Summary: ASTERISK-02757: Cisco CID blocking cause crash
Reporter: Andrew Lindh (andrew)
Labels:
Date Opened: 2004-11-07 15:33:27.000-0600
Date Closed: 2004-11-09 00:30:14.000-0600
Priority: Critical
Regression?: No
Status: Closed/Complete
Components: Core/General
Versions:
Frequency of Occurrence:
Related Issues:
Environment:
Attachments: (0) sip-debug.txt

Description:

On a Cisco 7960 SIP phone:
When I set "Caller ID Blocking" to YES on the phone and then make a call it crashes Asterisk:

asterisk*CLI> /usr/sbin/safe_asterisk: line 83: 13209 Killed                  
asterisk ${CLIARGS} ${ASTARGS} 1>&/dev/${TTY} </dev/${TTY}
Asterisk ended with exit status 137
Asterisk exited on signal 9.
Automatically restarting Asterisk.



****** ADDITIONAL INFORMATION ******


Cisco phone software tested is SIP version 7.3 and 7.2
Comments:

By: Mark Spencer (markster) 2004-11-07 16:17:36.000-0600

Please provide a gdb backtrace in accordance with the bug guidelines which were highlighted in yellow when you went to place your bug report or find someone on IRC that can login to your machine and generate it for you, along with SIP debug again in accordance with the bug guidelines.

By: Andrew Lindh (andrew) 2004-11-07 17:55:57.000-0600

# 0  0x403a7b80 in check_user_full (p=0x4065ba58, req=0xbeffe7a4,
   cmd=0xbeffe9b8 "INVITE", uri=0xbeffe9bf "sip:301@204.213.176.174",
   reliable=1, sin=0xbeffe794, ignore=0, mailbox=0x0, mailboxlen=320)
   at utils.h:21
# 1  0x4039de7c in handle_request (p=0x4065ba58, req=0xbeffe7a4,
   sin=0xbeffe794, recount=0x140, nounlock=0xbeffe72c) at chan_sip.c:5456
# 2  0x40399ecf in sipsock_read (id=0x81153f8, fd=13, events=1, ignore=0x0)
   at chan_sip.c:7640
# 3  0x08052700 in ast_io_wait (ioc=0x81145f0, howlong=320) at io.c:267
# 4  0x4039476c in do_monitor (data=0x0) at chan_sip.c:7788
# 5  0x40025e51 in pthread_start_thread () from /lib/libpthread.so.0
# 6  0x401ed69a in clone () from /lib/libc.so.6

See attached sip-debug.txt file also.

edited on: 11-07-04 18:05


By: Mark Spencer (markster) 2004-11-07 19:00:54.000-0600

Please update to latest CVS and run "make clean ; make valgrind" and then provide an updated backtrace.  Thanks.

By: Andrew Lindh (andrew) 2004-11-07 19:03:09.000-0600

Still crashes. 0 byte core file in /tmp after crash with a make valgrind.

What options/output would you like when I run it from valgrind?

When I run it from valgrind it still dies and repeats forever:
Ouch ... error while writing audio data: : Broken pipe

edited on: 11-07-04 19:49

By: Brian West (bkw918) 2004-11-08 09:13:10.000-0600

Well, asterisk doesn't crash but you do get some interesting things.

ACK sip:4238080@65.38.28.146 SIP/2.0
Via: SIP/2.0/UDP 65.38.28.157:5060;branch=z9hG4bK6aeb6c68
From: "Anonymous" <sip:Anonymous@65.38.28.146>;tag=000dbcd92c3834d4091e28f4-666f50fc
To: <sip:4238080@65.38.28.146>;tag=as449d05ed
Call-ID: 000dbcd9-2c3800a4-27c16773-241c1043@65.38.28.157
Date: Mon, 08 Nov 2004 15:12:06 GMT
CSeq: 102 ACK
Content-Length: 0


INVITE sip:4238080@65.38.28.146 SIP/2.0
Via: SIP/2.0/UDP 65.38.28.157:5060;branch=z9hG4bK6aeb6c68
From: "Anonymous" <sip:Anonymous@65.38.28.146>;tag=000dbcd92c3834d4091e28f4-666f50fc
To: <sip:4238080@65.38.28.146>
Call-ID: 000dbcd9-2c3800a4-27c16773-241c1043@65.38.28.157
Date: Mon, 08 Nov 2004 15:12:06 GMT
CSeq: 102 INVITE
User-Agent: CSCO/7
Contact: <sip:10@65.38.28.157:5060>
Proxy-Authorization: Digest username="10",realm="bkw.org",uri="sip:65.38.28.146",response="f5e674c9e1dd07e4b14bef7ccffd7412",nonce="3dcc0b78",algorithm=md5
Expires: 180
Content-Type: application/sdp
Content-Length: 247


:P

By: Brian West (bkw918) 2004-11-08 09:15:24.000-0600

[Anonymous]
type=user
username=Anonymous
callerid=Unknown <0000000000>
context=default
deny=0.0.0.0/0
permit=65.38.28.144/28

By: Mark Spencer (markster) 2004-11-08 09:57:45.000-0600

You need not run it *from* valgrind, just run "make clean ; make valgrind" and run normally.  In that way I should be able to see the real location where the crash took place.

