[asterisk-bugs] [JIRA] (ASTERISK-28810) Segmentation fault in ast_manager_build_channel_state_string_prefix

Robert Sutton (JIRA) noreply at issues.asterisk.org
Mon May 25 20:11:25 CDT 2020


    [ https://issues.asterisk.org/jira/browse/ASTERISK-28810?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=250945#comment-250945 ] 

Robert Sutton commented on ASTERISK-28810:
------------------------------------------

I've now acquired a dozen occurrences of this and have identified the circumstances of the channels involved.

Firstly, this always occurs after a line like this (for clarity: this line was executed 26374 times, resulting in 12 crashes over an 8-day period).
{noformat}
    -- AGI Script Executing Application: (bridge) Options: (PJSIP/123-000009cb,xpF)
{noformat}

There are 2 channels, both in AGI:
      One in a loop stopping and starting playtones every 3 seconds.
      The other channel is originated into dialplan and then into AGI and immediately answered, and bridge is invoked with the first channel as the target.

In this example PJSIP/711-000009cb is in the AGI invoking playtones and PJSIP/trunk-00000da2 is the originated channel. I've left blank lines where I've edited out activity from other channels.
{noformat}
   -- Executing [agent-agi at dialer:4] Goto("PJSIP/711-000009cb", "agent-agi,1") in new stack
    -- Goto (dialer,agent-agi,1)
    -- Executing [agent-agi at dialer:1] Set("PJSIP/711-000009cb", "AGIEXITONHANGUP=yes") in new stack
    -- Executing [agent-agi at dialer:2] AGI("PJSIP/711-000009cb", "agi://127.0.0.1:4578/DialerAgentHold?DialJobId=&InternalDialerId=2506") in new stack
    -- AGI Script Executing Application: (Playtones) Options: (beep)
[May 18 16:27:14] ERROR[21047][C-0000084b]: indications.c:340 ast_playtones_start: Failed to parse tone part 'beep'
[May 18 16:27:14] ERROR[21047][C-0000084b]: indications.c:381 ast_playtones_start: No valid tone parts
[May 18 16:27:14] NOTICE[21047][C-0000084b]: app_playtones.c:98 handle_playtones: Unable to start playtones

    -- Executing [agent-agi at dialer:1] Set("PJSIP/trunk-00000da2", "AGIEXITONHANGUP=yes") in new stack
    -- Executing [agent-agi at dialer:2] AGI("PJSIP/trunk-00000da2", "agi://127.0.0.1:4578/DialerGateWay?DialJobId=1379&InternalDialerId=3489") in new stack

    -- AGI Script Executing Application: (bridge) Options: (PJSIP/711-000009cb,xpF)
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0FRACK!, Failed assertion snapshot != NULL in ast_manager_build_channel_state_string_prefix (0) at line 497 in ast_manager_build_channel_state_string_prefix of manager_channels.c
  == Spawn extension (dialer, agent-agi, 2) exited non-zero on 'Surrogate/PJSIP/711-000009cb'
[May 18 16:27:24] ERROR[34]: manager_channels.c:497 ast_manager_build_channel_state_string_prefix: FRACK!, Failed assertion snapshot != NULL in ast_manager_build_channel_state_string_prefix (0)
    -- Channel PJSIP/711-000009cb joined 'simple_bridge' basic-bridge <7c366a46-c3cf-437a-8632-530462118869>
    -- Channel PJSIP/trunk-00000da2 joined 'simple_bridge' basic-bridge <7c366a46-c3cf-437a-8632-530462118869>
    -- <PJSIP/711-000009cb> Playing 'beep.alaw' (language 'en_AU')

[May 18 16:27:24] ERROR[34]:   Got 15 backtrace records
# 0: [0x5db45d] asterisk utils.c:2404 __ast_assert_failed()
# 1: [0x51d3fd] asterisk manager_channels.c:498 ast_manager_build_channel_state_string_prefix()
# 2: [0x51d818] asterisk manager_channels.c:570 ast_manager_build_channel_state_string()
# 3: [0x7f922d10dff5] res_agi.so res_agi.c:1427 agi_channel_to_ami()
# 4: [0x7f922d10e107] res_agi.so res_agi.c:1443 agi_exec_start_to_ami()
# 5: [0x5b414b] asterisk stasis_message.c:226 stasis_message_to_ami()
# 6: [0x628343] asterisk manager.c:1848 manager_default_msg_cb()
# 7: [0x5b48a6] asterisk stasis_message_router.c:202 router_dispatch()
# 8: [0x59fccd] asterisk stasis.c:780 subscription_invoke()
{noformat}



> Segmentation fault in ast_manager_build_channel_state_string_prefix
> -------------------------------------------------------------------
>
>                 Key: ASTERISK-28810
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-28810
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Core/Channels
>    Affects Versions: 16.9.0
>         Environment: docker ubuntu 18.04
>            Reporter: Robert Sutton
>            Assignee: Unassigned
>         Attachments: patch.txt
>
>
> We are having daily core dumps.
> ast_manager_build_channel_state_string_prefix was passed a null snapshot; upon looking around the code base there are many paths where it is called without first checking.
> This problem will keep happening if it is reliant on callers of this method to first check the arg. The simple solution is to do a null check on the snapshot in ast_manager_build_channel_state_string_prefix and return NULL.
> I will attach a patch shortly.
> #0  ast_manager_build_channel_state_string_prefix (snapshot=0x0, prefix=0x62f514 "") at manager_channels.c:496
>         out = <error reading variable out (Cannot access memory at address 0x7f794f496cd0)>
>         caller_name = <optimized out>
>         connected_name = <optimized out>
>         res = <optimized out>
>         __PRETTY_FUNCTION__ = "ast_manager_build_channel_state_string_prefix"
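The guard the reporter proposes (return NULL from the state-string builder when the snapshot is NULL, and let the caller drop the event) is shown below as an added, self-contained C model. This is not Asterisk's code and not the attached patch.txt: the `chan_snapshot` struct, its fields, the sample snapshot values, the AMI key layout and the function bodies are all assumptions made for this example; only the function names and channel names are taken from the backtrace and log above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for a channel snapshot. Constructed for this example;
 * it is not Asterisk's struct ast_channel_snapshot. */
struct chan_snapshot {
    const char *name;       /* e.g. "PJSIP/711-000009cb" */
    const char *uniqueid;   /* constructed value below */
    int state;              /* numeric channel state */
    const char *state_desc; /* e.g. "Up" */
};

/* Sample snapshot standing in for the originated channel in the report.
 * The uniqueid is a constructed value, not one from the log. */
const struct chan_snapshot sample_snapshot = {
    "PJSIP/trunk-00000da2", "constructed-uniqueid-3489", 6, "Up"
};

/*
 * Builds the "<prefix>Channel: ...\r\n" key/value block an AMI event carries
 * for one channel. Returns a heap string the caller frees, or NULL when the
 * snapshot is NULL. That NULL return is the guard the report proposes: a
 * missing snapshot (as for the 'Surrogate/...' channel in the log) degrades
 * to "no state string" instead of an assertion failure inside the formatter.
 */
char *build_channel_state_string_prefix(const struct chan_snapshot *snapshot,
                                        const char *prefix)
{
    if (!snapshot) {
        return NULL;
    }
    if (!prefix) {
        prefix = "";
    }
    const char *fmt =
        "%sChannel: %s\r\n"
        "%sChannelState: %d\r\n"
        "%sChannelStateDesc: %s\r\n"
        "%sUniqueid: %s\r\n";
    int len = snprintf(NULL, 0, fmt, prefix, snapshot->name, prefix, snapshot->state,
                       prefix, snapshot->state_desc, prefix, snapshot->uniqueid);
    if (len < 0) {
        return NULL;
    }
    char *out = malloc((size_t)len + 1);
    if (!out) {
        return NULL;
    }
    snprintf(out, (size_t)len + 1, fmt, prefix, snapshot->name, prefix, snapshot->state,
             prefix, snapshot->state_desc, prefix, snapshot->uniqueid);
    return out;
}

/*
 * Models the consumer in the backtrace (agi_exec_start_to_ami): renders an
 * "AGI exec start" message as AMI event text. Propagates NULL when the channel
 * block cannot be built, so the event is dropped rather than emitted half-formed
 * or crashing the manager thread.
 */
char *agi_exec_start_to_ami(const struct chan_snapshot *snapshot, const char *command)
{
    char *channel_block = build_channel_state_string_prefix(snapshot, "");
    if (!channel_block) {
        return NULL;
    }
    const char *fmt = "Event: AGIExecStart\r\n%sCommand: %s\r\n\r\n";
    int len = snprintf(NULL, 0, fmt, channel_block, command);
    char *event = (len < 0) ? NULL : malloc((size_t)len + 1);
    if (event) {
        snprintf(event, (size_t)len + 1, fmt, channel_block, command);
    }
    free(channel_block);
    return event;
}

/* Helper: does the rendered event contain `needle`? Frees what it builds. */
int event_contains(const struct chan_snapshot *snapshot, const char *command, const char *needle)
{
    char *event = agi_exec_start_to_ami(snapshot, command);
    if (!event) {
        return 0;
    }
    int found = strstr(event, needle) != NULL;
    free(event);
    return found;
}

/* Helper: does the prefixed state block contain `needle`? Frees what it builds. */
int state_block_contains(const struct chan_snapshot *snapshot, const char *prefix, const char *needle)
{
    char *block = build_channel_state_string_prefix(snapshot, prefix);
    if (!block) {
        return 0;
    }
    int found = strstr(block, needle) != NULL;
    free(block);
    return found;
}

int main(void)
{
    const char *cmd = "EXEC bridge PJSIP/711-000009cb,xpF"; /* constructed from the log line */
    char *ok = agi_exec_start_to_ami(&sample_snapshot, cmd);   /* normal path */
    printf("%s", ok ? ok : "(no event)\n");
    free(ok);
    char *dropped = agi_exec_start_to_ami(NULL, cmd);          /* the crash path */
    printf("%s", dropped ? dropped : "AGIExecStart dropped: no channel snapshot\n");
    free(dropped);
    return 0;
}
```

The point of routing the NULL through the caller is that the Stasis-to-AMI path in the backtrace (stasis_message_to_ami, agi_exec_start_to_ami, ast_manager_build_channel_state_string) has several entry points; a guard inside the builder covers all of them, while each caller only has to treat NULL as "emit nothing".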


