[asterisk-bugs] [JIRA] (ASTERISK-29934) func_channels: Invalid memory management in CHANNELS can cause a crash
Joshua C. Colp (JIRA)
noreply at issues.asterisk.org
Wed Feb 23 07:09:06 CST 2022
[ https://issues.asterisk.org/jira/browse/ASTERISK-29934?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Joshua C. Colp updated ASTERISK-29934:
--------------------------------------
Description:
Reading the CHANNELS function can cause Asterisk to crash.
However, I can't replicate this again on the same system so it appears to only happen occasionally.
Previous description (before this update; it included the backtrace inline):
Reading the CHANNELS function can cause Asterisk to crash.
However, I can't replicate this again on the same system so it appears to only happen occasionally.
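Backtrace (glibc aborts inside malloc() during regcomp(), called from func_channels_read at func_channel.c:729; the abort marks where the damaged heap metadata was detected, which is not necessarily where it was corrupted):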
Thread 1 (Thread 0x7fa187d11700 (LWP 24280)):
#0 0x00007fa1b0a7f7bb in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
set = {__val = {134238211, 0, 32, 140331745047416, 0, 0, 0, 140332431832928, 3432, 94855944378196, 0, 94855944378196, 0, 94855944378202, 140331745046288, 0}}
pid = <optimized out>
tid = <optimized out>
#1 0x00007fa1b0a6a535 in __GI_abort () at abort.c:79
save_stage = 1
act = {__sigaction_handler = {sa_handler = 0x7fa1ffffffff, sa_sigaction = 0x7fa1ffffffff}, sa_mask = {__val = {94855942253609, 0, 4042670559465613056, 140331745046672, 140331745046672, 968, 94855944578990, 140331745047096, 140332152169888, 140331766019736, 140332430526368, 4222451713, 140331766019736, 140331766019736, 140331745046752, 140331745047008}}, sa_flags = -2016382752, sa_restorer = 0x1000}
sigs = {__val = {32, 0 <repeats 15 times>}}
#2 0x00007fa1b0ac1508 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7fa1b0bcc28d "%s\n") at ../sysdeps/posix/libc_fatal.c:181
ap = {{gp_offset = 24, fp_offset = 32673, overflow_arg_area = 0x7fa187d071f0, reg_save_area = 0x7fa187d07180}}
fd = 2
list = <optimized out>
nlist = <optimized out>
cp = <optimized out>
written = <optimized out>
#3 0x00007fa1b0ac7c1a in malloc_printerr (str=str@entry=0x7fa1b0bce428 "malloc(): mismatching next->prev_size (unsorted)") at malloc.c:5341
#4 0x00007fa1b0acaefc in _int_malloc (av=av@entry=0x7fa188000020, bytes=bytes@entry=968) at malloc.c:3737
next = <optimized out>
iters = <optimized out>
nb = 976
idx = 61
bin = <optimized out>
victim = <optimized out>
size = <optimized out>
victim_index = <optimized out>
remainder = <optimized out>
remainder_size = <optimized out>
block = <optimized out>
bit = <optimized out>
map = <optimized out>
fwd = <optimized out>
bck = <optimized out>
tcache_unsorted_count = 5
tcache_nb = 976
tc_idx = 59
return_cached = 0
__PRETTY_FUNCTION__ = "_int_malloc"
#5 0x00007fa1b0acc56a in __GI___libc_malloc (bytes=bytes@entry=968) at malloc.c:3057
ar_ptr = 0x7fa188000020
victim = <optimized out>
hook = <optimized out>
tbytes = <optimized out>
tc_idx = 59
__PRETTY_FUNCTION__ = "__libc_malloc"
#6 0x00007fa1b0b191fd in create_token_tree (left=left@entry=0x7fa188074bd8, right=right@entry=0x7fa188074c18, token=<optimized out>, dfa=<optimized out>, dfa=<optimized out>) at regcomp.c:3828
storage = <optimized out>
tree = <optimized out>
#7 0x00007fa1b0b24b1d in create_tree (type=CONCAT, right=0x7fa188074c18, left=0x7fa188074bd8, dfa=0x7fa18805aac0) at regcomp.c:3818
t = {opr = {c = 0 '000', sbcset = 0x200, mbcset = 0x200, idx = 512, ctx_type = NOT_WORD_DELIM}, type = CONCAT, constraint = 118, duplicated = 0, opt_subexp = 0, accept_mb = 1, mb_partial = 0, word_char = 1}
newtree = <optimized out>
tree = 0x7fa188074bd8
expr = 0x7fa188074c18
dfa = 0x7fa18805aac0
#8 0x00007fa1b0b24b1d in parse_branch (regexp=regexp@entry=0x7fa187d074a0, preg=preg@entry=0x7fa187d075c0, token=token@entry=0x7fa187d07480, syntax=syntax@entry=4436732, nest=nest@entry=0, err=err@entry=0x7fa187d0747c) at regcomp.c:2237
newtree = <optimized out>
tree = 0x7fa188074bd8
expr = 0x7fa188074c18
dfa = 0x7fa18805aac0
#9 0x00007fa1b0b24c18 in parse_reg_exp (regexp=regexp@entry=0x7fa187d074a0, preg=preg@entry=0x7fa187d075c0, token=token@entry=0x7fa187d07480, syntax=syntax@entry=4436732, nest=nest@entry=0, err=err@entry=0x7fa187d0747c) at regcomp.c:2173
dfa = 0x7fa18805aac0
tree = <optimized out>
branch = 0x0
initial_bkref_map = 0
#10 0x00007fa1b0b25136 in parse (err=0x7fa187d0747c, syntax=4436732, preg=0x7fa187d075c0, regexp=0x7fa187d074a0) at regcomp.c:2141
dfa = 0x7fa18805aac0
tree = <optimized out>
root = <optimized out>
current_token = {opr = {c = 83 'S', sbcset = 0x53, mbcset = 0x53, idx = 83, ctx_type = 83}, type = CHARACTER, constraint = 279, duplicated = 0, opt_subexp = 0, accept_mb = 1, mb_partial = 0, word_char = 1}
eor = <optimized out>
err = _REG_NOERROR
dfa = 0x7fa18805aac0
regexp = {raw_mbs = 0x7fa187d07669 "SIP/ATAxGrandstream1", mbs = 0x7fa18920be30 "^\BSIP/ATAXGRANDSTREAM1", wcs = 0x0, offsets = 0x0, cur_state = {__count = 0, __value = {__wch = 0, __wchb = "000000000"}}, raw_mbs_idx = 0, valid_len = 23, valid_raw_len = 23, bufs_len = 24, cur_idx = 17, raw_len = 23, len = 23, raw_stop = 23, stop = 23, tip_context = 0, trans = 0x0, word_char = 0x0, icase = 1 '001', is_utf8 = 0 '000', map_notascii = 0 '000', mbs_allocated = 1 '001', offsets_needed = 0 '000', newline_anchor = 0 '000', word_ops_used = 0 '000', mb_cur_max = 1}
#11 0x00007fa1b0b25136 in re_compile_internal (preg=<optimized out>, pattern=<optimized out>, length=<optimized out>, syntax=<optimized out>) at regcomp.c:803
err = _REG_NOERROR
dfa = 0x7fa18805aac0
regexp = {raw_mbs = 0x7fa187d07669 "SIP/ATAxGrandstream1", mbs = 0x7fa18920be30 "^\BSIP/ATAXGRANDSTREAM1", wcs = 0x0, offsets = 0x0, cur_state = {__count = 0, __value = {__wch = 0, __wchb = "000000000"}}, raw_mbs_idx = 0, valid_len = 23, valid_raw_len = 23, bufs_len = 24, cur_idx = 17, raw_len = 23, len = 23, raw_stop = 23, stop = 23, tip_context = 0, trans = 0x0, word_char = 0x0, icase = 1 '001', is_utf8 = 0 '000', map_notascii = 0 '000', mbs_allocated = 1 '001', offsets_needed = 0 '000', newline_anchor = 0 '000', word_ops_used = 0 '000', mb_cur_max = 1}
#12 0x00007fa1b0b2637c in __GI___regcomp (preg=0x7fa187d075c0, pattern=0x7fa187d07669 "SIP/ATAxGrandstream1", cflags=<optimized out>) at regcomp.c:497
ret = <optimized out>
syntax = 4436732
#13 0x00007fa18e8a75bb in func_channels_read (chan=0x7fa1a914e1e0, function=0x7fa187d07660 "CHANNELS", data=0x7fa187d07669 "SIP/ATAxGrandstream1", buf=0x7fa187d07750 "", maxlen=4096) at func_channel.c:729
c = 0x0
re = {buffer = 0x7fa18805aac0, allocated = 224, used = 224, syntax = 4436732, fastmap = 0x7fa1893a70e0 "200001", translate = 0x0, re_nsub = 0, can_be_null = 0, regs_allocated = 0, fastmap_accurate = 0, no_sub = 1, not_bol = 0, not_eol = 0, newline_anchor = 0}
res = 22085
buflen = 0
iter = 0x7fa187d07640
__FUNCTION__ = "func_channels_read"
__PRETTY_FUNCTION__ = "func_channels_read"
#14 0x000056455ecdde61 in ast_func_read (chan=0x7fa1a914e1e0, function=0x7fa187d09790 "CHANNELS(SIP/ATAxGrandstream1)", workspace=0x7fa187d07750 "", len=4096) at pbx_functions.c:617
copy = 0x7fa187d07660 "CHANNELS"
args = 0x7fa187d07669 "SIP/ATAxGrandstream1"
acfptr = 0x7fa18e8aa440 <channels_function>
res = 20
u = 0x7fa18920a830
__FUNCTION__ = "ast_func_read"
__PRETTY_FUNCTION__ = "ast_func_read"
#15 0x000056455ece264e in pbx_substitute_variables_helper_full_location (c=0x7fa1a914e1e0, headp=0x7fa1a914e9c0, cp1=0x7fa187d0b890 "EXISTS(${CHANNELS(${fullpeername})})", cp2=0x7fa187d0c897 "", count=4088, used=0x0, context=0x0, exten=0x0, pri=0) at pbx_variables.c:747
offset2 = 2147483647
isfunction = 1
cp4 = 0x0
workspace = '000' <repeats 4095 times>
offset = 0
pos = 7
nextvar = 0x7fa187d0b897 "${CHANNELS(${fullpeername})})"
vars = 0x7fa187d09790 "CHANNELS(SIP/ATAxGrandstream1)"
brackets = 0
needsub = 1
nextexp = 0x0
nextthing = 0x7fa187d0b897 "${CHANNELS(${fullpeername})})"
vare = 0x7fa187d0b8b6 ")"
length = 32673
len = 28
whereweare = 0x7fa187d0b8b6 ")"
orig_cp2 = 0x7fa187d0c890 "EXISTS("
ltmp = "CHANNELS(SIP/ATAxGrandstream1)", '000' <repeats 1279 times>...
var = "CHANNELS(${fullpeername})", '000' <repeats 1956 times>...
__FUNCTION__ = "pbx_substitute_variables_helper_full_location"
__PRETTY_FUNCTION__ = "pbx_substitute_variables_helper_full_location"
#16 0x000056455ece25d0 in pbx_substitute_variables_helper_full_location (c=0x7fa1a914e1e0, headp=0x7fa1a914e9c0, cp1=0x7fa187d0d9a0 "${EXISTS(${CHANNELS(${fullpeername})})}", cp2=0x7fa187d0da30 "", count=8191, used=0x0, context=0x0, exten=0x0, pri=0) at pbx_variables.c:737
offset2 = 1870341160
isfunction = 1414419791
cp4 = 0x0
workspace = '000' <repeats 4095 times>
offset = 1816165733
pos = 0
nextvar = 0x7fa187d0d9a0 "${EXISTS(${CHANNELS(${fullpeername})})}"
vars = 0x7fa187d0d9a2 "EXISTS(${CHANNELS(${fullpeername})})}"
brackets = 0
needsub = 2
nextexp = 0x0
nextthing = 0x7fa187d0d9a0 "${EXISTS(${CHANNELS(${fullpeername})})}"
vare = 0x7fa187d0d9ca ""
length = 0
len = 39
whereweare = 0x7fa187d0d9ca ""
orig_cp2 = 0x7fa187d0da30 ""
ltmp = "EXISTS(000EN(device-oe,ATAxGrandstream1,1)000003300260241177000000d000000000000000000000254222253260241177000000320340336^EV000000340J207220241177000000 312Ї241177000000HA276^EV000000002000000000000000000000000247340pts032070360u342^EV000000300316Ї241177000000260316Ї241177000000B000000000000000000000`320Ї241177000000L323342^EV000000`003300260241177000000022201251260241177000000360206300260241177000000l5312^000000000000254 ", '000' <repeats 26 times>...
var = "EXISTS(${CHANNELS(${fullpeername})})000/,2)},1)", '000' <repeats 2872 times>...
__FUNCTION__ = "pbx_substitute_variables_helper_full_location"
__PRETTY_FUNCTION__ = "pbx_substitute_variables_helper_full_location"
#17 0x000056455ece230c in pbx_substitute_variables_helper_full (c=0x7fa1a914e1e0, headp=0x7fa1a914e9c0, cp1=0x7fa187d0d9a0 "${EXISTS(${CHANNELS(${fullpeername})})}", cp2=0x7fa187d0da30 "", count=8191, used=0x0) at pbx_variables.c:629
#18 0x000056455ece2cdf in pbx_substitute_variables_helper (c=0x7fa1a914e1e0, cp1=0x7fa187d0d9a0 "${EXISTS(${CHANNELS(${fullpeername})})}", cp2=0x7fa187d0da30 "", count=8191) at pbx_variables.c:855
#19 0x000056455ecc1abe in pbx_extension_helper (c=0x7fa1a914e1e0, con=0x0, context=0x7fa1a914eba0 "callwaiting", exten=0x7fa1a914ebf0 "SIP/ATAxGrandstream1", priority=7, label=0x0, callerid=0x7fa1a91b0ee0 "2127", action=E_SPAWN, found=0x7fa187d10ccc, combined_find_spawn=1) at pbx.c:2936
e = 0x7fa1a5839dc0
app = 0x56456031fa30
substitute = 0x7fa187d0d9a0 "${EXISTS(${CHANNELS(${fullpeername})})}"
q = {incstack = {0x0 <repeats 512 times>}, stacklen = 0, status = 5, swo = 0x0, data = 0x0, foundcontext = 0x7fa1a914eba0 "callwaiting"}
passdata = "000?Hangup(7)000,10000/ATAxGrandstream1000tent,evan,1000,*,*,evan000ngs000s000zed,CONFBRIDGE(user,marked)=yes,CONFBRIDGE(user,timeout)=86400,CONFBRIDGE(user,dtmf_passthrough)=no000070066063,DB(astrex/tn/4002347863/lastcall/0"...
matching_action = 0
__FUNCTION__ = "pbx_extension_helper"
#20 0x000056455ecc5e72 in ast_spawn_extension (c=0x7fa1a914e1e0, context=0x7fa1a914eba0 "callwaiting", exten=0x7fa1a914ebf0 "SIP/ATAxGrandstream1", priority=7, callerid=0x7fa1a91b0ee0 "2127", found=0x7fa187d10ccc, combined_find_spawn=1) at pbx.c:4206
#21 0x000056455ecc6b8f in __ast_pbx_run (c=0x7fa1a914e1e0, args=0x0) at pbx.c:4380
digit = 0
invalid = 0
timeout = 0
dst_exten = "000340336^EV000000340002V250241177000000320fч241177000000235 at 276^EV000000347H340^EV000000b312337^EV000000361203337^EV000000000000000000000000000000;n000000377377377377 003V250241177000000 at fч241177000000340002V250241177000000212024343^EV000000340.343^EV000000212024343^261016000000244361342^EV000000D004000000257016000000244361342^000000000000220fч241177000000:4276^EV000000220fч241177000000212024343^EV000000000000000000261016000000340.343^EV000000 000000000000000000000 003V250"...
pos = 0
found = 1
res = 0
autoloopflag = 0
error = 0
pbx = 0x7fa18979d2c0
callid = 0
__FUNCTION__ = "__ast_pbx_run"
__PRETTY_FUNCTION__ = "__ast_pbx_run"
#22 0x000056455ecc8408 in pbx_thread (data=0x7fa1a914e1e0) at pbx.c:4704
c = 0x7fa1a914e1e0
#23 0x000056455ed69749 in dummy_start (data=0x7fa1a8e6dbe0) at utils.c:1572
__cancel_buf = {__cancel_jmp_buf = {{__cancel_jmp_buf = {0, 3499354240092836261, 140331732578638, 140331732578639, 140331745089280, 140332152169888, 3499354239983784357, 7158900602537611685}, __mask_was_saved = 0}}, __pad = {0x7fa187d10ed0, 0x0, 0x381a737470e0a700, 0x0}}
__cancel_routine = 0x56455ebd8621 <ast_unregister_thread>
__cancel_arg = 0x7fa187d11700
__not_first_call = 0
ret = 0x7fa1a014a5a0
a = {start_routine = 0x56455ecc83e3 <pbx_thread>, data = 0x7fa1a914e1e0, name = 0x7fa1a8135db0 "pbx_thread", ' ' <repeats 11 times>, "started at [ 4730] pbx.c ast_pbx_start()"}
__PRETTY_FUNCTION__ = "dummy_start"
#24 0x00007fa1b10adfa3 in start_thread (arg=<optimized out>) at pthread_create.c:486
ret = <optimized out>
pd = <optimized out>
now = <optimized out>
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140331745089280, -3471365440882765403, 140331732578638, 140331732578639, 140331745089280, 140332152169888, 3499354240078156197, 3499395401382859173}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
not_first_call = <optimized out>
#25 0x00007fa1b0b414cf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
> func_channels: Invalid memory management in CHANNELS can cause a crash
> ----------------------------------------------------------------------
>
> Key: ASTERISK-29934
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-29934
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: Functions/func_channel
> Affects Versions: 18.9.0
> Environment: Debian 10
> Reporter: N A
> Attachments: backtrace.txt
>
>
> Reading the CHANNELS function can cause Asterisk to crash.
> However, I can't replicate this again on the same system so it appears to only happen occasionally.
--
This message was sent by Atlassian JIRA
(v6.2#6252)