[asterisk-bugs] [JIRA] (ASTERISK-29934) func_channels: Invalid memory management in CHANNELS can cause a crash

Asterisk Team (JIRA) noreply at issues.asterisk.org
Wed Feb 23 07:01:07 CST 2022


    [ https://issues.asterisk.org/jira/browse/ASTERISK-29934?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=258134#comment-258134 ] 

Asterisk Team commented on ASTERISK-29934:
------------------------------------------

Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution. Please note that log messages and other files should not be sent to the Sangoma Asterisk Team unless explicitly asked for. All files should be placed on this issue in a sanitized fashion as needed.

A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report.

Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

Please note that once your issue enters an open state it has been accepted. As Asterisk is an open source project there is no guarantee or timeframe on when your issue will be looked into. If you need expedient resolution you will need to find and pay a suitable developer. Asking for an update on your issue will not yield any progress on it and will not result in a response. All updates are posted to the issue when they occur.

Please note that by submitting data, code, or documentation to Sangoma through JIRA, you accept the Terms of Use present at [https://www.asterisk.org/terms-of-use/|https://www.asterisk.org/terms-of-use/].

> func_channels: Invalid memory management in CHANNELS can cause a crash
> ----------------------------------------------------------------------
>
>                 Key: ASTERISK-29934
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-29934
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Functions/func_channel
>    Affects Versions: 18.9.0
>         Environment: Debian 10
>            Reporter: N A
>
> Reading the CHANNELS function can cause Asterisk to crash.
> However, I can't replicate this again on the same system so it appears to only happen occasionally.
> Backtrace:
> Thread 1 (Thread 0x7fa187d11700 (LWP 24280)):
> #0  0x00007fa1b0a7f7bb in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
>         set = {__val = {134238211, 0, 32, 140331745047416, 0, 0, 0, 140332431832928, 3432, 94855944378196, 0, 94855944378196, 0, 94855944378202, 140331745046288, 0}}
>         pid = <optimized out>
>         tid = <optimized out>
> #1  0x00007fa1b0a6a535 in __GI_abort () at abort.c:79
>         save_stage = 1
>         act = {__sigaction_handler = {sa_handler = 0x7fa1ffffffff, sa_sigaction = 0x7fa1ffffffff}, sa_mask = {__val = {94855942253609, 0, 4042670559465613056, 140331745046672, 140331745046672, 968, 94855944578990, 140331745047096, 140332152169888, 140331766019736, 140332430526368, 4222451713, 140331766019736, 140331766019736, 140331745046752, 140331745047008}}, sa_flags = -2016382752, sa_restorer = 0x1000}
>         sigs = {__val = {32, 0 <repeats 15 times>}}
> #2  0x00007fa1b0ac1508 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7fa1b0bcc28d "%s\n") at ../sysdeps/posix/libc_fatal.c:181
>         ap = {{gp_offset = 24, fp_offset = 32673, overflow_arg_area = 0x7fa187d071f0, reg_save_area = 0x7fa187d07180}}
>         fd = 2
