[asterisk-bugs] [JIRA] (ASTERISK-26373) channel: Crash when appending cap during dialing to a channel, when built with debugging compiler options
Corey Farrell (JIRA)
noreply at issues.asterisk.org
Tue Dec 19 19:59:07 CST 2017
[ https://issues.asterisk.org/jira/browse/ASTERISK-26373?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=240892#comment-240892 ]
Corey Farrell commented on ASTERISK-26373:
------------------------------------------
MALLOC_DEBUG causes memory to be overwritten during the call to ast_free. It sounds like you may be using memory after it has been freed; MALLOC_DEBUG actually makes use after free much more likely to cause a crash.
A reference count debugging log might be helpful. The objects you are dealing with are reference counted; I believe we're looking for something releasing a reference that it didn't have, so the object got freed while it was still in use.
https://wiki.asterisk.org/wiki/display/AST/Reference+Count+Debugging
> channel: Crash when appending cap during dialing to a channel, when built with debugging compiler options
> ---------------------------------------------------------------------------------------------------------
>
> Key: ASTERISK-26373
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-26373
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: Core/Channels
> Affects Versions: 13.11.2
> Environment: Virtual Machine on ESXi6 (VM Version 11, 4vCPU, 16Gb RAM), OS: CentOS release 6.8 (Final) x86_84
> Reporter: Denis S.Davydov
> Assignee: Unassigned
> Attachments: 20160913_1457.log, bt_20160927.log, full_20160913_1457.txt, full_20160927.log, full_filtered_20160927.log, mmlog_20160913, queue_20160927.log
>
>
> Sep 13 14:57:23 pbx kernel: asterisk[18303] general protection ip:526f83 sp:7fa6e1854340 error:0 in asterisk[400000+370000]
> Segmentation fault in ast_format_cap_append_from_cap.
> {code}
> Program terminated with signal 11, Segmentation fault.
> #0 0x0000000000526f83 in ast_format_cap_append_from_cap (dst=0x7fa731384ab0, src=0x7fa6d5098350, type=AST_MEDIA_TYPE_UNKNOWN) at format_cap.c:308
> 308 struct format_cap_framed *framed = AST_VECTOR_GET(&src->preference_order, idx);
> #0 0x0000000000526f83 in ast_format_cap_append_from_cap (dst=0x7fa731384ab0, src=0x7fa6d5098350, type=AST_MEDIA_TYPE_UNKNOWN) at format_cap.c:308
> __idx = 0
> framed = 0x7fa6d512f190
> idx = 0
> res = 0
> #1 0x00000000004c2e53 in ast_request (type=0x7fa6e1854580 "SIP", request_cap=0x7fa6d5098350, assignedids=0x0, requestor=0x7fa6d54b3068, addr=0x7fa6e1854584 "3112", cause=0x7fa6e1854680) at channel.c:6068
> tmp_cap = 0x7fa7313bf700
> tmp_fmt = 0xbc67d0
> best_audio_fmt = 0xbc67d0
> joint_cap = 0x7fa731384ab0
> chan = 0x17a62c0
> c = 0x7fa6e1855fc0
> res = 0
> foo = 32679
> __PRETTY_FUNCTION__ = "ast_request"
> {code}
> backtrace.txt and full.txt are attached.
> The compile flags on my Asterisk PBX are DONT_OPTIMIZE, COMPILE_DOUBLE, LOADABLE_MODULES, BETTER_BACKTRACES, MALLOC_DEBUG, BUILD_NATIVE. The mmlog is useless, there's nothing in it.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
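
The mechanism described in Corey Farrell's comment at the top of this message, as an added example (not Asterisk code and not part of the original message): a toy reference-counted object whose free routine overwrites the contents, so that a single release of a reference that was never taken leaves the remaining holder reading poisoned data. The names `obj_*`, `debug_free`, the `POISON` byte and the static pool are assumptions made for the illustration; the static pool keeps the read after "free" well defined.

```c
#include <stdio.h>
#include <string.h>

#define POISON 0xDE   /* constructed fill byte, not Asterisk's actual pattern */

struct obj {          /* hypothetical reference-counted object */
    int refs;
    int freed;        /* bookkeeping for the demonstration only */
    unsigned char payload[8];
};

static struct obj pool[1];   /* static storage: inspecting it after "free" is defined */

static struct obj *obj_alloc(void) {
    struct obj *o = &pool[0];
    o->refs = 1;
    o->freed = 0;
    memset(o->payload, 0x11, sizeof o->payload);   /* stand-in for live data */
    return o;
}

static void obj_ref(struct obj *o) { o->refs++; }

/* Debug-style free: overwrite the contents so a stale reader sees garbage at once. */
static void debug_free(struct obj *o) {
    memset(o->payload, POISON, sizeof o->payload);
    o->freed = 1;
}

static void obj_unref(struct obj *o) {
    if (--o->refs == 0)
        debug_free(o);
}

/* Returns 1 when a holder that still owns a reference finds poisoned data. */
int unbalanced_unref_is_detected(int extra_unrefs) {
    struct obj *o = obj_alloc();   /* holder A: refs == 1 */
    obj_ref(o);                    /* holder B: refs == 2 */
    obj_unref(o);                  /* A is done: refs == 1 */
    for (int i = 0; i < extra_unrefs; i++)
        obj_unref(o);              /* bug: releases a reference it never took */
    /* Holder B still uses the object here. */
    return o->freed && o->payload[0] == POISON;
}

int main(void) {
    printf("balanced:   stale read detected = %d\n", unbalanced_unref_is_detected(0));
    printf("unbalanced: stale read detected = %d\n", unbalanced_unref_is_detected(1));
    return 0;
}
```

Without the overwrite in `debug_free`, holder B would keep reading the old `0x11` bytes and the unbalanced release would go unnoticed until the memory was reused.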