[asterisk-bugs] Asterisk NULL pointer dereference of tsx->transport
Silvan Nagl
mail at 53c70r.de
Mon Nov 18 10:55:29 CST 2019
Hi,
I would like to request help analyzing a backtrace caused by a
SIGSEGV while dereferencing tsx->transport, which was NULL, at:
../src/pjsip/sip_transaction.c:1884
tsx->is_reliable = PJSIP_TRANSPORT_IS_RELIABLE(tsx->transport);
The Asterisk version is 13.21.
Best Regards,
Silvan
_BT_
#0 0x00007ff1dfddd57c in send_msg_callback (send_state=0x7ff228011ca0,
sent=893, cont=0x7ff1d10c508c) at ../src/pjsip/sip_transaction.c:1884
tsx = 0x7ff20007aae8
tdata = <optimized out>
#1 0x00007ff1dfdcab2f in stateless_send_transport_cb
(token=token at entry=0x7ff228011ca0, tdata=tdata at entry=0x7ff228010d88,
sent=893) at ../src/pjsip/sip_util.c:1134
status = <optimized out>
cont = 0
cur_addr = <optimized out>
cur_addr_len = <optimized out>
via = <optimized out>
stateless_data = 0x7ff228011ca0
#2 0x00007ff1dfdcae99 in stateless_send_transport_cb
(token=token at entry=0x7ff228011ca0, tdata=tdata at entry=0x7ff228010d88,
sent=<optimized out>, sent at entry=-70002) at ../src/pjsip/sip_util.c:1266
status = <optimized out>
cont = 1
cur_addr = ...
cur_addr_len = 16
via = <optimized out>
stateless_data = 0x7ff228011ca0
#3 0x00007ff1dfdcaff2 in stateless_send_resolver_callback
(status=<optimized out>, token=0x7ff228011ca0, addr=<optimized out>) at
../src/pjsip/sip_util.c:1358
stateless_data = 0x7ff228011ca0
tdata = 0x7ff228010d88
#4 0x00007ff1dfdcdc17 in dns_a_callback (user_data=0x7ff1c06bbd88,
status=0, pkt=<optimized out>) at ../src/pjsip/sip_resolve.c:574
query = 0x7ff1c06bbd88
srv = 0x7ff1c06bbf70
#5 0x00007ff1df94754e in on_read_complete (key=0x5632f3553e70,
op_key=0x7ff1c00032d8, bytes_read=262) at ../src/pjlib-util/resolver.c:1754
resolver = ...
pool = 0x7ff1c0001f28
dns_pkt = 0x7ff1c0001fd0
q = 0x7ff1c00010a0
addr = "\017\000\000\000\000\000\000\000\001", '\000' <repeats
15 times>,
"|\000\000\000w\000\000\000o\000\000\000j\000\000\000\214\231^\004\362\177"
src_addr = ...
src_addr_len = 0x7ff1c0003514
rx_pkt = 0x7ff1c0002ed8 "ho\201\200"
rx_pkt_size = 512
status = 0
pj_x_except__ = {
state = {{
__jmpbuf = {140676571091936, 748226197904433297,
140676285084376, 94776830800816, 94776830803688, 140676571092592,
-756154092660973423, -756177114808442735},
__mask_was_saved = 0,
__saved_mask = {
__val = {3414590758286940160, 8016, 124, 94776826805152,
94776826805072, 140675613982752, 140678484584408, 566935683072, 8000,
455266533376, 7, 0, 140675613988968, 8048, 18446744073709551456, 125}
}
}},
prev = 0x0
}
pj_x_code__ = <optimized out>
#6 0x00007ff2045e73af in ioqueue_dispatch_read_event
(ioqueue=0x5632f35533b0, h=0x5632f3553e70) at
../src/pj/ioqueue_common_abs.c:605
read_op = 0x7ff1c00032d8
bytes_read = 262
has_lock = 0
rc = <optimized out>
ioqueue = 0x5632f35533b0
h = 0x5632f3553e70
rc = <optimized out>
