
Summary: ASTERISK-01243: zapscan triggers segfault when monitoring a chan that has no type set
Reporter: jjanzer (jjanzer)
Date Opened: 2004-03-18 21:17:44.000-0600
Date Closed: 2004-09-25 02:54:38
Priority: Critical
Regression?: No
Status: Closed/Complete
Components: Core/General
Attachments: (0) fax.diff
Description:If you use zapscan and scan into a channel that doesn't have ->type set, it will crash on line 272 of zapscan.c, since it will call strcmp against 0x0.

Attached is a simple patch to prevent the crash.

This was triggered when AsyncGoto/Zap/26-1 was scanned:
AsyncGoto/Zap/26-1  (ldloop     fax          1   )      Up (None)        (None)        
      Zap/26-1  (ldloop     s            1   )      Up

Not necessarily related to this bug, but zapscan.c should be audited for strcmp vs strncmp and strcpy vs strncpy, etc...


****** ADDITIONAL INFORMATION ******

(gdb) bt full
#0  0x4065a8b6 in conf_exec (chan=0x816fda8, data=0xbd7ff75c) at app_zapscan.c:272
__s1 = (unsigned char *) 0x0
__result = 136216400
chan = (struct ast_channel *) 0x816fda8
res = 0
u = (struct localuser *) 0x8169180
confno = 27
confstr = "Zap/27\0001\000õ\177½4ª\002@x\000\000\000\030¸'\b\200,\020\b\\÷\177½<õ\177½\000I\a\b\030¸'\b\\÷\177½O\000\000\000£7\005\b\000\000\000\000\200,\020\bØi\024\b\0268\005\bx4\f\b\000\000\000"
tmp = 0x81e7f50 "AsyncGoto/Zap/26-1"
tempchan = (struct ast_channel *) 0x81e7f50
lastchan = (struct ast_channel *) 0x81da4e8
f = (struct ast_frame *) 0x81e7f50
#1  0x08062480 in pbx_exec (c=0x816fda8, app=0x8102c80, data=0xbd7ff75c, newstack=1) at pbx.c:396
res = 0
stack = -1
execute = (int (*)()) 0x4065a7ac <conf_exec>
#2  0x08064553 in pbx_extension_helper (c=0x816fda8, context=0x816ff00 "corporate", exten=0x816fff4 "5801", priority=2, callerid=0x81f5920 "JJanzer <6003>",
   action=1) at pbx.c:1174
callerid = 0x8102c80 "ZapScan"
action = -1115687076
e = (struct ast_exten *) 0x81469d8
app = (struct ast_app *) 0x8102c80
sw = (struct ast_switch *) 0x0
data = 0x0
newstack = 1
res = 136216400
status = 4
---Type <return> to continue, or q <return> to quit---
incstack = {0x0 <repeats 20 times>, 0x3 <Address 0x3 out of bounds>, 0x8071692 "\203Ä\020\205Àu\a\212\0043\210\0047GC\200<3", 0x80b42d0 "( )-.",
 0x33 <Address 0x33 out of bounds>, 0x0, 0x0, 0xbd7ff91c "JJanzer", 0x827b5e8 "JJanzer <6003>", 0x0, 0x827b8a8 "1079660278.6616", 0x827b5e8 "JJanzer <6003>", 0x0,
 0xbd7ff96c "ôÿ\026\b\002", 0x8073e63 "1À\215e\210[^_\211ì]Ã\220U\211å\203ìlWVS\213}\b ¸J\v\b\203Äü\213·D\027", 0x827b8a8 "1079660278.6616",
 0x817155c "1079660278.6616", 0x1f <Address 0x1f out of bounds>, 0x40155b61 "\201ÃÏÚ\v", 0x4002dd14 "\024ì", 0xbd7ffbe0 "àû\177½", 0x0, 0x4002dd14 "\024ì",
 0x402140a0 "", 0x827b5e8 "JJanzer <6003>", 0xbd7ff92c "", 0x40025d7a "ëÏ\215t&", 0xbd7ff91c "JJanzer", 0xbd7ff925 "6003",
 0x6e614a4a <Address 0x6e614a4a out of bounds>, 0x72657a <Address 0x72657a out of bounds>, 0x30303600 <Address 0x30303600 out of bounds>,
 0x33 <Address 0x33 out of bounds>, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8074477 "\215eè[^\211ì]ÃU\211å\203ì\024S\213]\b\205Û\017\204\234", 0x827b868 "öNZ@\021\020", 0x0,
 0x0, 0x0, 0x816ff00 "corporate", 0x816fff4 "5801"}
passdata = '\0' <repeats 255 times>
stacklen = 0
tmp = "\e[1;36;40mZapScan\e[0;37;40m\000;40m", '\0' <repeats 47 times>
tmp2 = "\e[1;35;40mSIP/6003-17ba\e[0;37;40m", '\0' <repeats 46 times>
tmp3 = "\e[1;35;40m\e[0;37;40m\00040m", '\0' <repeats 231 times>
#3  0x0806528d in ast_pbx_run (c=0x816fda8) at pbx.c:1658
digit = 0 '\0'
exten = '\0' <repeats 255 times>
pos = 0
waittime = -1115686228
res = 0
#4  0x0806b82e in pbx_thread (data=0x816fda8) at pbx.c:1883
data = (void *) 0x81e7f50
#5  0x40024e51 in pthread_start_thread () from /lib/libpthread.so.0
No symbol table info available.
#6  0x40024ecf in pthread_start_thread_event () from /lib/libpthread.so.0
No symbol table info available.
#7  0x401bb64a in clone () from /lib/libc.so.6
No symbol table info available.
(gdb)
(gdb) print tempchan
$1 = (struct ast_channel *) 0x81e7f50
(gdb) print tempchan->type                
$2 = 0x0
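Added illustration (not the attached fax.diff and not Asterisk's own code): a simplified model of the scanner's channel-type comparison, showing the unguarded strcmp() that reads through a NULL type next to the guarded form, plus a bounded copy helper for the strcpy/strncpy audit the report suggests. The struct, the function names and the channel list are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for the two ast_channel fields the scanner compares (constructed, not Asterisk's struct). */
struct chan {
    const char *name;
    const char *type;        /* NULL for the AsyncGoto pseudo-channel in the report */
    const struct chan *next;
};

/* The crashing pattern: strcmp() reads through type, so a NULL type faults (frame #0, __s1 = 0x0). */
int is_zap_unguarded(const struct chan *c) { return strcmp(c->type, "Zap") == 0; }

/* Hardened form: a missing type simply means "not a Zap channel". */
int is_zap_guarded(const struct chan *c) { return c->type != NULL && strcmp(c->type, "Zap") == 0; }

/* Walk the channel list with the guarded test and count Zap channels. */
int count_zap_channels(const struct chan *head)
{
    int n = 0;
    for (const struct chan *c = head; c != NULL; c = c->next)
        n += is_zap_guarded(c);
    return n;
}

/* Bounded copy for the strcpy/strncpy audit the report asks for: always NUL-terminates dst and
 * returns 1 if src had to be truncated to fit. Hypothetical helper, not an Asterisk API. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0) return n > 0;
    if (n >= dstsz) { memcpy(dst, src, dstsz - 1); dst[dstsz - 1] = '\0'; return 1; }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Channel list from the report (constructed): the scan must count Zap/26-1 without reading the NULL type. */
int scan_report_scenario(void)
{
    static const struct chan sip   = { "SIP/6003-17ba", "SIP", NULL };
    static const struct chan zap   = { "Zap/26-1", "Zap", &sip };
    static const struct chan agoto = { "AsyncGoto/Zap/26-1", NULL, &zap };
    return count_zap_channels(&agoto); /* 1 */
}

int main(void)
{
    printf("Zap channels found: %d\n", scan_report_scenario());
    return 0;
}
```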
Comments:

By: James Golovich (jamesgolovich) 2004-03-18 22:27:25.000-0600

Sounds like just what zoa was hitting but was unable to reproduce.  I'll get this fixed up in cvs.

A lot of the contributed code needs to be audited for proper function usage.  Patches are appreciated :)

By: James Golovich (jamesgolovich) 2004-03-18 22:52:55.000-0600

Fixed in CVS