>         list = <optimized out>
>         nlist = <optimized out>
>         cp = <optimized out>
>         written = <optimized out>
> #3  0x00007fa1b0ac7c1a in malloc_printerr (str=str@entry=0x7fa1b0bce428 "malloc(): mismatching next->prev_size (unsorted)") at malloc.c:5341
> #4  0x00007fa1b0acaefc in _int_malloc (av=av@entry=0x7fa188000020, bytes=bytes@entry=968) at malloc.c:3737
>         next = <optimized out>
>         iters = <optimized out>
>         nb = 976
>         idx = 61
>         bin = <optimized out>
>         victim = <optimized out>
>         size = <optimized out>
>         victim_index = <optimized out>
>         remainder = <optimized out>
>         remainder_size = <optimized out>
>         block = <optimized out>
>         bit = <optimized out>
>         map = <optimized out>
>         fwd = <optimized out>
>         bck = <optimized out>
>         tcache_unsorted_count = 5
>         tcache_nb = 976
>         tc_idx = 59
>         return_cached = 0
>         __PRETTY_FUNCTION__ = "_int_malloc"
> #5  0x00007fa1b0acc56a in __GI___libc_malloc (bytes=bytes@entry=968) at malloc.c:3057
>         ar_ptr = 0x7fa188000020
>         victim = <optimized out>
>         hook = <optimized out>
>         tbytes = <optimized out>
>         tc_idx = 59
>         __PRETTY_FUNCTION__ = "__libc_malloc"
> #6  0x00007fa1b0b191fd in create_token_tree (left=left@entry=0x7fa188074bd8, right=right@entry=0x7fa188074c18, token=<optimized out>, dfa=<optimized out>, dfa=<optimized out>) at regcomp.c:3828
>         storage = <optimized out>
>         tree = <optimized out>
> #7  0x00007fa1b0b24b1d in create_tree (type=CONCAT, right=0x7fa188074c18, left=0x7fa188074bd8, dfa=0x7fa18805aac0) at regcomp.c:3818
>         t = {opr = {c = 0 '\000', sbcset = 0x200, mbcset = 0x200, idx = 512, ctx_type = NOT_WORD_DELIM}, type = CONCAT, constraint = 118, duplicated = 0, opt_subexp = 0, accept_mb = 1, mb_partial = 0, word_char = 1}
>         newtree = <optimized out>
>         tree = 0x7fa188074bd8
>         expr = 0x7fa188074c18
>         dfa = 0x7fa18805aac0
> #8  0x00007fa1b0b24b1d in parse_branch (regexp=regexp@entry=0x7fa187d074a0, preg=preg@entry=0x7fa187d075c0, token=token@entry=0x7fa187d07480, syntax=syntax@entry=4436732, nest=nest@entry=0, err=err@entry=0x7fa187d0747c) at regcomp.c:2237
>         newtree = <optimized out>
>         tree = 0x7fa188074bd8
>         expr = 0x7fa188074c18
>         dfa = 0x7fa18805aac0
> #9  0x00007fa1b0b24c18 in parse_reg_exp (regexp=regexp@entry=0x7fa187d074a0, preg=preg@entry=0x7fa187d075c0, token=token@entry=0x7fa187d07480, syntax=syntax@entry=4436732, nest=nest@entry=0, err=err@entry=0x7fa187d0747c) at regcomp.c:2173
>         dfa = 0x7fa18805aac0
>         tree = <optimized out>
>         branch = 0x0
>         initial_bkref_map = 0
> #10 0x00007fa1b0b25136 in parse (err=0x7fa187d0747c, syntax=4436732, preg=0x7fa187d075c0, regexp=0x7fa187d074a0) at regcomp.c:2141
>         dfa = 0x7fa18805aac0
>         tree = <optimized out>
>         root = <optimized out>
>         current_token = {opr = {c = 83 'S', sbcset = 0x53, mbcset = 0x53, idx = 83, ctx_type = 83}, type = CHARACTER, constraint = 279, duplicated = 0, opt_subexp = 0, accept_mb = 1, mb_partial = 0, word_char = 1}
