[asterisk-bugs] [JIRA] (ASTERISK-22805) res_rtp_asterisk: Crash when calling BIO_ctrl_pending in dtls_srtp_check_pending when dialed by JSSIP

Fidel Gonzalez (JIRA) noreply at issues.asterisk.org
Thu Feb 5 10:37:35 CST 2015


    [ https://issues.asterisk.org/jira/browse/ASTERISK-22805?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=224769#comment-224769 ] 

Fidel Gonzalez commented on ASTERISK-22805:
-------------------------------------------

Hi 

I have the same crash;

Dial from  Chrome <Version 40.0.2214.94 m>  using SIPML5 demo  <Local installation >


======Asterisk 11.0.1 + patch============  

(gdb) bt
#0  0x00007f86c8000138 in ?? ()
#1  0x00007f86d4d54399 in BIO_read () from /usr/lib64/libcrypto.so.10
#2  0x00007f8693c845af in dtls_srtp_check_pending (instance=0x7f86c80508b8, rtp=0x7f86c8054e00) at res_rtp_asterisk.c:1231
#3  0x00007f8693c84df4 in __rtp_recvfrom (instance=0x7f86c80508b8, buf=0x7f86c8054fb8, size=8192, flags=0, sa=0x7f8689cc6c60, rtcp=0) at res_rtp_asterisk.c:1389
#4  0x00007f8693c851f8 in rtp_recvfrom (instance=0x7f86c80508b8, buf=0x7f86c8054fb8, size=8192, flags=0, sa=0x7f8689cc6c60) at res_rtp_asterisk.c:1475

.......................................................................................
(gdb) f 2
#2  0x00007f8693c845af in dtls_srtp_check_pending (instance=0x7f86c80508b8, rtp=0x7f86c8054e00) at res_rtp_asterisk.c:1231
1231                    out = BIO_read(rtp->write_bio, outgoing, sizeof(outgoing));
(gdb) p * rtp->write_bio
$1 = {method = 0x7f86c8010190, callback = 0, cb_arg = 0x0, init = 1, shutdown = 1, flags = 0, retry_reason = 0, num = -1, ptr = 0x0, next_bio = 0x0, prev_bio = 0x0, references = 0, num_read = 0, num_write = 0, ex_data = {sk = 0x0,
    dummy = 0}}


(gdb) bt full

#2  0x00007f8693c845af in dtls_srtp_check_pending (instance=0x7f86c80508b8, rtp=0x7f86c8054e00) at res_rtp_asterisk.c:1231
        outgoing = warning: Range for type (null) has invalid bounds 0..-3
warning: Range for type (null) has invalid bounds 0..-3
warning: Range for type (null) has invalid bounds 0..-3
warning: Range for type (null) has invalid bounds 0..-3
warning: Range for type (null) has invalid bounds 0..-3
warning: Range for type (null) has invalid bounds 0..-3
warning: Range for type (null) has invalid bounds 0..-3
0x7f8689cc6450 "port"
        out = 140727337391
        remote_address = {ss = {ss_family = 2, __ss_align = 0, __ss_padding = '\000' <repeats 111 times>}, len = 16}
        ice = 32646
        pending = 18446744073709551614
#3  0x00007f8693c84df4 in __rtp_recvfrom (instance=0x7f86c80508b8, buf=0x7f86c8054fb8, size=8192, flags=0, sa=0x7f8689cc6c60, rtcp=0) at res_rtp_asterisk.c:1389
        in = 0x7f86c8054fb8 ""
        len = 132
        rtp = 0x7f86c8054e00
        srtp = 0x7f86c8042c10
        __PRETTY_FUNCTION__ = "__rtp_recvfrom"


=========== Asterisk 11.5.0 =================

(gdb) bt
#0  0x00007f972401f8a0 in ?? ()
#1  0x00007f974567d37f in BIO_read () from /usr/lib64/libcrypto.so.10
#2  0x00007f970561e638 in dtls_srtp_check_pending (instance=0x7f97240454b8, rtp=0x7f972404a6c0) at res_rtp_asterisk.c:1254
#3  0x00007f970561ee7d in __rtp_recvfrom (instance=0x7f97240454b8, buf=0x7f972404a878, size=8192, flags=0, sa=0x7f96fb760c70, rtcp=0) at res_rtp_asterisk.c:1411
#4  0x00007f970561f297 in rtp_recvfrom (instance=0x7f97240454b8, buf=0x7f972404a878, size=8192, flags=0, sa=0x7f96fb760c70) at res_rtp_asterisk.c:1497

