000\000\000\000\200\177o\177\305\177\000\000\000\000\000\000\000\000\000\000"...
>         msg_cfg = 0x7fc4700396b0
>         zero_gain = 0 '\000'
>         vm_fmts = 0x7fc585e7f300 "wav49|gsm|wav"
>         backup = "/var/spool/asterisk/voicemail/company-VOICEMAIL/101/INBOX/msg0000-bak", '\000' <repeats 4016 times>
>         config_flags = {flags = 4}
>         duration_str = <value optimized out>
>         already_recorded = 1
> ...
> {noformat}
> From app_voicemail.c
> {noformat}
>    6881 static int vm_forwardoptions(struct ast_channel *chan, struct ast_vm_user *vmu, char *curdir, int curmsg, char *vm_fmts,
>    6882                         char *context, signed char record_gain, long *duration, struct vm_state *vms, char *flag)
>    6883 {
> ...
>    6973                         if (prepend_duration) {
>    6974                                 struct ast_category *msg_cat;
>    6975                                 /* need enough space for a maximum-length message duration */
>    6976                                 char duration_buf[12];
>    6977
>    6978                                 *duration += prepend_duration;
>    6979                                 msg_cat = ast_category_get(msg_cfg, "message");
>    6980                                 snprintf(duration_buf, 11, "%ld", *duration);
>    6981                                 if (!ast_variable_update(msg_cat, "duration", duration_buf, NULL, 0)) {
>    6982                                         ast_config_text_file_save(textfile, msg_cfg, "app_voicemail");
>    6983                                 }
>    6984                         }
> {noformat}
> From config.c
> {noformat}
>     906 int ast_variable_update(struct ast_category *category, const char *variable,
>     907                                                 const char *value, const char *match, unsigned int object)
>     908 {
>     909         struct ast_variable *cur, *prev=NULL, *newer=NULL;
>     910
>     911         for (cur = category->root; cur; prev = cur, cur = cur->next) {
> {noformat}


