[asterisk-bugs] [JIRA] (ASTERISK-28810) Segmentation fault in ast_manager_build_channel_state_string_prefix

Robert Sutton (JIRA) noreply at issues.asterisk.org
Mon May 18 18:43:25 CDT 2020


    [ https://issues.asterisk.org/jira/browse/ASTERISK-28810?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=250852#comment-250852 ] 

Robert Sutton commented on ASTERISK-28810:
------------------------------------------

I've acquired a couple of identical backtraces from 2 systems

Running asterisk 16.10

[May 15 17:16:11] ERROR[33]:   Got 15 backtrace records
# 0: [0x5db45d] asterisk utils.c:2404 __ast_assert_failed()
# 1: [0x51d3fd] asterisk manager_channels.c:498 ast_manager_build_channel_state_string_prefix()
# 2: [0x51d818] asterisk manager_channels.c:570 ast_manager_build_channel_state_string()
# 3: [0x7feccd91dff5] res_agi.so res_agi.c:1427 agi_channel_to_ami()
# 4: [0x7feccd91e107] res_agi.so res_agi.c:1443 agi_exec_start_to_ami()
# 5: [0x5b414b] asterisk stasis_message.c:226 stasis_message_to_ami()
# 6: [0x628343] asterisk manager.c:1848 manager_default_msg_cb()
# 7: [0x5b48a6] asterisk stasis_message_router.c:202 router_dispatch()
# 8: [0x59fccd] asterisk stasis.c:780 subscription_invoke()
# 9: [0x5a0f7f] asterisk stasis.c:1260 dispatch_exec_async()
#10: [0x5c5720] asterisk taskprocessor.c:1235 ast_taskprocessor_execute()
#11: [0x5c2755] asterisk taskprocessor.c:201 default_tps_processing_function()
#12: [0x5d83b7] asterisk utils.c:1249 dummy_start()
#13: [0x7fed1a66a6ba] libpthread.so.0 :0 __pthread_get_minstack()
#14: [0x7fed198ff41d] libc.so.6 :0 clone()

with this patch applied

diff --git a/main/manager_channels.c b/main/manager_channels.c
index c964033..25b5c65 100644
--- a/main/manager_channels.c
+++ b/main/manager_channels.c
@@ -493,6 +493,11 @@ struct ast_str *ast_manager_build_channel_state_string_prefix(
        char *connected_name;
        int res;
 
+       if (!snapshot) {
+               __ast_assert_failed(0, "snapshot != NULL in ast_manager_build_channel_state_string_prefix",__FILE__,__LINE__,__PRETTY_FUNCTION__);
+               return NULL;
+       }
+
        if (snapshot->tech_properties & AST_CHAN_TP_INTERNAL) {
                return NULL;
        }
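Review bot: the new guard at the top of the hunk logs and returns NULL, but it does not address why `snapshot` is NULL in the first place; both backtraces in this comment reach `ast_manager_build_channel_state_string_prefix()` through `agi_channel_to_ami()` called from `agi_exec_start_to_ami()` / `agi_exec_end_to_ami()`, so the AGI-to-AMI conversion in res_agi.c is where the missing snapshot should be handled (skip building the event when the message carries no channel snapshot), with this check kept only as a last-line diagnostic. As a style point, the hunk calls the internal `__ast_assert_failed()` directly with a hard-coded `0` and a hand-typed condition string; `ast_assert(snapshot != NULL);` before the early return expresses the same thing with the project's own macro and keeps file, line and function consistent with every other assertion.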

and this one too 

[May 15 15:19:03] ERROR[33]:   Got 15 backtrace records
# 0: [0x5db45d] asterisk utils.c:2404 __ast_assert_failed()
# 1: [0x51d3fd] asterisk manager_channels.c:498 ast_manager_build_channel_state_string_prefix()
# 2: [0x51d818] asterisk manager_channels.c:570 ast_manager_build_channel_state_string()
# 3: [0x7feccd91dff5] res_agi.so res_agi.c:1427 agi_channel_to_ami()
# 4: [0x7feccd91e128] res_agi.so res_agi.c:1448 agi_exec_end_to_ami()
# 5: [0x5b414b] asterisk stasis_message.c:226 stasis_message_to_ami()
# 6: [0x628343] asterisk manager.c:1848 manager_default_msg_cb()
# 7: [0x5b48a6] asterisk stasis_message_router.c:202 router_dispatch()
# 8: [0x59fccd] asterisk stasis.c:780 subscription_invoke()
# 9: [0x5a0f7f] asterisk stasis.c:1260 dispatch_exec_async()
#10: [0x5c5720] asterisk taskprocessor.c:1235 ast_taskprocessor_execute()
#11: [0x5c2755] asterisk taskprocessor.c:201 default_tps_processing_function()
#12: [0x5d83b7] asterisk utils.c:1249 dummy_start()
#13: [0x7fed1a66a6ba] libpthread.so.0 :0 __pthread_get_minstack()
#14: [0x7fed198ff41d] libc.so.6 :0 clone()



> Segmentation fault in ast_manager_build_channel_state_string_prefix
> -------------------------------------------------------------------
>
>                 Key: ASTERISK-28810
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-28810
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Core/Channels
>    Affects Versions: 16.9.0
>         Environment: docker ubuntu 18.04
>            Reporter: Robert Sutton
>            Assignee: Unassigned
>         Attachments: patch.txt
>
>
> We are having daily core dumps.
> ast_manager_build_channel_state_string_prefix was passed a null snapshot; upon looking around the code base there are many paths where it is called without first checking.
> This problem will keep happening if it is reliant on callers of this method to first check the arg. The simple solution is to do a null check on the snapshot in ast_manager_build_channel_state_string_prefix and return NULL.
> I will attach a patch shortly.
> #0  ast_manager_build_channel_state_string_prefix (snapshot=0x0, prefix=0x62f514 "") at manager_channels.c:496
>         out = <error reading variable out (Cannot access memory at address 0x7f794f496cd0)>
>         caller_name = <optimized out>
>         connected_name = <optimized out>
>         res = <optimized out>
>         __PRETTY_FUNCTION__ = "ast_manager_build_channel_state_string_prefix"



--
This message was sent by Atlassian JIRA
(v6.2#6252)
