[asterisk-bugs] [JIRA] (ASTERISK-25170) Segfault in call to vsnprintf from astman_append

xavier Collet (JIRA) noreply at issues.asterisk.org
Thu Jun 18 10:00:33 CDT 2015 

xavier Collet created ASTERISK-25170:
----------------------------------------

             Summary: Segfault in call to vsnprintf from astman_append
                 Key: ASTERISK-25170
                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-25170
             Project: Asterisk
          Issue Type: Bug
      Security Level: None
          Components: Applications/app_queue, Core/ManagerInterface
    Affects Versions: 11.17.0
         Environment: VM debian 
call-center 
            Reporter: xavier Collet


We had a segfault on an asterisk 11.17.0. Here's the backtrace of the thread which caused the segfault:

{code}
#0  0xb76b6da6 in _IO_default_xsputn () from /lib/i386-linux-gnu/libc.so.6
#1  0xb7689b63 in vfprintf () from /lib/i386-linux-gnu/libc.so.6
#2  0xb7731fc4 in __vsnprintf_chk () from /lib/i386-linux-gnu/libc.so.6
#3  0x081f1b26 in vsnprintf (__ap=0xb1832618 "rݖ\264$\016k\262\344\fk\262\324\rk\262\067y\341\265\001", __fmt=0xb5e18e50 "Event: QueueMember\r\nQueue: %s\r\nName: %s\r\nLocation: %s\r\nStateInterface: %s\r\nMembership: %s\r\nPenalty: %d\r\nCallsTaken: %d\r\nLastCall: %d\r\nStatus: %d\r\nPaused: %d\r\nSkills: %s\r\n%s\r\n", __n=<optimized out>, __s=<optimized out>) at /usr/include/i386-linux-gnu/bits/stdio2.h:78
#4  __ast_str_helper (buf=buf at entry=0xb18325ec, max_len=max_len at entry=0, append=append at entry=0, fmt=fmt at entry=0xb5e18e50 "Event: QueueMember\r\nQueue: %s\r\nName: %s\r\nLocation: %s\r\nStateInterface: %s\r\nMembership: %s\r\nPenalty: %d\r\nCallsTaken: %d\r\nLastCall: %d\r\nStatus: %d\r\nPaused: %d\r\nSkills: %s\r\n%s\r\n", ap=ap at entry=0xb1832618 "rݖ\264$\016k\262\344\fk\262\324\rk\262\067y\341\265\001") at strings.c:76
#5  0x08172729 in ast_str_set_va (ap=0xb1832618 "rݖ\264$\016k\262\344\fk\262\324\rk\262\067y\341\265\001", fmt=0xb5e18e50 "Event: QueueMember\r\nQueue: %s\r\nName: %s\r\nLocation: %s\r\nStateInterface: %s\r\nMembership: %s\r\nPenalty: %d\r\nCallsTaken: %d\r\nLastCall: %d\r\nStatus: %d\r\nPaused: %d\r\nSkills: %s\r\n%s\r\n", max_len=0, buf=0xb18325ec) at asterisk-11.17.0/include/asterisk/strings.h:803
#6  astman_append (s=s at entry=0xb1832cf8, fmt=fmt at entry=0xb5e18e50 "Event: QueueMember\r\nQueue: %s\r\nName: %s\r\nLocation: %s\r\nStateInterface: %s\r\nMembership: %s\r\nPenalty: %d\r\nCallsTaken: %d\r\nLastCall: %d\r\nStatus: %d\r\nPaused: %d\r\nSkills: %s\r\n%s\r\n") at manager.c:2268
#7  0xb5df3a69 in manager_queues_status (s=0xb1832cf8, m=0xb1832af4) at app_queue.c:10027
#8  0x0817b9d0 in process_message (s=s at entry=0xb1832cf8, m=m at entry=0xb1832af4) at manager.c:5284
#9  0x0817eec9 in do_message (s=0xb1832cf8) at manager.c:5497
#10 session_do (data=0xb4347a7c) at manager.c:5618
#11 0x081f68e3 in handle_tcptls_connection (data=data at entry=0xb4347a7c) at tcptls.c:684
#12 0x0820472f in dummy_start (data=0xb49fe0d0) at utils.c:1223
#13 0xb720d954 in start_thread () from /lib/i386-linux-gnu/libpthread.so.0
#14 0xb771ec8e in clone () from /lib/i386-linux-gnu/libc.so.6
{code}

The app_queue on this asterisk is slightly modified to add a "skill" attribute in the struct member, the attribute is an array, similar to the "interface" attribute.

This is not a systematic problem, i.e. there's a lot of AMI "queue status" done on this asterisk and it segfaulted only one time. We don't know how to reproduce it.

I have not included the whole backtrace since this happened on a production server and there is quite a lot of private information in it.

Thank you 



--
This message was sent by Atlassian JIRA
(v6.2#6252)

More information about the asterisk-bugs mailing list