[asterisk-bugs] [JIRA] (ASTERISK-26679) Crash on invalid contact domain (pjsip aor)

Jacek Konieczny (JIRA) noreply at issues.asterisk.org
Tue Jan 10 02:48:10 CST 2017 

    [ https://issues.asterisk.org/jira/browse/ASTERISK-26679?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=234548#comment-234548 ] 

Jacek Konieczny commented on ASTERISK-26679:
--------------------------------------------

I have experienced similar crashes due to a misconfigured contact hostname or broken nameservers. The last one:

{noformat}
# coredumpctl  gdb -1                                                                                                                                         
           PID: 8722 (asterisk)
           UID: 188 (asterisk)
           GID: 188 (asterisk)
        Signal: 11 (SEGV)
     Timestamp: Tue 2017-01-10 01:29:19 CET (8h ago)
  Command Line: /usr/sbin/asterisk -U asterisk -G asterisk -g -f
    Executable: /usr/sbin/asterisk
 Control Group: /
         Slice: -.slice
       Boot ID: ec363aa2f81a46d998f3dec80b9b10f3
    Machine ID: 1b7ba458f42347e897c9190248b35978
      Hostname: x12c-4puntnuldemo
      Coredump: /var/lib/systemd/coredump/core.asterisk.188.ec363aa2f81a46d998f3dec80b9b10f3.8722.1484008159000000.lz4
       Message: Process 8722 (asterisk) of user 188 dumped core.
                
                Stack trace of thread 8754:
                #0  0x00000000f63b06e1 cancel (libpj.so.2)
                #1  0x00000000f63b0d2b cancel_timer (libpj.so.2)
                #2  0x00000000f635db90 endpt_send_request (res_pjsip.so)
                #3  0x00000000f6360a43 ast_sip_send_out_of_dialog_request (res_pjsip.so)
                #4  0x00000000f636460c qualify_contact (res_pjsip.so)
                #5  0x00000000f63648eb qualify_contact_task (res_pjsip.so)
                #6  0x00000000081d741c ast_taskprocessor_execute (asterisk)
                #7  0x00000000081de52f execute_tasks (asterisk)
                #8  0x00000000081d741c ast_taskprocessor_execute (asterisk)
                #9  0x00000000081dde9f threadpool_execute (asterisk)
                #10 0x00000000081e6910 dummy_start (asterisk)
                #11 0x00000000f70e5220 start_thread (libpthread.so.0)
                #12 0x00000000f6f885ee __clone (libc.so.6)
                
[...]
Program terminated with signal SIGSEGV, Segmentation fault.
#0  cancel (ht=ht at entry=0x866280c, entry=entry at entry=0x6478302b, flags=flags at entry=7) at ../src/pj/timer.c:331
331	  if (entry->_timer_id < 0 || (pj_size_t)entry->_timer_id > ht->max_size) {
$1 = (pj_timer_entry *) 0x6478302b
(gdb) print entry->_timer_id
Cannot access memory at address 0x64783037
(gdb) up
#1  0xf63b0d2b in cancel_timer (id_val=id_val at entry=0, flags=6, entry=0x6478302b, ht=0x866280c) at ../src/pj/timer.c:581
581	    count = cancel(ht, entry, flags | F_DONT_CALL);
(gdb) print *entry
Cannot access memory at address 0x6478302b
(gdb) up
#2  pj_timer_heap_cancel_if_active (ht=0x866280c, entry=entry at entry=0x6478302b, id_val=id_val at entry=0) at ../src/pj/timer.c:605
605	    return cancel_timer(ht, entry, F_SET_ID | F_DONT_ASSERT, id_val);
(gdb) up
#3  0xf635db90 in endpt_send_request (endpoint=endpoint at entry=0x89bc080, tdata=tdata at entry=0xf3b3e91c, timeout=timeout at entry=3000, token=token at entry=0x8979600, 
    cb=0xf635dc09 <send_request_cb>) at res_pjsip.c:3600
3600				timers_cancelled = pj_timer_heap_cancel_if_active(
(gdb) print req_wrapper
$2 = (struct send_request_wrapper *) 0x89a64f0
(gdb) print *req_wrapper
$3 = {
  token = 0x726f7373, 
  callback = 0x6578655f, 
  cb_called = 1702131043, 
  timeout_timer = 0x6478302b, 
  timeout = 1528834402, 
  tdata = 0x31387830
}
(gdb) print *req_wrapper->timeout_timer
Cannot access memory at address 0x6478302b
{noformat}

