[asterisk-dev] crash chan_misdn 0.3 [asterisk 1.2 svn]

[Christian]

hi Martin,

can you send additionally a trace, so i can see how you produce this 
segfault.

cheers,

christian


Martin Vít wrote:
> Hello guyes. Hhope, that this is right place to discuss this.
>
> I'm expiriencing crash in isdn_lib.c which dereferences stack pointer 
> which is null (get_stack_by_bc(bc) return NULL pointer, see --- code 
> --- below..)
>
> Here is full backtrace.
>
> #0  0xb7873e3a in misdn_lib_tx2misdn_frm (bc=0x818389c, 
> data=0x9681e68, len=320) at isdn_lib.c:4016
>        stack = (struct misdn_stack *) 0x0
>        buf = 
> "ÓÓÓÓ\200\002\022\000\000\000\000\000@\001\000\000űë\n\232â˛\222Ž.în\216\016Nžţ~\236\036\236ţN\216Ž\202:k[ó/\017ż?˙˙?żĎ\217/Ż\223ł\203Ł\233űKkŤę\núZbBr\022ŇŇŇ\222ňB\202\"\032:ĘęŤk\vKKKKKKKKťË\213ëŞjJ:::Jjë;[C\223ÓÓó\003Łűë\núÚ\"âZz:ĘjŤ\213K;{Ű[\033{űËë*\212Jú\232\032ÚÚÚ\232\032Ú\232z\232\232:J\212ę+K\233[#ă#Ű{ť\213+*j\212\nĘĘĘĘĘĘ\n*ë\213Ëť;ťK\v\213ëŤë\213"... 
>
>        frm = (iframe_t *) 0xb4935990
>        r = 536870912
> #1  0xb786153b in misdn_write (ast=0x8851c20, frame=0x9681df8) at 
> chan_misdn.c:2313
>        ch = (struct chan_list *) 0x93fe588
>        __PRETTY_FUNCTION__ = "misdn_write"
> #2  0x0806520b in ast_write (chan=0x8851c20, fr=0x9510388) at 
> channel.c:2340
>        res = -1
>        f = (struct ast_frame *) 0x9681df8
>        __PRETTY_FUNCTION__ = "ast_write"
> #3  0x08068e02 in ast_channel_bridge (c0=0x86a0e08, c1=0x8851c20, 
> config=0xb4937740, fo=0xb4936bf0, rc=0xb4936bf4) at channel.c:3427
>        now = The value of variable 'now' is distributed across several
> locations, and GDB cannot access its value.
>
>
> ---- code ----
>
> int misdn_lib_tx2misdn_frm(struct misdn_bchannel *bc, void *data, int 
> len)
> {
>        struct misdn_stack *stack=get_stack_by_bc(bc);
>
>        switch (bc->bc_state) {
>                case BCHAN_ACTIVATED:
>                case BCHAN_BRIDGED:
>                        break;
>                default:
>                        cb_log(3, bc->port, "BC not yet activated 
> (state:%s)\n",bc_state2str(bc->bc_state));
>                        return -1;
>        }
>
>        unsigned char buf[4096 + mISDN_HEADER_LEN];
>        iframe_t *frm= (iframe_t*)buf;
>        int  r;
>
>        frm->prim = DL_DATA|REQUEST;
>        frm->dinfo = 0;
>        frm->addr = bc->addr | FLG_MSG_DOWN ;
>
>        frm->len = len;
>        memcpy(&buf[mISDN_HEADER_LEN], data,len);
>
>        if ( misdn_cap_is_speech(bc->capability) )
>                flip_buf_bits( &buf[mISDN_HEADER_LEN], len);
>        else
>                cb_log(6, stack->port, "Writing %d data bytes\n",len);
>
>        cb_log(9, stack->port, "Writing %d bytes 2 mISDN\n",len);
>        r=mISDN_write(stack->midev, buf, frm->len + mISDN_HEADER_LEN, 
> TIMEOUT_INFINIT);
>        return 0;
> }
> --------------------
>