[asterisk-users] Asterisk crash - segmentation fault

Vieri rentorbuy at yahoo.com
Wed Mar 24 03:16:07 CDT 2010



--- On Tue, 3/23/10, Tilghman Lesher <tilghman at mail.jeffandtilghman.com> wrote:

> > --- On Tue, 3/23/10, Vieri <rentorbuy at yahoo.com> wrote:
> > > My Asterisk 1.2.40 process crashes regularly in the is_zero_or_null function at:
> > >
> > > return (*vp->u.s == 0 || (to_integer (vp) && vp->u.i == 0));
> > >
> > > My gdb trace is at:
> > > http://pastebin.com/raw.php?i=hmhzZxye
> > >
> > > Other examples here:
> > > http://lists.digium.com/pipermail/asterisk-users/2010-March/245927.html
> > >
> > > Can anyone please help?
> >
> > And my Asterisk log shows the following right before the crash:
> >
> > Mar 23 12:32:37 VERBOSE[9054] logger.c:     -- Executing ExecIf("SIP/4070-09464648", "0|Set|REALCALLERIDNUM=4070") in new stack
> > Mar 23 12:32:37 DEBUG[9054] app_macro.c: Executed application: ExecIf
> > Mar 23 12:32:37 DEBUG[9054] pbx.c: Expression result is '0'
> > Mar 23 12:32:37 DEBUG[9054] pbx.c: Function result is '4070'
> > Mar 23 12:32:37 DEBUG[9054] pbx.c: Expression result is '0'
> > Mar 23 12:32:37 DEBUG[9054] pbx.c: Expression result is '1'
> > Mar 23 12:32:37 DEBUG[9054] pbx.c: Expression result is '0'
> > Mar 23 12:32:37 WARNING[9054] ast_expr2.y: Conversion of 0 to integer under/overflowed!
> >
> > What does this mean?
> 
> It's quite clearly a bug, but given that 1.2 is in security maintenance mode, it's not a bug that will ever be fixed in an official release of Asterisk. Your best bet is to bite the bullet and upgrade to 1.4.

Understood. However, 1.4 also has the same code for that function.
There's something I'd like to know about this logic:

	errno = 0;
	i  = strtoll(vp->u.s, (char**)NULL, 10);
	if (errno != 0) {	/* any nonzero errno is treated as an overflow */
		ast_log(LOG_WARNING,"Conversion of %s to integer under/overflowed!\n", vp->u.s);
		free(vp->u.s);	/* the string is released and the pointer cleared on failure */
		vp->u.s = 0;
		return(0);
	}

Since my warning message is "Conversion of 0 to integer under/overflowed!", that means the string was set to "0" before the conversion.
0 is within the range LLONG_MIN - LLONG_MAX.
So what I don't understand is why strtoll is "failing" if vp->u.s is actually 0.

Wouldn't that fail in 1.4 too?
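The check in the quoted snippet treats any nonzero errno after strtoll as an under/overflow. The C standard permits a library function to leave errno nonzero even when no error occurred, so the only reliable overflow indicator from strtoll is errno == ERANGE, together with an end-pointer check for inputs that are not numbers at all. The snippet also frees the string and sets vp->u.s to NULL on failure, so any later dereference of that pointer faults. Whether either of these is exactly what produced the warning above is not established in this thread. The example below is added here and is not Asterisk code; parse_decimal, expr_val and is_zero_or_null_safe are names chosen for this illustration, standing in for the evaluator's to_integer and is_zero_or_null.

```c
/* Added example, not Asterisk code: a strtoll wrapper that reports
 * overflow only on ERANGE and rejects non-numeric input via the end
 * pointer, plus a zero check that never frees the caller's string. */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

enum parse_status { PARSE_OK, PARSE_NOT_A_NUMBER, PARSE_OUT_OF_RANGE };

/* Parse the whole of s as a base-10 integer. Only ERANGE means the
 * value did not fit; other errno values are ignored because the C
 * standard allows them to appear without an error. Returns a status
 * and stores the value in *out only on PARSE_OK. */
enum parse_status parse_decimal(const char *s, long long *out)
{
    char *end = NULL;

    if (s == NULL || *s == '\0')
        return PARSE_NOT_A_NUMBER;

    errno = 0;
    long long v = strtoll(s, &end, 10);
    if (errno == ERANGE)
        return PARSE_OUT_OF_RANGE;   /* v is LLONG_MIN or LLONG_MAX */
    if (end == s || *end != '\0')
        return PARSE_NOT_A_NUMBER;   /* no digits, or trailing junk */

    *out = v;
    return PARSE_OK;
}

/* Hypothetical stand-in for the evaluator's value cell: the string
 * form and, once converted, its integer form. */
struct expr_val {
    char *s;
    long long i;
};

/* Returns 1 when the value is empty or numerically zero, 0 otherwise.
 * A failed conversion leaves v->s intact, so code that later reads
 * the string cannot hit a NULL pointer. */
int is_zero_or_null_safe(struct expr_val *v)
{
    if (v->s == NULL || *v->s == '\0')
        return 1;
    if (parse_decimal(v->s, &v->i) != PARSE_OK)
        return 0;
    return v->i == 0;
}

int main(void)
{
    /* Constructed sample inputs: the "0" from the log, a caller id,
     * an out-of-range value and a non-number. */
    const char *samples[] = { "0", "4070", "99999999999999999999", "12abc" };
    for (int k = 0; k < 4; k++) {
        long long val = 0;
        enum parse_status st = parse_decimal(samples[k], &val);
        printf("%-22s status=%d value=%lld\n", samples[k], (int)st, val);
    }
    return 0;
}
```

Under this version "0" converts cleanly and a value that really does not fit is reported without touching the caller's buffer; the caller decides whether to free anything.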