And the log fragment:
{noformat}
Jan 10 01:29:19 x12c-4puntnuldemo asterisk[8722]: ERROR[8754]: res_pjsip.c:3591 in endpt_send_request: Error 320053 'DNS "Name Error" (PJLIB_UTIL_EDNS_NXDOMAIN)' sending OPTIONS request
 to endpoint GSMINBOUND
Jan 10 01:29:19 x12c-4puntnuldemo asterisk[8722]: [Jan 10 01:29:19] ERROR[8754]: res_pjsip.c:3591 endpt_send_request: Error 320053 'DNS "Name Error" (PJLIB_UTIL_EDNS_NXDOMAIN)' sending 
OPTIONS request to endpoint GSMINBOUND
Jan 10 01:29:19 x12c-4puntnuldemo asterisk[8722]: FRACK!, Failed assertion bad magic number 0x0 for object 0x89a64f0 (0) at line 131 in INTERNAL_OBJ of astobj2.c
Jan 10 01:29:19 x12c-4puntnuldemo asterisk[8722]: ERROR[8754]: astobj2.c:131 in INTERNAL_OBJ: FRACK!, Failed assertion bad magic number 0x0 for object 0x89a64f0 (0)
Jan 10 01:29:19 x12c-4puntnuldemo asterisk[8722]: [Jan 10 01:29:19] ERROR[8754]: astobj2.c:131 INTERNAL_OBJ: FRACK!, Failed assertion bad magic number 0x0 for object 0x89a64f0 (0)
{noformat}

There are more 'DNS "Name Error"' and 'FRACK!' in the logs, it does not end with an Asterisk crash every time.

> Crash on invalid contact domain (pjsip aor)
> -------------------------------------------
>
>                 Key: ASTERISK-26679
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-26679
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Resources/res_pjsip
>    Affects Versions: 13.13.1
>         Environment: debian 8.1
>            Reporter: Dmitriy
>         Attachments: backtrace.txt
>
>
> contact=sip:sipuser
> {quote}
> [Dec 27 21:38:38] WARNING[24817]: pjproject:0 <?>:      tsx0x7f5494015 Failed to send Request msg OPTIONS/cseq=20579 (tdta0x7f549401d650)! err=320053 (DNS "Name Error" (PJLIB_UTIL_EDNS_NXDOMAIN))
> [Dec 27 21:39:38] WARNING[24818]: pjproject:0 <?>:      tsx0x7f5494015 .Failed to send Request msg OPTIONS/cseq=59404 (tdta0x7f549401d650)! err=320053 (DNS "Name Error" (PJLIB_UTIL_EDNS_NXDOMAIN))
> [Dec 27 21:39:38] ERROR[24818]: res_pjsip.c:3591 endpt_send_request: Error 320053 'DNS "Name Error" (PJLIB_UTIL_EDNS_NXDOMAIN)' sending OPTIONS request to endpoint extline-42
> [Dec 27 21:39:38] ERROR[24818]: astobj2.c:131 INTERNAL_OBJ: FRACK!, Failed assertion bad magic number 0x0 for object 0x7f549401d5b0 (0)
> Got 19 backtrace records
> #0: [0x5f9365] main/utils.c:2459 __ast_assert_failed() (0x5f92d8+8D)
> #1: [0x45c06c] main/astobj2.c:132 INTERNAL_OBJ()
> #2: [0x45c0c7] main/astobj2.c:152 __ao2_lock() (0x45c09c+2B)
> #3: [0x7f547f66cb6a] res/res_pjsip.c:3600 endpt_send_request()
> #4: [0x7f547f66d022] res/res_pjsip.c:3720 ast_sip_send_out_of_dialog_request() (0x7f547f66ce71+1B1)
> #5: [0x7f547f670ffb] res_pjsip/pjsip_options.c:444 qualify_contact()
> #6: [0x7f547f671155] res_pjsip/pjsip_options.c:519 qualify_contact_task()
> #7: [0x5e0e83] main/taskprocessor.c:969 ast_taskprocessor_execute() (0x5e0d73+110)
> #8: [0x5e9942] main/threadpool.c:1322 execute_tasks()
> #9: [0x5e0e83] main/taskprocessor.c:969 ast_taskprocessor_execute() (0x5e0d73+110)
> #10: [0x5e7c6f] main/threadpool.c:351 threadpool_execute()
> #11: [0x5e92c6] main/threadpool.c:1105 worker_active()
> #12: [0x5e907f] main/threadpool.c:1025 worker_start()
> #13: [0x5f6477] main/utils.c:1235 dummy_start()
> Pbx*CLI> 
> Disconnected from Asterisk server
> Asterisk cleanly ending (0).
> Executing last minute cleanups
> root at Pbx:/tmp# 
> {quote}



--
This message was sent by Atlassian JIRA
(v6.2#6252)

More information about the asterisk-bugs mailing list