[asterisk-dev] Asterisk 1.4 stable segfaulting inside chan_iax2

Ben Smithurst ben at gradwell.net
Mon Feb 26 03:17:44 MST 2007


Hi,

We are experiencing a problem with our IAX server crashing with signal
11 within the IAX code, quite frequently.

Quick bit of server info: latest asterisk 1.4 stable code from about
Wednesday last week, ~400 IAX users in config file, average of perhaps
30 concurrent calls during the working day, Dual Xeon 3GHz, 2GB RAM,
Centos 4.4, etc.

The crashes are all caused, as far as I can tell, by dereferencing
iaxs[something] when that element is null.

The attached patch has reduced the crashes slightly but I do think
it is just a kludge rather than a fix for the real problem.  (The
ast_strlen_zero change was just to help debugging.)  I should also point
out that the crashes did happen on completely unmodified 1.4 branch
code.

I'm no expert on the IAX or general asterisk code, but it appears that
the iaxs array is being accessed after the relevant element has been
cleared by another thread?

For example, iax2_indicate does not get any locks at all... should
it?  The other crashes in socket_process do appear to correspond with
accessing iaxs[x] just after the lock was released.

Any insight would be appreciated.

cheers
-ben

-- 
Ben Smithurst       ben.smithurst at gradwell.net                  Gradwell
Senior Developer                                http://www.gradwell.com/

                         gradwell dot com Ltd. Registered in UK: 3673235

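The race described above (an element of a shared pointer array checked, the lock dropped, and the element used after another thread has already freed it and set it to NULL) can be shown in isolation. The following is an added example, not Asterisk's chan_iax2 code and not Ben's attached patch: the names calls[], slot_lock[], call_peek_unsafe() and call_get_peer() are hypothetical stand-ins for the iaxs[] array, its per-call locks, and the two access patterns under discussion. The sample call data ("alice", "peer-a") is constructed for the demonstration.

```c
/* Added example (not Asterisk code): a per-slot call table like iaxs[],
 * with the unsafe "check under lock, then use after unlock" pattern beside
 * a safe accessor that re-validates the slot while holding its lock. */
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SLOTS 4

struct call {
    int callno;
    char peer[32];
};

/* Hypothetical names: calls[] stands in for iaxs[], slot_lock[] for the
 * per-call locks that guard each element. */
static struct call *calls[MAX_SLOTS];
static pthread_mutex_t slot_lock[MAX_SLOTS] = {
    PTHREAD_MUTEX_INITIALIZER, PTHREAD_MUTEX_INITIALIZER,
    PTHREAD_MUTEX_INITIALIZER, PTHREAD_MUTEX_INITIALIZER
};

/* Allocate call state in the first free slot; returns the slot or -1. */
int call_new(int callno, const char *peer)
{
    for (int i = 0; i < MAX_SLOTS; i++) {
        pthread_mutex_lock(&slot_lock[i]);
        if (calls[i] == NULL) {
            struct call *c = calloc(1, sizeof(*c));
            if (c == NULL) { pthread_mutex_unlock(&slot_lock[i]); return -1; }
            c->callno = callno;
            snprintf(c->peer, sizeof(c->peer), "%s", peer);
            calls[i] = c;
            pthread_mutex_unlock(&slot_lock[i]);
            return i;
        }
        pthread_mutex_unlock(&slot_lock[i]);
    }
    return -1;
}

/* Tear the call down: this is what "the other thread" does. Afterwards
 * calls[slot] is NULL and the old struct has been freed. */
void call_destroy(int slot)
{
    pthread_mutex_lock(&slot_lock[slot]);
    free(calls[slot]);
    calls[slot] = NULL;
    pthread_mutex_unlock(&slot_lock[slot]);
}

/* UNSAFE: the NULL check happens under the lock, but the pointer escapes
 * it. Whatever the caller does with the result afterwards races against
 * call_destroy(): the "accessing iaxs[x] just after the lock was released"
 * pattern. */
struct call *call_peek_unsafe(int slot)
{
    pthread_mutex_lock(&slot_lock[slot]);
    struct call *c = calls[slot];
    pthread_mutex_unlock(&slot_lock[slot]);
    return c;   /* may be dangling by the time it is dereferenced */
}

/* SAFE: the element is only touched while its lock is held, and the NULL
 * check is repeated inside the lock rather than trusted from earlier.
 * Returns 0 on success, -1 if the slot has been cleared; callers must
 * tolerate -1 instead of assuming the call still exists. */
int call_get_peer(int slot, char *out, size_t outlen)
{
    int rc = -1;
    pthread_mutex_lock(&slot_lock[slot]);
    if (calls[slot] != NULL) {
        snprintf(out, outlen, "%s", calls[slot]->peer);
        rc = 0;
    }
    pthread_mutex_unlock(&slot_lock[slot]);
    return rc;
}

/* Single-threaded walk through the hazard. Returns 0 when each step behaves
 * as described, otherwise the number of the step that did not. */
int demo_sequence(void)
{
    char buf[32];
    int s = call_new(7, "alice");                 /* constructed sample call */
    if (s < 0) return 1;
    if (call_get_peer(s, buf, sizeof(buf)) != 0 || strcmp(buf, "alice") != 0) return 2;
    struct call *stale = call_peek_unsafe(s);     /* pointer escapes the lock */
    call_destroy(s);                              /* "other thread" clears the slot */
    if (call_get_peer(s, buf, sizeof(buf)) != -1) return 3;  /* safe path sees NULL */
    if (stale == NULL) return 4;   /* unsafe path still holds a freed pointer (not dereferenced) */
    return 0;
}

/* Two-thread stress: one thread churns slot 0 through call_new/call_destroy
 * while another reads it through the safe accessor. Returns how many reads
 * found the slot populated; the point is that it completes without a
 * NULL dereference whatever the interleaving. */
struct stress_args { int iters; int hits; };

static void *churn(void *arg)
{
    struct stress_args *a = arg;
    for (int i = 0; i < a->iters; i++) {
        int s = call_new(1000 + i, "peer-a");   /* constructed sample call */
        if (s >= 0) call_destroy(s);
    }
    return NULL;
}

static void *reader(void *arg)
{
    struct stress_args *a = arg;
    char buf[32];
    for (int i = 0; i < a->iters; i++)
        if (call_get_peer(0, buf, sizeof(buf)) == 0) a->hits++;
    return NULL;
}

int stress(int iters)
{
    struct stress_args w = { iters, 0 }, r = { iters, 0 };
    pthread_t tw, tr;
    pthread_create(&tw, NULL, churn, &w);
    pthread_create(&tr, NULL, reader, &r);
    pthread_join(tw, NULL);
    pthread_join(tr, NULL);
    return r.hits;
}

int main(void)
{
    printf("demo: %s\n", demo_sequence() == 0 ? "ok" : "unexpected");
    printf("reader saw slot populated %d times, no crash\n", stress(20000));
    return 0;
}
```

The fix the example illustrates is not to drop the lock between the NULL check and the use; where a caller such as an indicate-style entry point has no lock at all, it needs to take the element's lock and re-check for NULL inside it, and every caller has to cope with the element having been cleared rather than treating that as impossible.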