(gdb) f 2
#2  0x00007f970561e638 in dtls_srtp_check_pending (instance=0x7f97240454b8, rtp=0x7f972404a6c0) at res_rtp_asterisk.c:1254
1254                    out = BIO_read(rtp->write_bio, outgoing, sizeof(outgoing));
(gdb) p * rtp->write_bio
$1 = {method = 0x7f9724035bd0, callback = 0x7f972401f8a0, cb_arg = 0x0, init = 1, shutdown = 1, flags = 0, retry_reason = 0, num = -1, ptr = 0x0, next_bio = 0x0, prev_bio = 0x0, references = 0, num_read = 0, num_write = 0, ex_data = {
    sk = 0x0, dummy = 1423153344}}
(gdb)


(gdb) bt full
#0  0x00007f972401f8a0 in ?? ()
No symbol table info available.
#1  0x00007f974567d37f in BIO_read () from /usr/lib64/libcrypto.so.10
No symbol table info available.
#2  0x00007f970561e638 in dtls_srtp_check_pending (instance=0x7f97240454b8, rtp=0x7f972404a6c0) at res_rtp_asterisk.c:1254
        outgoing = warning: Range for type (null) has invalid bounds 0..-3
warning: Range for type (null) has invalid bounds 0..-3
warning: Range for type (null) has invalid bounds 0..-3
warning: Range for type (null) has invalid bounds 0..-3
warning: Range for type (null) has invalid bounds 0..-3
warning: Range for type (null) has invalid bounds 0..-3
warning: Range for type (null) has invalid bounds 0..-3
0x7f96fb760470 "\363%,\020\227\177"
        out = 138623816768
        remote_address = {ss = {ss_family = 2, __ss_align = 0, __ss_padding = '\000' <repeats 111 times>}, len = 16}
        ice = 32662
        pending = 18446744073709551614


> res_rtp_asterisk: Crash when calling BIO_ctrl_pending in dtls_srtp_check_pending when dialed by JSSIP 
> ------------------------------------------------------------------------------------------------------
>
>                 Key: ASTERISK-22805
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-22805
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Channels/chan_sip/General, Resources/res_rtp_asterisk
>    Affects Versions: 11.5.1, 11.6.0, 11.7.0
>         Environment: Linux 2.6.32-358.18.1.el6.x86_64, OpenSSL 1.0.1e-fips 11 Feb 2013, srtp 1.4.4
>            Reporter: Dmitry Burilov
>            Severity: Critical
>         Attachments: backtrace2.txt, backtrace.txt, bt_udptl.txt, coredump.tar.bz2, sip.conf
>
>
> Dial from Chrome 30.0.1599.101m via jssip application crash asterisk11.
> -----------gdb output ----------------
> Core was generated by `/usr/sbin/asterisk -f -vvvg -c'.
> Program terminated with signal 11, Segmentation fault.
> #0  0x00007f1353750875 in BIO_ctrl (b=0x7f132403bd80, cmd=10, larg=0, parg=0x0) at bio_lib.c:367
> 367			((ret=cb(b,BIO_CB_CTRL,parg,cmd,larg,1L)) <= 0))
> ----------------------------
> ----------- and ------------
> #0  BIO_ctrl (b=0x7f824404ec30, cmd=10, larg=0, parg=0x0) at bio_lib.c:370
> 370		ret=b->method->ctrl(b,cmd,larg,parg);
> [?1034h(gdb) frame 1
> #1  0x00007f82d3ac3702 in dtls_srtp_check_pending (instance=0x7f824403e158, rtp=0x7f8244043360) at res_rtp_asterisk.c:1258
> 1258		size_t pending = BIO_ctrl_pending(rtp->write_bio);
> (gdb) info frame 1
> Stack frame at 0x7f82cc914dd0:
>  rip = 0x7f82d3ac3702 in dtls_srtp_check_pending (res_rtp_asterisk.c:1258); saved rip 0x7f82d3ac40e6
>  called by frame at 0x7f82cc914f20, caller of frame at 0x7f82cc914cd0
>  source language c.
>  Arglist at 0x7f82cc914dc0, args: instance=0x7f824403e158, rtp=0x7f8244043360
>  Locals at 0x7f82cc914dc0, Previous frame's sp is 0x7f82cc914dd0
>  Saved registers:
>   rbx at 0x7f82cc914db0, rbp at 0x7f82cc914dc0, r12 at 0x7f82cc914db8, rip at 0x7f82cc914dc8
> ----------------------------



--
This message was sent by Atlassian JIRA
(v6.2#6252)



More information about the asterisk-bugs mailing list