[asterisk-bugs] [JIRA] (ASTERISK-28794) res_pjsip: Crash when escaping during URI printing

nappsoft (JIRA) noreply at issues.asterisk.org
Tue Mar 31 11:10:25 CDT 2020


    [ https://issues.asterisk.org/jira/browse/ASTERISK-28794?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=250072#comment-250072 ] 

nappsoft commented on ASTERISK-28794:
-------------------------------------

Yes, asterisk always crashes at the same address, so the "end" of the backtrace is always the same: in pj_strncpy2_escape () from /usr/lib/libpjlib-util.so.2

However as we do not have that much disk space on these systems we usually have coredumps deactivated. But thanks to dmesg I can confirm that asterisk always crashes in the same function.

The way I was able to make the crashes more frequent was to have a SIP registration to a host that does not answer. (So maybe in the end it has to do with retransmitted SIP messages and memory that is freed too early or so?) On the other hand it does not seem to depend on load: we have a system up and running with the same version and the same malloc implementation for several weeks with 15-30 parallel calls and about 100 connected phones over TLS where we did not observe a single crash, while the system in question, where the crash was happening frequently, only has 5 connected devices and is crashing while not one single call is going on.

I understand that musl libc is not the main libc you're targeting. However I don't think that the race condition depends on a musl environment. (If there was a fundamental malloc bug in musl the application would not always and ONLY crash at the same place I guess...)

> res_pjsip: Crash when escaping during URI printing
> --------------------------------------------------
>
>                 Key: ASTERISK-28794
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-28794
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: pjproject/pjsip, Resources/res_pjsip
>    Affects Versions: 16.9.0
>         Environment: musl libc based linux
>            Reporter: nappsoft
>            Assignee: nappsoft
>            Severity: Minor
>
> Hi,
> We are observing a frequent crash which seems to be a regression as this didn't happen with asterisk 16.9.0.
> In the system this happens most frequently (almost exactly every 15 minutes) we have an outbound registration that is not answering (currently not reachable). As soon as we remove the references to this system (aor, endpoint, registration, ...) it doesn't happen any longer. 
> However we also observed the same crashes on other systems with asterisk 16.9.0 where we do not have such a system configured. So it seems like this can happen with other (possibly temporarily) unreachable contacts as well.
> The backtrace is the following:
> #0  0x00007f937e830725 in pj_strncpy2_escape () from /usr/lib/libpjlib-util.so.2
> No symbol table info available.
> #1  0x00007f937e8e2239 in pjsip_url_print () from /usr/lib/libpjsip.so.2
> No symbol table info available.
> #2  0x00007f937e8e19e4 in pjsip_name_addr_print () from /usr/lib/libpjsip.so.2
> No symbol table info available.
> #3  0x00007f937e8da580 in pjsip_contact_hdr_print () from /usr/lib/libpjsip.so.2
> No symbol table info available.
> #4  0x00007f937e8db6f6 in pjsip_msg_print () from /usr/lib/libpjsip.so.2
> No symbol table info available.
> #5  0x00007f937e8e80bb in pjsip_tx_data_encode () from /usr/lib/libpjsip.so.2
> No symbol table info available.
> #6  0x00007f937e8e2b26 in endpt_on_tx_msg () from /usr/lib/libpjsip.so.2
> No symbol table info available.
> #7  0x00007f937e8e8ab5 in pjsip_transport_send () from /usr/lib/libpjsip.so.2
> No symbol table info available.
> #8  0x00007f937e8f5bd0 in tsx_send_msg () from /usr/lib/libpjsip.so.2
> No symbol table info available.
> #9  0x00007f937e8f560e in tsx_timer_callback () from /usr/lib/libpjsip.so.2
> No symbol table info available.
> #10 0x00007f937e7c9b04 in pj_timer_heap_poll () from /usr/lib/libpj.so.2
> No symbol table info available.
> #11 0x00007f937e8e33eb in pjsip_endpt_handle_events2 () from /usr/lib/libpjsip.so.2
> No symbol table info available.
> #12 0x00007f937e24bfb8 in monitor_thread_exec (endpt=<optimized out>) at res_pjsip.c:4721
>         delay = {sec = 0, msec = 10}
> #13 0x00007f937e7b8946 in thread_main () from /usr/lib/libpj.so.2
> No symbol table info available.
> #14 0x00007f938029cb82 in sem_open () from /lib/ld-musl-x86_64.so.1
> No symbol table info available.
> #15 0x00007f937d1f9000 in ?? ()
> No symbol table info available.
> #16 0x00007f938029ec48 in __strftime_fmt_1 () from /lib/ld-musl-x86_64.so.1
> No symbol table info available.
> #17 0x0000000000000000 in ?? ()
> No symbol table info available.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
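The comment above relies on dmesg rather than core dumps to confirm that every crash lands in the same function. The script below is an added example, not part of the JIRA thread or of the Asterisk/pjproject code: it parses the kernel's "segfault at ... ip ... in OBJECT[base+size]" lines, reduces each crash to (object, offset-into-object), which is stable across runs even with ASLR, and counts how many crashes share a site. The dmesg lines embedded in it are constructed for this example and their addresses are invented; the only address taken from the page is the pj_strncpy2_escape instruction pointer in the first line.

```python
"""Group kernel 'segfault' lines from dmesg by crash site (added example).

Without a core dump, the kernel's segfault message still tells you the
faulting object and the instruction pointer. ip - base is the offset into
that mapping, which does not change between runs, so repeated crashes at
one site collapse into one bucket. Feed the offset to addr2line/nm on the
matching library build to recover the function name.
"""
import re
from collections import Counter

# Constructed sample input (addresses invented for this example; the
# first ip is the pj_strncpy2_escape address from the bug report).
SAMPLE_DMESG = """\
[ 1200.123456] asterisk[2211]: segfault at 8 ip 00007f937e830725 sp 00007f937d1f8e40 error 4 in libpjlib-util.so.2[7f937e820000+1e000]
[ 2100.654321] asterisk[2390]: segfault at 8 ip 00007f1a0c4b0725 sp 00007f1a0b2f8e40 error 4 in libpjlib-util.so.2[7f1a0c4a0000+1e000]
[ 3000.111111] asterisk[2502]: segfault at 0 ip 00007f5512bc0725 sp 00007f5511a08e40 error 4 in libpjlib-util.so.2[7f5512bb0000+1e000]
[ 3900.222222] asterisk[2711]: segfault at 10 ip 000055c0a2e4d1b0 sp 00007ffd12345678 error 6 in asterisk[55c0a2c00000+400000]
"""

# Format used by the Linux kernel for a user-space SIGSEGV; newer kernels
# may append " likely on CPU N", which search() tolerates.
SEGFAULT_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) "
    r"in (?P<obj>[^\[]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)


def decode_error(code):
    """x86 page-fault error code as printed by the kernel."""
    return {
        "present": bool(code & 1),      # protection violation vs. not-present page
        "write": bool(code & 2),        # write access vs. read
        "user": bool(code & 4),         # fault taken in user mode
        "instr_fetch": bool(code & 16), # instruction fetch (NX violation)
    }


def parse_segfault(line):
    """Return a dict describing one segfault line, or None if it is not one."""
    m = SEGFAULT_RE.search(line)
    if not m:
        return None
    ip = int(m["ip"], 16)
    base = int(m["base"], 16)
    size = int(m["size"], 16)
    return {
        "comm": m["comm"],
        "pid": int(m["pid"]),
        "fault_addr": int(m["addr"], 16),
        "ip": ip,
        "object": m["obj"],
        "offset": ip - base,              # position inside the mapped segment
        "in_mapping": base <= ip < base + size,
        "error": decode_error(int(m["err"])),
    }


def crash_sites(dmesg_text):
    """Count crashes per (object, offset); ignores lines whose ip is outside
    the reported mapping (a jump through a corrupted pointer, not a fixed site)."""
    sites = Counter()
    for line in dmesg_text.splitlines():
        rec = parse_segfault(line)
        if rec and rec["in_mapping"]:
            sites[(rec["object"], rec["offset"])] += 1
    return sites


def addr2line_cmd(path, offset):
    """Command to symbolize an offset against the on-disk object."""
    return f"addr2line -f -C -e {path} 0x{offset:x}"


if __name__ == "__main__":
    for (obj, off), n in crash_sites(SAMPLE_DMESG).most_common():
        print(f"{n} crash(es) in {obj} at offset 0x{off:x}  ->  "
              f"{addr2line_cmd('/usr/lib/' + obj, off)}")
```

A small fault address with error 4 (user-mode read of a page that is not present) is the signature of a NULL or dangling pointer dereference, which fits the reporter's use-after-free suspicion. One caveat before trusting addr2line: the printed base is the start of the mapping that contains ip, so the offset is relative to that segment; if the object's executable segment is not its first PT_LOAD (check with readelf -lW), add that segment's file offset first.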