[asterisk-bugs] [JIRA] (ASTERISK-30492) app_queue periodic-announce-startdelay patch derefferences null qe.parent pointer.

Wed Apr 12 03:55:03 CDT 2023

    [ https://issues.asterisk.org/jira/browse/ASTERISK-30492?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=261762#comment-261762 ] 

Jaco Kroon commented on ASTERISK-30492:
---------------------------------------

Yea, please revert for now, I'll have to rework the original patch, and that includes figuring out the new code submission process too.  The posted is correct, this was not tested properly.  Which is my bad.

Honestly it just looks like the code at lines 8529 through 8532 needs to move down to after the ast_assert currently at line 8540 (ie, after the queue_join).

I'll do that now quick, but won't be in a position to perform a proper test until May in all likelyhood.

> app_queue periodic-announce-startdelay patch derefferences null qe.parent pointer.
> ----------------------------------------------------------------------------------
>
>                 Key: ASTERISK-30492
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-30492
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Applications/app_queue
>    Affects Versions: GIT
>         Environment: RHEL 8 (for clang-tidy), Ubuntu 22.04 (for manual test), but really this is universal anyway.
>            Reporter: Jonathan Rose
>            Severity: Major
>
> https://issues.asterisk.org/jira/browse/ASTERISK-30437
> Clang Tidy reported this patch with 'warning: Dereference of null pointer' -- that prompted me to look into the change further and that left me wondering whether or not this patch was actually tested before it was committed.
> Per my comment, https://github.com/asterisk/asterisk/blob/edd7f1b0605e2840b2e21bf45afa67950dd3f9fe/apps/app_queue.c#L8529 -- at this point, qe.parent will unconditionally be null since it is qe is initialized via:
> {code}
> struct queue_ent qe = { 0 };
> {code}
> From here you have some individual members of qe being set, but qe.parent isn't set at any point until after we enter the queue_join function. Presumably at this point qe.parent is going to be a null pointer, and we can't use that to get the periodicannouncestartdelay without causing a segfault.
> My testing confirms that running the Queue dialplan application now pretty much unconditionally causes a segfault.
> As far as I can tell, this is the *only* place that periodicannouncestartdelay is consumed, hence my comment about this seeming to be code that was committed without any kind of testing. There's no way it ever could have worked.
> {code}
> queue_exec (chan=0x555555f57c00, data=0x7fffa85999b0 "testqueue") at app_queue.c:8530
> 8530            if (qe.parent->periodicannouncestartdelay >= 0) {
> (gdb) bt
> #0  queue_exec (chan=0x555555f57c00, data=0x7fffa85999b0 "testqueue") at app_queue.c:8530
> #1  0x00005555556e25e3 in pbx_exec (c=0x555555f57c00, app=0x555555f07990, data=0x7fffa85999b0 "testqueue") at pbx_app.c:492
> {code}
> I don't understand why this wasn't already caught by continuous integration since I would presume that this will cause the asterisk testsuite to fail on any of the queue tests. My insight into how CI is ran in relation to pull requests isn't quite what it used to be admittedly.

--
This message was sent by Atlassian JIRA
(v6.2#6252)