>         eor = <optimized out>
>         err = _REG_NOERROR
>         dfa = 0x7fa18805aac0
>         regexp = {raw_mbs = 0x7fa187d07669 "SIP/ATAxGrandstream1", mbs = 0x7fa18920be30 "^\BSIP/ATAXGRANDSTREAM1", wcs = 0x0, offsets = 0x0, cur_state = {__count = 0, __value = {__wch = 0, __wchb = "\000\000\000"}}, raw_mbs_idx = 0, valid_len = 23, valid_raw_len = 23, bufs_len = 24, cur_idx = 17, raw_len = 23, len = 23, raw_stop = 23, stop = 23, tip_context = 0, trans = 0x0, word_char = 0x0, icase = 1 '\001', is_utf8 = 0 '\000', map_notascii = 0 '\000', mbs_allocated = 1 '\001', offsets_needed = 0 '\000', newline_anchor = 0 '\000', word_ops_used = 0 '\000', mb_cur_max = 1}
> #11 0x00007fa1b0b25136 in re_compile_internal (preg=<optimized out>, pattern=<optimized out>, length=<optimized out>, syntax=<optimized out>) at regcomp.c:803
>         err = _REG_NOERROR
>         dfa = 0x7fa18805aac0
>         regexp = {raw_mbs = 0x7fa187d07669 "SIP/ATAxGrandstream1", mbs = 0x7fa18920be30 "^\BSIP/ATAXGRANDSTREAM1", wcs = 0x0, offsets = 0x0, cur_state = {__count = 0, __value = {__wch = 0, __wchb = "\000\000\000"}}, raw_mbs_idx = 0, valid_len = 23, valid_raw_len = 23, bufs_len = 24, cur_idx = 17, raw_len = 23, len = 23, raw_stop = 23, stop = 23, tip_context = 0, trans = 0x0, word_char = 0x0, icase = 1 '\001', is_utf8 = 0 '\000', map_notascii = 0 '\000', mbs_allocated = 1 '\001', offsets_needed = 0 '\000', newline_anchor = 0 '\000', word_ops_used = 0 '\000', mb_cur_max = 1}
> #12 0x00007fa1b0b2637c in __GI___regcomp (preg=0x7fa187d075c0, pattern=0x7fa187d07669 "SIP/ATAxGrandstream1", cflags=<optimized out>) at regcomp.c:497
>         ret = <optimized out>
>         syntax = 4436732
> #13 0x00007fa18e8a75bb in func_channels_read (chan=0x7fa1a914e1e0, function=0x7fa187d07660 "CHANNELS", data=0x7fa187d07669 "SIP/ATAxGrandstream1", buf=0x7fa187d07750 "", maxlen=4096) at func_channel.c:729
>         c = 0x0
>         re = {buffer = 0x7fa18805aac0, allocated = 224, used = 224, syntax = 4436732, fastmap = 0x7fa1893a70e0 "\200\001", translate = 0x0, re_nsub = 0, can_be_null = 0, regs_allocated = 0, fastmap_accurate = 0, no_sub = 1, not_bol = 0, not_eol = 0, newline_anchor = 0}
>         res = 22085
>         buflen = 0
>         iter = 0x7fa187d07640
>         __FUNCTION__ = "func_channels_read"
>         __PRETTY_FUNCTION__ = "func_channels_read"
> #14 0x000056455ecdde61 in ast_func_read (chan=0x7fa1a914e1e0, function=0x7fa187d09790 "CHANNELS(SIP/ATAxGrandstream1)", workspace=0x7fa187d07750 "", len=4096) at pbx_functions.c:617
>         copy = 0x7fa187d07660 "CHANNELS"
>         args = 0x7fa187d07669 "SIP/ATAxGrandstream1"
>         acfptr = 0x7fa18e8aa440 <channels_function>
>         res = 20
>         u = 0x7fa18920a830
>         __FUNCTION__ = "ast_func_read"
>         __PRETTY_FUNCTION__ = "ast_func_read"
> #15 0x000056455ece264e in pbx_substitute_variables_helper_full_location (c=0x7fa1a914e1e0, headp=0x7fa1a914e9c0, cp1=0x7fa187d0b890 "EXISTS(${CHANNELS(${fullpeername})})", cp2=0x7fa187d0c897 "", count=4088, used=0x0, context=0x0, exten=0x0, pri=0) at pbx_variables.c:747
>         offset2 = 2147483647
>         isfunction = 1
>         cp4 = 0x0
>         workspace = '\000' <repeats 4095 times>
