[asterisk-bugs] [JIRA] (ASTERISK-27170) memory corruption probably related to operations involved into PickupChan

nappsoft (JIRA) noreply at issues.asterisk.org
Thu Aug 24 06:48:08 CDT 2017 

    [ https://issues.asterisk.org/jira/browse/ASTERISK-27170?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=238208#comment-238208 ] 

nappsoft commented on ASTERISK-27170:
-------------------------------------

One question as I did not yet manage to let the testsystem crash after making sure that hostnames in FROM headers can be resolved locally (about 500 times reproduced the test scenario): Is it possible that two threads can use the message_ip_updater code at the same time? On line 283 we have the following:

if (pj_strcmp2(&uri->host, "localhost") && pj_sockaddr_parse(pj_AF_UNSPEC(), 0, &uri->host, &ip) == PJ_SUCCESS) {

pj_sockaddr_parse seems to be using pj_sockaddr_in_set_str_addr which is using pj_gethostbyname which in our case is using gethostbyname which is not reentrant what means that it might not be threadsafe... However: musl internally is using gethostbyname2 which is using gethostbyname2_r internally for each call to gethostbyname, so this should not be an issue if it is working as expected.

However I might have found a possible reason for memory corruption there. The first free(h) doesn't look safe... does it?: 

struct hostent *gethostbyname2(const char *name, int af)
{
        static struct hostent *h;
        size_t size = 63;
        struct hostent *res;
        int err;
        do {
                free(h);
                h = malloc(size+=size+1);


> memory corruption probably related to operations involved into PickupChan
> -------------------------------------------------------------------------
>
>                 Key: ASTERISK-27170
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-27170
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: PBX/General
>    Affects Versions: 13.16.0, 13.17.0
>         Environment: 64bit linux musl 1.1.16-git
>            Reporter: nappsoft
>            Assignee: Unassigned
>         Attachments: backtrace4.txt, crashlog.txt, trace_cel_crash.txt, trace.txt, valgrind2.txt, valgrind4.txt, vgcore.24994-brief.txt, vgcore.24994-full.txt, vgcore.24994-locks.txt, vgcore.24994-thread1.txt
>
>
> From time to time asterisk crashes when a component is trying to allocate memory. According to the sip traces this seem to happen mainly soon (sometimes some milliseconds, sometimes a few seconds) after a call in which a PickupChan operation was involved has been finished.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

More information about the asterisk-bugs mailing list