[asterisk-dev] Asterisk segfault bug
Stephan Bosch
stephan at rename-it.nl
Thu Sep 29 15:21:30 CDT 2011
Hi,
I've discovered that Asterisk consistently crashes when our analog home
pbx is made to ring all lines (including the one Asterisk's dahdi card
is connected to) with a distinctive alarm ring (five very fast
consecutive rings with a short silence). I've produced a core dump and
found the issue to be very simple. I've found this issue in
1.6.2.5-0ubuntu1.4, but judging by the source code, the svn trunk still
has the same problem.
For the ubuntu version, the gdb trace is as follows:
Program terminated with signal 11, Segmentation fault.
#0 0x19051504 in ss_thread (data=0x20e2dfb0) at chan_dahdi.c:8616
8616 chan_dahdi.c: No such file or directory.
in chan_dahdi.c
(gdb) bt
#0 0x19051504 in ss_thread (data=0x20e2dfb0) at chan_dahdi.c:8616
#1 0x006eeb94 in dummy_start (data=0x20bb1880) at utils.c:967
#2 0x0014a96e in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
#3 0x00e27a4e in clone () from /lib/tls/i686/cmov/libc.so.6
Starting at line 8615 in the sources I found the following code fragment:

    f = ast_read(chan);            /* may return NULL on error; not checked below */
    if (f->frametype == AST_FRAME_DTMF) {
        dtmfbuf[k++] = f->subclass;
        ast_log(LOG_DEBUG, "CID got digit '%c'\n", f->subclass);
        res = 2000;
    }
    ast_frfree(f);
This is pretty much my first glance at Asterisk code, and I must say it
is not very easy to plow through. However, from the comment in the
channels.h header I deduced that ast_read() may return NULL upon error.
Clearly, on various occasions where this function is used, the result is
nicely checked for its NULL status first. On this particular occasion,
however, it is not. The evaluation of f->frametype will therefore
segfault in this case.
In SVN trunk
(http://svnview.digium.com/svn/asterisk/trunk/channels/chan_dahdi.c?revision=338226&view=markup)
this code fragment can be found at line 10700. I was planning to write a
patch, but I have little clue what to do when !f.
I would greatly appreciate it if you could kindly fix this (presumably)
very simple flaw. I'll then backport the resulting patch to my ubuntu
version for now until that catches up.
Regards,
Stephan.
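To make the failure mode concrete, here is an added example (not Asterisk's code, and not the patch that was eventually applied) that re-creates the digit-collection loop from the report against a scripted stand-in for ast_read(), with the NULL check added. The ast_frame layout, frame-type values, fake_chan, fake_ast_waitfor/fake_ast_read/fake_ast_frfree and the scenario inputs are all constructed for this example.

```c
#include <stddef.h>
#include <string.h>
enum { AST_FRAME_VOICE = 1, AST_FRAME_DTMF = 2 };    /* stand-in values, not Asterisk's */
struct ast_frame { int frametype; int subclass; };   /* subclass holds the digit for DTMF */
/* Scripted channel: each entry is the next frame ast_read() hands back; a NULL
 * entry models the read error/hangup that the crash report ran into. */
struct fake_chan { struct ast_frame **frames; int nframes; int pos; };
static int fake_ast_waitfor(struct fake_chan *c) { return c->pos < c->nframes; }
static struct ast_frame *fake_ast_read(struct fake_chan *c) { return c->frames[c->pos++]; }
static void fake_ast_frfree(struct ast_frame *f) { (void)f; }

/* Hardened rendering of the ss_thread fragment; the NULL check is the only change.
 * Returns the digits collected; *hungup is set when ast_read() failed, so the
 * caller can abandon CID detection instead of dereferencing a NULL frame. */
int collect_cid_digits(struct fake_chan *chan, char *dtmfbuf, size_t buflen, int *hungup)
{
    size_t k = 0;
    *hungup = 0;
    while (k < buflen - 1 && fake_ast_waitfor(chan)) {  /* waitfor timeout ends collection */
        struct ast_frame *f = fake_ast_read(chan);
        if (!f) {                 /* the check missing at chan_dahdi.c:8616 */
            *hungup = 1;
            break;
        }
        if (f->frametype == AST_FRAME_DTMF)
            dtmfbuf[k++] = (char)f->subclass;
        fake_ast_frfree(f);
    }
    dtmfbuf[k] = '\0';
    return (int)k;
}

/* Constructed scenarios: a clean DTMF burst, and one where the line drops mid-burst. */
char last_digits[8]; int last_hungup;
int scenario_clean(void)
{
    struct ast_frame d1 = { AST_FRAME_DTMF, '1' }, v = { AST_FRAME_VOICE, 0 }, d2 = { AST_FRAME_DTMF, '2' };
    struct ast_frame *frames[] = { &d1, &v, &d2 };
    struct fake_chan chan = { frames, 3, 0 };
    return collect_cid_digits(&chan, last_digits, sizeof last_digits, &last_hungup);
}
int scenario_hangup(void)
{
    struct ast_frame d5 = { AST_FRAME_DTMF, '5' }, d9 = { AST_FRAME_DTMF, '9' };
    struct ast_frame *frames[] = { &d5, NULL, &d9 };   /* NULL: ast_read() failed here */
    struct fake_chan chan = { frames, 3, 0 };
    return collect_cid_digits(&chan, last_digits, sizeof last_digits, &last_hungup);
}
```

With the posted fragment, scenario_hangup() would dereference the NULL at the second read; with the check, it stops at "5" and reports the hangup to the caller.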