>         offset = 0
>         pos = 7
>         nextvar = 0x7fa187d0b897 "${CHANNELS(${fullpeername})})"
>         vars = 0x7fa187d09790 "CHANNELS(SIP/ATAxGrandstream1)"
>         brackets = 0
>         needsub = 1
>         nextexp = 0x0
>         nextthing = 0x7fa187d0b897 "${CHANNELS(${fullpeername})})"
>         vare = 0x7fa187d0b8b6 ")"
>         length = 32673
>         len = 28
>         whereweare = 0x7fa187d0b8b6 ")"
>         orig_cp2 = 0x7fa187d0c890 "EXISTS("
>         ltmp = "CHANNELS(SIP/ATAxGrandstream1)", '\000' <repeats 1279 times>...
>         var = "CHANNELS(${fullpeername})", '\000' <repeats 1956 times>...
>         __FUNCTION__ = "pbx_substitute_variables_helper_full_location"
>         __PRETTY_FUNCTION__ = "pbx_substitute_variables_helper_full_location"
> #16 0x000056455ece25d0 in pbx_substitute_variables_helper_full_location (c=0x7fa1a914e1e0, headp=0x7fa1a914e9c0, cp1=0x7fa187d0d9a0 "${EXISTS(${CHANNELS(${fullpeername})})}", cp2=0x7fa187d0da30 "", count=8191, used=0x0, context=0x0, exten=0x0, pri=0) at pbx_variables.c:737
>         offset2 = 1870341160
>         isfunction = 1414419791
>         cp4 = 0x0
>         workspace = '\000' <repeats 4095 times>
>         offset = 1816165733
>         pos = 0
>         nextvar = 0x7fa187d0d9a0 "${EXISTS(${CHANNELS(${fullpeername})})}"
>         vars = 0x7fa187d0d9a2 "EXISTS(${CHANNELS(${fullpeername})})}"
>         brackets = 0
>         needsub = 2
>         nextexp = 0x0
>         nextthing = 0x7fa187d0d9a0 "${EXISTS(${CHANNELS(${fullpeername})})}"
>         vare = 0x7fa187d0d9ca ""
>         length = 0
>         len = 39
>         whereweare = 0x7fa187d0d9ca ""
>         orig_cp2 = 0x7fa187d0da30 ""
>         ltmp = "EXISTS(000EN(device-oe,ATAxGrandstream1,1)000003300260241177000000d000000000000000000000254222253260241177000000320340336^EV000000340J207220241177000000 312Ї241177000000HA276^EV000000002000000000000000000000000247340pts032070360u342^EV000000300316Ї241177000000260316Ї241177000000B000000000000000000000`320Ї241177000000L323342^EV000000`003300260241177000000022201251260241177000000360206300260241177000000l5312^000000000000254 ", '000' <repeats 26 times>...
>         var = "EXISTS(${CHANNELS(${fullpeername})})\000/,2)},1)", '\000' <repeats 2872 times>...
>         __FUNCTION__ = "pbx_substitute_variables_helper_full_location"
>         __PRETTY_FUNCTION__ = "pbx_substitute_variables_helper_full_location"
> #17 0x000056455ece230c in pbx_substitute_variables_helper_full (c=0x7fa1a914e1e0, headp=0x7fa1a914e9c0, cp1=0x7fa187d0d9a0 "${EXISTS(${CHANNELS(${fullpeername})})}", cp2=0x7fa187d0da30 "", count=8191, used=0x0) at pbx_variables.c:629
> #18 0x000056455ece2cdf in pbx_substitute_variables_helper (c=0x7fa1a914e1e0, cp1=0x7fa187d0d9a0 "${EXISTS(${CHANNELS(${fullpeername})})}", cp2=0x7fa187d0da30 "", count=8191) at pbx_variables.c:855
> #19 0x000056455ecc1abe in pbx_extension_helper (c=0x7fa1a914e1e0, con=0x0, context=0x7fa1a914eba0 "callwaiting", exten=0x7fa1a914ebf0 "SIP/ATAxGrandstream1", priority=7, label=0x0, callerid=0x7fa1a91b0ee0 "2127", action=E_SPAWN, found=0x7fa187d10ccc, combined_find_spawn=1) at pbx.c:2936
>         e = 0x7fa1a5839dc0
>         app = 0x56456031fa30