#7 0x00007ff2045e88a3 in pj_ioqueue_poll (ioqueue=0x5632f35533b0,
timeout=timeout at entry=0x7ff1d10c5e20) at ../src/pj/ioqueue_select.c:1009
rfdset = {
data = {6, 1024, 0 <repeats 15 times>, 94776830801360, 0, 0,
20404, 113, 94776832952432, 94776830799856, 94776823271405,
94776830801472, 94776830801472, 94776830801232, 0, 0, 94776823223728, 0,
0, 0, 240, 128, 94776830802448, 3, 140678524199578, 0, 0,
94776830801360, 0, 0, 94776823223728, 0, 94776823272027, 0, 0, 0, 368,
128, 94776830801088, 3, 140678524199578, 0, 0, 94776830801232,
94776830801728, 0, 94776823223728, 0, 94776823271658, 0, 0, 0, 20405, 54113}
}
wfdset = {
data = {0 <repeats 17 times>, 3, 140678524199578, 0, 0,
94776830801728, 94776830802048, 0, 94776823223728, 0, 94776830801984, 0,
0, 0, 20405, 53857, 94776830801216, 140678488087712, 0, 0,
7308324466003108904, 8307, 64, 128, 94776830802160, 1, 94776823271495,
94776830802176, 94776830802176, 94776830801728, 94776830802304,
94776830801856, 94776823223728, 0, -15890, 0, 0, 0, 192, 128,
94776830801840, 3, 140678524199578, 0, 0, 94776830802048, 0, 0,
94776823223728, 0, 94776823272009, 0}
}
xfdset = {
data = {0 <repeats 18 times>, 20405, 53409, 94776830801216,
94776830801712, 0, 0, 94776830801712, 3, 140678524199578, 0, 0,
94776830801232, 0, 94776830801728, 94776823223728, 0, 94776823271527, 0,
0, 0, 20406, 53249, 94776830789360, 94776830801216, 0, 0, 0,
94776830789376, 0, 94776830801232, 94776823223728, 0, 94776823271489, 0,
0, 0, 20407, 53121, 94776830788832, 94776830789360, 0, 0, 0,
94776830788848, 0, 94776830789376, 94776823223728, 0, 94776823271439, 0}
}
nfds = <optimized out>
i = <optimized out>
count = <optimized out>
event_cnt = <optimized out>
processed_cnt = 0
h = <optimized out>
event = {{
key = 0x5632f3553e70,
event_type = READABLE_EVENT
}, {
key = 0x7ff19ab8d8c0,
event_type = 285628416
}, {
key = 0x206,
event_type = 4294967295
}, {
key = 0x7ff19ab8d870,
event_type = 4062678910
}, {
key = 0x206,
event_type = 4062679128
}, {
key = 0x1,
event_type = 4061178302
}, {
key = 0x5632f22790aa,
event_type = 2595805352
}, {
key = 0x5632f22790aa,
event_type = 4061178763
}, {
key = 0x0,
event_type = NO_EVENT
}, {
key = 0x0,
event_type = 660
}, {
key = 0x5632f2279240,
event_type = 285628416
}, {
key = 0x91,
event_type = NO_EVENT
}, {
key = 0x0,
event_type = 285628416
}, {
key = 0x206,
event_type = 285628416
}, {
key = 0x7ff198bcf7e0,
event_type = 285628416
}, {
key = 0x7ff140ae8008,
event_type = 4294967295
}}
#8 0x00007ff1dfdc9da8 in pjsip_endpt_handle_events2
(endpt=0x5632f336b398, max_timeout=max_timeout at entry=0x7ff1d10c5e70,
p_count=p_count at entry=0x0) at ../src/pjsip/sip_endpoint.c:744
timeout = {
sec = 0,
msec = 10
}
count = 2
net_event_count = 0
c = <optimized out>
#9 0x00007ff1dfdc9e47 in pjsip_endpt_handle_events (endpt=<optimized
out>, max_timeout=max_timeout at entry=0x7ff1d10c5e70) at
../src/pjsip/sip_endpoint.c:776
