[asterisk-users] asterisk 13.16. - sigseg during negotiation
Michael Maier
m1278468 at mailbox.org
Sun Jun 18 04:00:38 CDT 2017
Hello!
unchanged asterisk crashes during udptl / t.38 negotiation with telekom
- they do not support t.38 / udptl.
In detail:
fax client -> asterisk -> telekom -> easybell -> asterisk -> fax server
Fax server sends t.38 reinvite via asterisk to easybell.
Session Description Protocol Version (v): 0
Owner/Creator, Session Id (o): - 2447581897 4 IN IP4 46.17.15.23
Session Name (s): Asterisk
Connection Information (c): IN IP4 46.17.15.23
Time Description, active time (t): 0 0
Media Description, name and address (m): image 4573 udptl t38
Media Attribute (a): T38FaxVersion:0
Media Attribute (a): T38MaxBitRate:14400
Media Attribute (a): T38FaxRateManagement:transferredTCF
Media Attribute (a): T38FaxMaxDatagram:397
Media Attribute (a): T38FaxUdpEC:t38UDPRedundancy
This reinvite is received by asterisk via telekom:
Session Description Protocol Version (v): 0
Owner/Creator, Session Id (o): - 1811299599 2925027276 IN IP4 0.0.0.0
Session Name (s): -
Time Description, active time (t): 0 0
Media Description, name and address (m): image 0 udptl t38
Media Attribute (a): sendrecv
Media Attribute (a): T38FaxVersion:0
Media Attribute (a): T38MaxBitRate:14400
Media Attribute (a): T38FaxRateManagement:transferredTCF
Media Attribute (a): T38FaxMaxDatagram:397
Media Attribute (a): T38FaxUdpEC:t38UDPRedundancy
And asterisk gives it to the fax client:
Session Description Protocol Version (v): 0
Owner/Creator, Session Id (o): - 1497774025 5 IN IP4 192.168.12.13
Session Name (s): Asterisk
Connection Information (c): IN IP4 192.168.12.13
Time Description, active time (t): 0 0
Media Description, name and address (m): image 4284 udptl t38
Media Attribute (a): T38FaxVersion:0
Media Attribute (a): T38MaxBitRate:14400
Media Attribute (a): T38FaxRateManagement:transferredTCF
Media Attribute (a): T38FaxMaxDatagram:393
Media Attribute (a): T38FaxUdpEC:t38UDPRedundancy
Completely ignoring that telekom doesn't support it (port and IP
addresses are set to 0).
On completing the negotiation after 200 ok SDP and ACK from fax client,
asterisk crashes. Stack trace is attached!
Regards,
Michael
-------------- next part --------------
Program terminated with signal 11, Segmentation fault.
#0 ast_copy_pj_str (dest=0x7fb9f5901100 "x\277\001<h\025\220", <incomplete sequence \365>, src=0x20, size=1025) at res_pjsip.c:4147
#1 0x00007fb9f0b02334 in negotiate_incoming_sdp_stream (session=0x7fba3c031200, session_media=<value optimized out>, sdp=<value optimized out>, stream=<value optimized out>)
at res_pjsip_t38.c:703
#2 0x00007fba0499ccf6 in handle_incoming_sdp (session=0x7fba3c031200, sdp=0x7fba3c0adfb8) at res_pjsip_session.c:243
#3 0x00007fba0499e650 in session_inv_on_rx_offer (inv=0x7fba3c0504e8, offer=0x7fba3c0adfb8) at res_pjsip_session.c:3009
#4 0x00007fba44b1b501 in inv_check_sdp_in_incoming_msg (inv=0x7fba3c0504e8, tsx=0x7fba08006878, rdata=0x7fba3c0b00a8) at ../src/pjsip-ua/sip_inv.c:2110
#5 0x00007fba44b20026 in inv_on_state_confirmed (inv=0x7fba3c0504e8, e=0x7fb9f5901880) at ../src/pjsip-ua/sip_inv.c:4869
#6 0x00007fba44b18869 in mod_inv_on_tsx_state (tsx=0x7fba08006878, e=0x7fb9f5901880) at ../src/pjsip-ua/sip_inv.c:717
#7 0x00007fba44b64850 in pjsip_dlg_on_tsx_state (dlg=0x7fba3c028c58, tsx=0x7fba08006878, e=0x7fb9f5901880) at ../src/pjsip/sip_dialog.c:2064
#8 0x00007fba44b650bf in mod_ua_on_tsx_state (tsx=0x7fba08006878, e=0x7fb9f5901880) at ../src/pjsip/sip_ua_layer.c:178
#9 0x00007fba44b5d0e4 in tsx_set_state (tsx=0x7fba08006878, state=PJSIP_TSX_STATE_TRYING, event_src_type=PJSIP_EVENT_RX_MSG, event_src=0x7fba3c0b00a8, flag=0)
at ../src/pjsip/sip_transaction.c:1267
#10 0x00007fba44b5f1f7 in tsx_on_state_null (tsx=0x7fba08006878, event=0x7fb9f5901950) at ../src/pjsip/sip_transaction.c:2410
#11 0x00007fba44b5e07c in pjsip_tsx_recv_msg (tsx=0x7fba08006878, rdata=0x7fba3c0b00a8) at ../src/pjsip/sip_transaction.c:1827
#12 0x00007fba44b63f62 in pjsip_dlg_on_rx_request (dlg=0x7fba3c028c58, rdata=0x7fba3c0b00a8) at ../src/pjsip/sip_dialog.c:1711
#13 0x00007fba44b65bde in mod_ua_on_rx_request (rdata=0x7fba3c0b00a8) at ../src/pjsip/sip_ua_layer.c:704
#14 0x00007fba44b42b1e in pjsip_endpt_process_rx_data (endpt=0x36cc2a8, rdata=0x7fba3c0b00a8, p=0x7fba05c8d0a0, p_handled=0x7fb9f5901b7c) at ../src/pjsip/sip_endpoint.c:887
#15 0x00007fba05a72c59 in distribute (data=0x7fba3c0b00a8) at res_pjsip/pjsip_distributor.c:770
#16 0x00000000005ed6d1 in ast_taskprocessor_execute (tps=0x7fba3c0400a0) at taskprocessor.c:965
#17 0x00000000005f7056 in execute_tasks (data=0x7fba3c0400a0) at threadpool.c:1322
#18 0x00000000005ed6d1 in ast_taskprocessor_execute (tps=0x36bfab0) at taskprocessor.c:965
#19 0x00000000005f53a1 in threadpool_execute (pool=0x36c0040) at threadpool.c:351
#20 0x00000000005f69b4 in worker_active (worker=0x7fba38001fb0) at threadpool.c:1105
#21 0x00000000005f6760 in worker_start (arg=0x7fba38001fb0) at threadpool.c:1024
#22 0x000000000060292c in dummy_start (data=0x7fba38000a50) at utils.c:1238
#23 0x00007fba43005aa1 in start_thread (arg=0x7fb9f5902700) at pthread_create.c:301
#24 0x00007fba4238dbcd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115
(gdb) frame 0
#0 ast_copy_pj_str (dest=0x7fb9f5901100 "x\277\001<h\025\220", <incomplete sequence \365>, src=0x20, size=1025) at res_pjsip.c:4147
4147 size_t chars_to_copy = MIN(size - 1, pj_strlen(src));
(gdb) list
4142 return std.fail;
4143 }
4144
4145 void ast_copy_pj_str(char *dest, const pj_str_t *src, size_t size)
4146 {
4147 size_t chars_to_copy = MIN(size - 1, pj_strlen(src));
4148 memcpy(dest, pj_strbuf(src), chars_to_copy);
4149 dest[chars_to_copy] = '\0';
4150 }
4151
(gdb) frame 1
#1 0x00007fb9f0b02334 in negotiate_incoming_sdp_stream (session=0x7fba3c031200, session_media=<value optimized out>, sdp=<value optimized out>, stream=<value optimized out>)
at res_pjsip_t38.c:703
703 ast_copy_pj_str(host, stream->conn ? &stream->conn->addr : &sdp->conn->addr, sizeof(host));
(gdb) lsit
Undefined command: "lsit". Try "help".
(gdb) list
698 ast_debug(3, "Declining; T.38 state is rejected or declined\n");
699 t38_change_state(session, session_media, state, T38_DISABLED);
700 return -1;
701 }
702
703 ast_copy_pj_str(host, stream->conn ? &stream->conn->addr : &sdp->conn->addr, sizeof(host));
704
705 /* Ensure that the address provided is valid */
706 if (ast_sockaddr_resolve(&addrs, host, PARSE_PORT_FORBID, AST_AF_INET) <= 0) {
707 /* The provided host was actually invalid so we error out this negotiation */
(gdb) frame 2
#2 0x00007fba0499ccf6 in handle_incoming_sdp (session=0x7fba3c031200, sdp=0x7fba3c0adfb8) at res_pjsip_session.c:243
243 res = handler->negotiate_incoming_sdp_stream(session, session_media, sdp,
(gdb) list
238 if (session_media->handler) {
239 handler = session_media->handler;
240 ast_debug(1, "Negotiating incoming SDP media stream '%s' using %s SDP handler\n",
241 session_media->stream_type,
242 session_media->handler->id);
243 res = handler->negotiate_incoming_sdp_stream(session, session_media, sdp,
244 sdp->media[i]);
245 if (res < 0) {
246 /* Catastrophic failure. Abort! */
247 return -1;
(gdb) frame 3
#3 0x00007fba0499e650 in session_inv_on_rx_offer (inv=0x7fba3c0504e8, offer=0x7fba3c0adfb8) at res_pjsip_session.c:3009
3009 if (handle_incoming_sdp(session, offer)) {
(gdb) list
3004 static void session_inv_on_rx_offer(pjsip_inv_session *inv, const pjmedia_sdp_session *offer)
3005 {
3006 struct ast_sip_session *session = inv->mod_data[session_module.id];
3007 pjmedia_sdp_session *answer;
3008
3009 if (handle_incoming_sdp(session, offer)) {
3010 return;
3011 }
3012
3013 if ((answer = create_local_sdp(inv, session, offer))) {
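
Added example (not part of the original post and not Asterisk or pjproject code): the `src=0x20` in frame 0 is consistent with `&sdp->conn->addr` being formed from a NULL `conn`, since the SDP received via telekom carries no c= line. The sketch below shows why that pointer is small but non-NULL and how a guarded lookup declines the stream instead; the struct types and the helpers `stream_conn_addr` and `copy_conn_host` are hypothetical stand-ins.

```c
#include <stddef.h>
#include <string.h>

/* Simplified stand-ins for the pjmedia SDP types (assumption: reduced to the
 * fields used here; these are not the pjproject headers). */
typedef struct { const char *ptr; ptrdiff_t slen; } str_t;
typedef struct { str_t net_type, addr_type, addr; } sdp_conn;
typedef struct { sdp_conn *conn; unsigned port; } sdp_media;
typedef struct { sdp_conn *conn; } sdp_session;

/* With conn == NULL, &conn->addr is just this offset: a small non-NULL
 * pointer that a "src != NULL" test would not catch. */
size_t addr_offset_in_conn(void)
{
    return offsetof(sdp_conn, addr);
}

/* Hypothetical helper: media-level c= first, then session-level c=,
 * NULL when the offer carries neither. */
static const str_t *stream_conn_addr(const sdp_session *sdp, const sdp_media *m)
{
    const sdp_conn *c = m->conn ? m->conn : sdp->conn;
    return c ? &c->addr : NULL;
}

/* Guarded copy of the connection address into dest.
 * Returns 0 on success, -1 when there is no usable address (the caller
 * declines the stream instead of dereferencing). Truncates to size - 1. */
int copy_conn_host(char *dest, size_t size, const sdp_session *sdp, const sdp_media *m)
{
    const str_t *a = stream_conn_addr(sdp, m);
    size_t n;

    if (size == 0) {
        return -1;
    }
    dest[0] = '\0';
    if (!a || !a->ptr || a->slen <= 0) {
        return -1;
    }
    n = (size_t)a->slen < size - 1 ? (size_t)a->slen : size - 1;
    memcpy(dest, a->ptr, n);
    dest[n] = '\0';
    return 0;
}
```
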