>         substitute = 0x7fa187d0d9a0 "${EXISTS(${CHANNELS(${fullpeername})})}"
>         q = {incstack = {0x0 <repeats 512 times>}, stacklen = 0, status = 5, swo = 0x0, data = 0x0, foundcontext = 0x7fa1a914eba0 "callwaiting"}
>         passdata = "000?Hangup(7)000,10000/ATAxGrandstream1000tent,evan,1000,*,*,evan000ngs000s000zed,CONFBRIDGE(user,marked)=yes,CONFBRIDGE(user,timeout)=86400,CONFBRIDGE(user,dtmf_passthrough)=no000070066063,DB(astrex/tn/4002347863/lastcall/0"...
>         matching_action = 0
>         __FUNCTION__ = "pbx_extension_helper"
> #20 0x000056455ecc5e72 in ast_spawn_extension (c=0x7fa1a914e1e0, context=0x7fa1a914eba0 "callwaiting", exten=0x7fa1a914ebf0 "SIP/ATAxGrandstream1", priority=7, callerid=0x7fa1a91b0ee0 "2127", found=0x7fa187d10ccc, combined_find_spawn=1) at pbx.c:4206
> #21 0x000056455ecc6b8f in __ast_pbx_run (c=0x7fa1a914e1e0, args=0x0) at pbx.c:4380
>         digit = 0
>         invalid = 0
>         timeout = 0
>         dst_exten = "000340336^EV000000340002V250241177000000320fч241177000000235 at 276^EV000000347H340^EV000000b312337^EV000000361203337^EV000000000000000000000000000000;n000000377377377377 003V250241177000000 at fч241177000000340002V250241177000000212024343^EV000000340.343^EV000000212024343^261016000000244361342^EV000000D004000000257016000000244361342^000000000000220fч241177000000:4276^EV000000220fч241177000000212024343^EV000000000000000000261016000000340.343^EV000000 000000000000000000000 003V250"...
>         pos = 0
>         found = 1
>         res = 0
>         autoloopflag = 0
>         error = 0
>         pbx = 0x7fa18979d2c0
>         callid = 0
>         __FUNCTION__ = "__ast_pbx_run"
>         __PRETTY_FUNCTION__ = "__ast_pbx_run"
> #22 0x000056455ecc8408 in pbx_thread (data=0x7fa1a914e1e0) at pbx.c:4704
>         c = 0x7fa1a914e1e0
> #23 0x000056455ed69749 in dummy_start (data=0x7fa1a8e6dbe0) at utils.c:1572
>         __cancel_buf = {__cancel_jmp_buf = {{__cancel_jmp_buf = {0, 3499354240092836261, 140331732578638, 140331732578639, 140331745089280, 140332152169888, 3499354239983784357, 7158900602537611685}, __mask_was_saved = 0}}, __pad = {0x7fa187d10ed0, 0x0, 0x381a737470e0a700, 0x0}}
>         __cancel_routine = 0x56455ebd8621 <ast_unregister_thread>
>         __cancel_arg = 0x7fa187d11700
>         __not_first_call = 0
>         ret = 0x7fa1a014a5a0
>         a = {start_routine = 0x56455ecc83e3 <pbx_thread>, data = 0x7fa1a914e1e0, name = 0x7fa1a8135db0 "pbx_thread", ' ' <repeats 11 times>, "started at [ 4730] pbx.c ast_pbx_start()"}
>         __PRETTY_FUNCTION__ = "dummy_start"
> #24 0x00007fa1b10adfa3 in start_thread (arg=<optimized out>) at pthread_create.c:486
>         ret = <optimized out>
>         pd = <optimized out>
>         now = <optimized out>
>         unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140331745089280, -3471365440882765403, 140331732578638, 140331732578639, 140331745089280, 140332152169888, 3499354240078156197, 3499395401382859173}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
>         not_first_call = <optimized out>
> #25 0x00007fa1b0b414cf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95



--
This message was sent by Atlassian JIRA
(v6.2#6252)