#10 0x00007ff2043a0e08 in monitor_thread_exec (endpt=<optimized out>) at
res_pjsip.c:4394
delay = {
sec = 0,
msec = 10
}
#11 0x00007ff2045e9c40 in thread_main (param=0x5632f3042268) at
../src/pj/os_core_unix.c:541
rec = 0x5632f3042268
result = <optimized out>
#12 0x00007ff243cf26db in start_thread (arg=0x7ff1d10c6700) at
pthread_create.c:463
pd = 0x7ff1d10c6700
now = <optimized out>
unwind_buf = {
cancel_jmp_buf = {{
jmp_buf = {140676571096832, 748226197904433297,
140676571094912, 0, 94776825487976, 140723842785296,
-756154092312846191, -754708779702411119},
mask_was_saved = 0
}},
priv = {
pad = {0x0, 0x0, 0x0, 0x0},
data = {
prev = 0x0,
cleanup = 0x0,
canceltype = 0
}
}
}
not_first_call = <optimized out>
#13 0x00007ff24322b88f in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Also, a strange data structure is visible that appears to have overwritten
parts of internal data structures, starting at
57b:2bd8│ 0x5632f35532c8 ◂— 0xfffc001efffc001f
57c:2be0│ 0x5632f35532d0 ◂— 0xfffc001cfffc001d
57d:2be8│ 0x5632f35532d8 ◂— 0xfffc001afffc001b
57e:2bf0│ 0x5632f35532e0 ◂— 0xfffc0018fffc0019
57f:2bf8│ 0x5632f35532e8 ◂— 0xfffc0016fffc0017
580:2c00│ 0x5632f35532f0 ◂— 0xfffc0014fffc0015
581:2c08│ 0x5632f35532f8 ◂— 0xfffc0012fffc0013
582:2c10│ 0x5632f3553300 ◂— 0xfffc0010fffc0011
583:2c18│ 0x5632f3553308 ◂— 0xfffc000efffc000f
584:2c20│ 0x5632f3553310 ◂— 0xfffc000cfffc000d /* '\r' */
585:2c28│ 0x5632f3553318 ◂— 0xfffc000afffc000b /* '\x0b' */
586:2c30│ 0x5632f3553320 ◂— 0xfffc0008fffc0009 /* '\t' */
587:2c38│ 0x5632f3553328 ◂— 0xfffc0006fffc0007
588:2c40│ 0x5632f3553330 ◂— 0xfffc0004fffc0005
589:2c48│ 0x5632f3553338 ◂— 0xfffc0002fffc0003
58a:2c50│ 0x5632f3553340 —▸ 0x5632f3553368 ◂— 0x0
58b:2c58│ 0x5632f3553348 —▸ 0x7ff2045e9960 (pj_mutex_lock) ◂—
push rbp
58c:2c60│ 0x5632f3553350 —▸ 0x7ff2045e9de0 (pj_mutex_trylock) ◂—
push rbp
58d:2c68│ 0x5632f3553358 —▸ 0x7ff2045e9ba0 (pj_mutex_unlock) ◂—
test rdi, rdi
58e:2c70│ 0x5632f3553360 —▸ 0x7ff2045e9eb0 (pj_mutex_destroy) ◂—
test rdi, rdi
and continuing upward in the same pattern, overwriting areas of ioqueue.active_list in frame
7 and possibly more. It looks like the result of some
badly broken pointer arithmetic.
(It is possible that the overwriting value started at some higher
value and decreased down to this fragment.)
...
...
...
write_list = {
prev = 0x5632f3553170,
next = 0x5632f2e195b0,
op = PJ_IOQUEUE_OP_NONE,
buf = 0x5632f2e25067 "",
size = 0,
written = 0,
flags = 0,
rmt_addr = {
sin_family = 0,
sin_port = 0,
sin_addr = {
s_addr = 20403
},
sin_zero = "\000\000\000\000\321\325\000"
},
rmt_addrlen = 0
},
accept_list = {
prev = 0x5632f35506f0,
next = 0x5632f3552f70,
op = PJ_IOQUEUE_OP_NONE,
accept_fd = 0x0,
local_addr = 0x0,
rmt_addr = 0x5632f3550700,
addrlen = 0x5632f3553550
},
ref_count = 4082446208,
closing = 22066,
free_time = {
sec = 94776823223728,
msec = 0
}
}