[asterisk-bugs] [JIRA] (ASTERISK-25489) Crash while calling function iax2_frame_free

Asterisk Team (JIRA) noreply at issues.asterisk.org
Thu Oct 22 16:56:33 CDT 2015


    [ https://issues.asterisk.org/jira/browse/ASTERISK-25489?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=227994#comment-227994 ] 

Asterisk Team commented on ASTERISK-25489:
------------------------------------------

Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution.

A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report.

Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

> Crash while calling function iax2_frame_free
> --------------------------------------------
>
>                 Key: ASTERISK-25489
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-25489
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>    Affects Versions: 13.4.0
>         Environment: Ubuntu 14.4, x86 machine built from source.
>            Reporter: Y Ateya
>
> Periodically (every 1-3 days) I have the same crash on my asterisk. 
> {noformat}
> #0  0x00002b8899790cc9 in __GI_raise (sig=sig at entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
> #1  0x00002b88997940d8 in __GI_abort () at abort.c:89
> #2  0x00002b88997cd394 in __libc_message (do_abort=do_abort at entry=1, fmt=fmt at entry=0x2b88998dbb28 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
> #3  0x00002b88997d966e in malloc_printerr (ptr=<optimised out>, str=0x2b88998dbc58 "double free or corruption (out)", action=1) at malloc.c:4996
> #4  _int_free (av=<optimised out>, p=<optimised out>, have_lock=0) at malloc.c:3840
> #5  0x00002b8910a21ad9 in iax2_frame_free (fr=0x2b89b084d0e0) at chan_iax2.c:2149
> #6  __attempt_transmit (data=0x2b89b084d0e0) at chan_iax2.c:3647
> #7  0x00002b8910a3fadd in iax2_process_thread (data=data at entry=0x1a06d10) at chan_iax2.c:12534
> #8  0x00000000005db08a in dummy_start (data=<optimised out>) at utils.c:1237
> #9  0x00002b8898df3182 in start_thread (arg=0x2b8918a11700) at pthread_create.c:312
> #10 0x00002b889985447d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
> {noformat}
> Just before this crash, the messages log shows this error couple of times:
> {noformat}
> [2015-10-20 08:05:13.292] NOTICE[24401][C-000b5c9c] res_rtp_asterisk.c: Unknown RTP codec 48 received from '12.22.16.91:22822'
> [2015-10-20 08:05:13.340] WARNING[24401][C-000b5c9c] res_rtp_asterisk.c: RTP Read too short (32, expecting 48
> [2015-10-20 08:05:13.410] WARNING[24401][C-000b5c9c] res_rtp_asterisk.c: RTP Read too short (32, expecting 48
> [2015-10-20 08:05:13.484] WARNING[24401][C-000b5c9c] res_rtp_asterisk.c: RTP Read too short (42, expecting 48
> [2015-10-20 08:05:13.568] NOTICE[24401][C-000b5c9c] res_rtp_asterisk.c: Unknown RTP codec 48 received from '12.22.16.91:22822'
> [2015-10-20 08:05:13.650] NOTICE[24401][C-000b5c9c] res_rtp_asterisk.c: Unknown RTP codec 48 received from '12.22.16.91:22822'
> [2015-10-20 08:05:13.652] ERROR[24410][C-000b5ca4] chan_iax2.c: Unable to schedule iax2 callno 23820 destruction?!!  Destroying immediately.
> [2015-10-20 08:05:13.722] WARNING[24401][C-000b5c9c] res_rtp_asterisk.c: RTP Read too short (42, expecting 48
> [2015-10-20 08:05:13.804] NOTICE[24401][C-000b5c9c] res_rtp_asterisk.c: Unknown RTP codec 48 received from '12.22.16.91:22822'
> [2015-10-20 08:05:13.894] NOTICE[24401][C-000b5c9c] res_rtp_asterisk.c: Unknown RTP codec 48 received from '12.22.16.91:22822'
> [2015-10-20 08:05:13.954] ERROR[24359][C-000b5c75] chan_iax2.c: Unable to schedule iax2 callno 20795 destruction?!!  Destroying immediately.
> [2015-10-20 08:05:13.980] NOTICE[24401][C-000b5c9c] res_rtp_asterisk.c: Unknown RTP codec 48 received from '12.22.16.91:22822'
> [2015-10-20 08:05:14.057] NOTICE[24401][C-000b5c9c] res_rtp_asterisk.c: Unknown RTP codec 48 received from '12.22.16.91:22822'
> [2015-10-20 08:05:14.536] NOTICE[24401][C-000b5c9c] res_rtp_asterisk.c: Unknown RTP codec 48 received from '12.22.16.91:22822'
> [2015-10-20 08:05:14.548] ERROR[24502][C-000b5cde] chan_iax2.c: Unable to schedule iax2 callno 20140 destruction?!!  Destroying immediately.
> [2015-10-20 08:05:14.608] NOTICE[24401][C-000b5c9c] res_rtp_asterisk.c: Unknown RTP codec 48 received from '12.22.16.91:22822'
> [2015-10-20 08:05:14.919] ERROR[24372][C-000b5c82] chan_iax2.c: Unable to schedule iax2 callno 29778 destruction?!!  Destroying immediately.
> [2015-10-20 08:05:14.922] ERROR[22813][C-000b57dd] chan_iax2.c: Unable to schedule iax2 callno 28017 destruction?!!  Destroying immediately.
> [2015-10-20 08:05:15.293] ERROR[24351][C-000b5c70] chan_iax2.c: Unable to schedule iax2 callno 25656 destruction?!!  Destroying immediately.
> [2015-10-20 08:05:15.319] ERROR[24266][C-000b5c14] chan_iax2.c: Unable to schedule iax2 callno 30734 destruction?!!  Destroying immediately.
> {noformat}
> Probably it is caused by this code segment in `channels/iax2/parser.c`
> {code}
> 	if (!fr->cacheable || !(iax_frames = ast_threadstorage_get(&frame_cache, sizeof(*iax_frames)))) {
> 		ast_free(fr);
> 		return;
> 	}
> {code}
> At the time of crash the system has a lot of memory (not out of memory), cpu usage was normal. I tried to re-produce the bug on test server but I failed. It only happens on production servers.



--
This message was sent by Atlassian JIRA
(v6.2#6252)



More information about the asterisk-bugs mailing list