[asterisk-bugs] [JIRA] (ASTERISK-27952) Segfault after pjsip hdr linked list corruption
lvl (JIRA)
noreply at issues.asterisk.org
Tue Jul 3 09:01:54 CDT 2018
lvl created ASTERISK-27952:
------------------------------
Summary: Segfault after pjsip hdr linked list corruption
Key: ASTERISK-27952
URL: https://issues.asterisk.org/jira/browse/ASTERISK-27952
Project: Asterisk
Issue Type: Bug
Security Level: None
Components: pjproject/pjsip
Affects Versions: 15.3.0
Reporter: lvl
Twice now, we've experienced an Asterisk segfault which was caused by a corrupted "hdr" linked list. This only happens once every thousands of calls so I'm not able to draw a connection yet, but as far as I can see there was nothing out of the ordinary for the affected calls.
Might be related to https://issues.asterisk.org/jira/browse/ASTERISK-27792 and https://issues.asterisk.org/jira/browse/ASTERISK-26832.
As you can see the first couple of header entries in the list are completely normal, but eventually hdr.next points to an invalid memory address.
Case 1:
{code}
#0 pj_stricmp (str1=str1 at entry=0x1e, str2=str2 at entry=0x7f17a4baead0) at ../include/pj/string_i.h:216
#1 0x00007f18d1d549a5 in pjsip_msg_find_hdr_by_name (msg=0x7f181c245180, name=name at entry=0x7f17a4baead0, start=start at entry=0x0) at ../src/pjsip/sip_msg.c:363
hdr = 0x6
end = 0x7f181c2451a8
{code}
{code}
(gdb) print *msg.hdr.next.next.next.next.next.next.next.next.next.next
$23 = {
prev = 0x7f187406d368,
next = 0x7f18741e3568,
type = PJSIP_H_OTHER,
name = {
ptr = 0x7f18d1ddfedd "Min-SE",
slen = 6
},
sname = {
ptr = 0x0,
slen = 0
},
vptr = 0x7f18d2022d00 <min_se_hdr_vptr>
}
(gdb) print *msg.hdr.next.next.next.next.next.next.next.next.next.next.next
$24 = {
prev = 0x7f1874041098,
next = 0x6,
type = 177,
name = {
ptr = 0x7f1874036040 "al-queuemember-0006aa1a;2\033[0m\", \"\033[1;35mARRAY(target_username xxxx \001",
slen = 139743010334336
},
sname = {
ptr = 0x0,
slen = 4294967295
},
vptr = 0x0
}
{code}
Case 2:
{code}
#0 pjsip_hdr_print_on (hdr_ptr=0x7f3133322e36, buf=0x7f0fbc1f3430 "Content-Type: application/sdprnContent-Length: 261rnrnv=0rno=- 572496747 572496749 xxxx"..., len=31096) at ../src/pjsip/sip_msg.c:584
hdr = 0x7f3133322e36
#1 0x00007f1034e4ac85 in pjsip_msg_print (msg=0x7f0f180bff30, buf=0x7f0fbc1f30a8 "SIP/2.0 183 Session ProgressrnVia: xxxx"..., size=<optimized out>) at ../src/pjsip/sip_msg.c:464
p = 0x7f0fbc1f3430 "Content-Type: application/sdprnContent-Length: 261rnrnv=0rno=- 572496747 572496749 xxxx"...
end = 0x7f0fbc1fada8 "250255037274017177"
len = <optimized out>
hdr = 0x7f3133322e36
clen_hdr = {ptr = 0x7f1034ed8eef "Content-Length: ", slen = 16}
{code}
{code}
(gdb) p *msg.hdr.next.next.next.next.next.next.next.next.next.next.next
$14 = {
prev = 0x7f0fbc34a730,
next = 0x7f0fbc1fb9e8,
type = PJSIP_H_ALLOW,
name = {
ptr = 0x7f1034ed9284 "Allow",
slen = 5
},
sname = {
ptr = 0x7f1034ed9284 "Allow",
slen = 5
},
vptr = 0x7f103511b3a0 <generic_array_hdr_vptr>
}
(gdb) p *msg.hdr.next.next.next.next.next.next.next.next.next.next.next.next
$15 = {
prev = 0x362e3333322e3738,
next = 0x7f3133322e36,
type = PJSIP_H_CONTACT,
name = {
ptr = 0x7f1034ed27eb "Contact",
slen = 7
},
sname = {
ptr = 0x7f1034eec21a "m",
slen = 1
},
vptr = 0x7f103511b340 <contact_hdr_vptr>
}
(gdb) p *msg.hdr.next.next.next.next.next.next.next.next.next.next.next.next.next
Cannot access memory at address 0x7f3133322e36
{code}
--
This message was sent by Atlassian JIRA
(v6.2#6252)
More information about the asterisk-bugs
mailing list