[asterisk-dev] Asterisk segfault bug

Richard Mudgett rmudgett at digium.com
Thu Sep 29 20:08:28 CDT 2011


> Hi,
> 
> I've discovered that Asterisk consistently crashes when our analog home
> PBX is made to ring all lines (including the one Asterisk's DAHDI card
> is connected to) with a distinctive alarm ring (five very fast
> consecutive rings with a short silence). I've produced a core dump and
> found the issue to be very simple. I've found this issue in
> 1.6.2.5-0ubuntu1.4, but judging by the source code, the SVN trunk still
> has the same problem.
> 
> For the ubuntu version, the gdb trace is as follows:
> 
> Program terminated with signal 11, Segmentation fault.
> #0 0x19051504 in ss_thread (data=0x20e2dfb0) at chan_dahdi.c:8616
> 8616 chan_dahdi.c: No such file or directory.
> in chan_dahdi.c
> (gdb) bt
> #0 0x19051504 in ss_thread (data=0x20e2dfb0) at chan_dahdi.c:8616
> #1 0x006eeb94 in dummy_start (data=0x20bb1880) at utils.c:967
> #2 0x0014a96e in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
> #3 0x00e27a4e in clone () from /lib/tls/i686/cmov/libc.so.6
> 
> Starting at line 8615 in the sources I found the following code
> fragment:
> 
>     f = ast_read(chan);
>     if (f->frametype == AST_FRAME_DTMF) {
>         dtmfbuf[k++] = f->subclass;
>         ast_log(LOG_DEBUG, "CID got digit '%c'\n", f->subclass);
>         res = 2000;
>     }
>     ast_frfree(f);
> 
> This is pretty much my first glance at Asterisk code, and I must say it
> is not very easy to plow through. However, from the comment in the
> channels.h header I deduced that ast_read() may return NULL upon error.
> Clearly, on various occasions where this function is used, the result
> is nicely checked for its NULL status first. On this particular
> occasion, however, it is not. The evaluation of f->frametype will
> therefore segfault in this case.
> 
> In SVN trunk
> (http://svnview.digium.com/svn/asterisk/trunk/channels/chan_dahdi.c?revision=338226&view=markup)
> this code fragment can be found at line 10700. I was planning to write
> a patch, but I have little clue what to do when !f.
> 
> I would greatly appreciate it if you could kindly fix this (presumably)
> very simple flaw. I'll then backport the resulting patch to my Ubuntu
> version for now until that catches up.
> 
> Regards,
> 
> Stephan.
> 
Please report bugs on the issue tracker at:
https://issues.asterisk.org/jira

Richard
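The bug described in the quoted report is a missing NULL check on the return value of ast_read() before f->frametype is dereferenced. The following C program is an added example, not Asterisk code and not a patch from the thread: the ast_frame struct, fake_chan, fake_waitfor(), fake_read() and fake_frfree() are hypothetical stand-ins for the Asterisk channel API, and the frame sequences are constructed, not captured traffic. collect_dtmf() is the hardened form of the quoted loop body: it treats a NULL frame as end of input instead of dereferencing it, and it also bounds the write into dtmfbuf, a check the quoted fragment does not show.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for the Asterisk frame types used by the quoted
 * fragment; the real definitions live in include/asterisk/frame.h. */
enum ast_frame_type { AST_FRAME_DTMF = 1, AST_FRAME_VOICE = 2 };

struct ast_frame {
    enum ast_frame_type frametype;
    int subclass;               /* for DTMF frames: the digit as a char */
};

/* Constructed scripted channel: frame pointers handed out in order.
 * A NULL entry models ast_read() failing (hangup or read error). */
struct fake_chan {
    struct ast_frame **script;
    size_t len;
    size_t pos;
};

/* Stand-in for ast_waitfor(): >0 while the script still has an entry,
 * 0 once it is exhausted, which plays the role of the inter-digit timeout. */
static int fake_waitfor(struct fake_chan *chan, int ms)
{
    (void)ms;
    return chan->pos < chan->len ? 1 : 0;
}

/* Stand-in for ast_read(): may return NULL, as channels.h documents. */
static struct ast_frame *fake_read(struct fake_chan *chan)
{
    if (chan->pos >= chan->len)
        return NULL;
    return chan->script[chan->pos++];
}

/* Stand-in for ast_frfree(); nothing to release for static frames. */
static void fake_frfree(struct ast_frame *f)
{
    (void)f;
}

/* Hardened form of the quoted loop body. Collects DTMF digits into
 * dtmfbuf (NUL-terminated). Returns the number of digits stored, or -1
 * if the read failed; digits received so far stay in dtmfbuf. */
static int collect_dtmf(struct fake_chan *chan, char *dtmfbuf, size_t bufsz)
{
    size_t k = 0;
    int res = 2000;             /* ms to wait for the next digit, as in the fragment */

    if (bufsz == 0)
        return -1;
    dtmfbuf[0] = '\0';

    while (fake_waitfor(chan, res) > 0) {
        struct ast_frame *f = fake_read(chan);

        /* The check the quoted fragment lacks: never touch f->frametype
         * when ast_read() returned NULL. Treat it as end of input. */
        if (!f) {
            dtmfbuf[k] = '\0';
            return -1;
        }
        if (f->frametype == AST_FRAME_DTMF) {
            /* Bound the write; the fragment shows no check around dtmfbuf[k++]. */
            if (k + 1 < bufsz)
                dtmfbuf[k++] = (char)f->subclass;
            res = 2000;
        }
        fake_frfree(f);
    }
    dtmfbuf[k] = '\0';
    return (int)k;
}

/* Constructed frames for the scenarios below (not captured traffic). */
static struct ast_frame digit_5 = { AST_FRAME_DTMF, '5' };
static struct ast_frame digit_1 = { AST_FRAME_DTMF, '1' };
static struct ast_frame digit_2 = { AST_FRAME_DTMF, '2' };
static struct ast_frame voice   = { AST_FRAME_VOICE, 0 };

/* Scenario: three digits with a voice frame in between, then timeout. */
static int scenario_ok(char *out, size_t n)
{
    struct ast_frame *script[] = { &digit_5, &voice, &digit_1, &digit_2 };
    struct fake_chan chan = { script, 4, 0 };
    return collect_dtmf(&chan, out, n);
}

/* Scenario: one digit, then ast_read() fails. The quoted code would
 * dereference NULL at this point; this version stops cleanly. */
static int scenario_read_fails(char *out, size_t n)
{
    struct ast_frame *script[] = { &digit_5, NULL, &digit_1 };
    struct fake_chan chan = { script, 3, 0 };
    return collect_dtmf(&chan, out, n);
}

int main(void)
{
    char buf[16];
    int n = scenario_ok(buf, sizeof buf);
    printf("ok:   n=%d digits=\"%s\"\n", n, buf);
    n = scenario_read_fails(buf, sizeof buf);
    printf("fail: n=%d digits=\"%s\"\n", n, buf);
    return 0;
}
```

Returning -1 on a NULL frame lets the caller decide whether the partial digit string is still usable or whether the channel should be torn down; that decision belongs to the calling code, which in the real ss_thread() also has to release the channel on hangup. What matters for the crash is that the frame pointer is tested before any field of it is read.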


