[asterisk-bugs] [JIRA] (ASTERISK-19143) Core dump when adding dialplan extension

cloos (JIRA) noreply at issues.asterisk.org
Sat Jul 26 23:51:57 CDT 2014


    [ https://issues.asterisk.org/jira/browse/ASTERISK-19143?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=220960#comment-220960 ] 

cloos commented on ASTERISK-19143:
----------------------------------

The segv only occurs when there is a space in the extension string.

It looks like at some point a struct ast_exten.exten string gets stored w/o a trailing NULL.

When __ast_str_helper() tries to determine how long the resulting string will be, it calls vsnprintf, which follows the unterminated "string" data past the end of allocation, causing a SEGV.

(At least a missing NULL is the most likely reason; changing the %s to %p, to see the address of the char*s, showed reasonable values. So it isn’t that the va itself is outside of allocated memory.)

pbx.c has this warning in pbx_builtin_setvar():

“Please avoid unnecessary spaces on variables as it may lead to unexpected results”

Since the segv only occurred when a new exten with a space duplicated an existing one, one of the functions which skip spaces must fail to include a proper termination, a race allows the terminator to get overwritten, or something should be setting the deleted flag but fails to do so.

(I hope I edited that correctly; this *tiny* text box is most painful.)

> Core dump when adding dialplan extension
> ----------------------------------------
>
>                 Key: ASTERISK-19143
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-19143
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Core/Configuration
>    Affects Versions: 1.8.7.2, 1.8.8.0
>         Environment: CentOS 5.5
>            Reporter: Steven T. Wheeler
>         Attachments: backtrace-20120305-1136.txt, backtrace-20120305-1138.txt, backtrace.txt, full_debug.log, full.log
>
>
> asterisk -rx "dialplan add extension steventest2-swheeler,hint,SIP/steventest2-swheeler_softphone&Custom:unavailable into blf replace"
> Executing this command will occasionally cause asterisk to segfault.  From what I can tell in the back trace the issue seems to be related to logging the message "Found duplicate exten. Had %s found %s".  Please see the attached back trace and debug logs for more information.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
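
The failure mode hypothesized in the comment above is a "%s" argument with no terminator being followed past its allocation during the length-measuring format pass. One defensive pattern for it follows, as an added example that is not Asterisk code and not from the reporter or commenter. The function names, buffer contents and capacities are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DUP_FMT "Found duplicate exten. Had %.*s found %.*s%s"

/* Length of the text in buf without reading past cap bytes.
 * *terminated is set to 0 when no NUL byte exists within cap. */
static size_t bounded_len(const char *buf, size_t cap, int *terminated)
{
    const char *nul = memchr(buf, '\0', cap);
    *terminated = (nul != NULL);
    return nul ? (size_t)(nul - buf) : cap;
}

/* Hypothetical helper: builds the duplicate-exten message with a sizing
 * pass followed by a write pass. "%.*s" caps how far each argument is read,
 * so a missing terminator cannot pull the formatter past the buffer.
 * Capacities are assumed small enough to fit in an int. Caller frees. */
static char *format_duplicate(const char *had, size_t had_cap,
                              const char *found, size_t found_cap)
{
    int t1, t2;
    int l1 = (int)bounded_len(had, had_cap, &t1);
    int l2 = (int)bounded_len(found, found_cap, &t2);
    const char *flag = (t1 && t2) ? "" : " [unterminated]";

    int need = snprintf(NULL, 0, DUP_FMT, l1, had, l2, found, flag);
    if (need < 0)
        return NULL;
    char *out = malloc((size_t)need + 1);
    if (out)
        snprintf(out, (size_t)need + 1, DUP_FMT, l1, had, l2, found, flag);
    return out;
}

int main(void)
{
    /* Constructed sample: a 4-byte field filled completely, no NUL. */
    char raw[4] = { '1', '0', '0', '1' };
    char *msg = format_duplicate(raw, sizeof raw, "100", sizeof "100");
    if (!msg)
        return 1;
    puts(msg);
    free(msg);
    return 0;
}
```

The "[unterminated]" marker turns the corruption into a log line that can be searched for instead of a crash in the logger.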