By: Andrew Lindh (andrew) 2004-11-08 11:35:44.000-0600

0 length core was caused by deleted open files filling /tmp space....reboot fixed that...

# 0  0x403a613c in ast_strlen_zero (s=0x140 <Address 0x140 out of bounds>)
   at utils.h:22
No locals.
# 1  0x4039803c in check_user_full (p=0x81bac80, req=0xbeffe824,
   cmd=0xbeffea38 "INVITE", uri=0xbeffea3f "sip:301@204.213.176.174",
   reliable=1, sin=0xbeffe814, ignore=0, mailbox=0x0, mailboxlen=0)
   at chan_sip.c:5414
       user = (struct sip_user *) 0x0
       peer = (struct sip_peer *) 0x813c348
       of = 0xbeffd115 "Anonymous"
       from = "\"Anonymous\" <sip:Anonymous\000204.213.176.174\000;tag=003094c384f700087ddff7e6-508fa31a", '\0' <repeats 174 times>
       c = 0x0
       rpid = 0x403a6519 ""
       rpid_num = '\0' <repeats 49 times>
       iabuf = '\0' <repeats 15 times>
       res = 0
       t = 0xbeffea56 ""
       calleridname = "Anonymous", '\0' <repeats 40 times>
       debug = 0
# 2  0x40398354 in check_user (p=0x81bac80, req=0xbeffe824,
   cmd=0xbeffea38 "INVITE", uri=0xbeffea3f "sip:301@204.213.176.174",
   reliable=1, sin=0xbeffe814, ignore=0) at chan_sip.c:5456
No locals.
# 3  0x4039eb7c in handle_request (p=0x81bac80, req=0xbeffe824, sin=0xbeffe814,
   recount=0xbeffe800, nounlock=0xbeffe804) at chan_sip.c:7183
       resp = {rlPart1 = 0x0, rlPart2 = 0x0, len = 0, headers = 0, header = {
   0x0 <repeats 64 times>}, lines = 0, line = {0x0 <repeats 64 times>},
 data = '\0' <repeats 4095 times>}
       cmd = 0xbeffea38 "INVITE"
       cseq = 0xbeffeb98 " INVITE"
       from = 0x0
       e = 0xbeffea3f "sip:301@204.213.176.174"
       useragent = 0xbeffebad "CSCO/7"
       c = (struct ast_channel *) 0x0
       transfer_to = (struct ast_channel *) 0x0
       seqno = 102
       len = 3
       ignore = 0
       respid = 200
       res = 1
       gotdest = 0
       iabuf = '\0' <repeats 15 times>
       af = {frametype = 5, subclass = 0, datalen = 0, samples = 0,
 mallocd = 0, offset = 0, src = 0x0, data = 0x0, delivery = {tv_sec = 0,
   tv_usec = 0}, prev = 0x0, next = 0x0}
       debug = 0
# 4  0x403a09a3 in sipsock_read (id=0x810f488, fd=13, events=1, ignore=0x0)
   at chan_sip.c:7640
       req = {rlPart1 = 0xbeffea38 "INVITE",
 rlPart2 = 0xbeffea3f "sip:301@204.213.176.174", len = 907, headers = 13,
 header = {0xbeffea38 "INVITE",
   0xbeffea6b "Via: SIP/2.0/UDP 204.213.176.211:5060;branch=z9hG4bK574a1dfa",
   0xbeffeaa9 "From: \"Anonymous\" <sip:Anonymous@204.213.176.174>;tag=003094c384f700087ddff7e6-508fa31a",
   0xbeffeb02 "To: <sip:301@204.213.176.174;user=phone>",
   0xbeffeb2c "Call-ID: 003094c3-84f7000d-0d9bd8dc-72180935@204.213.176.211",
   0xbeffeb6a "Date: Mon, 08 Nov 2004 17:30:34 GMT",
   0xbeffeb8f "CSeq: 102 INVITE", 0xbeffeba1 "User-Agent: CSCO/7",
   0xbeffebb5 "Contact: <sip:311f@204.213.176.211:5060>",
   0xbeffebdf "Proxy-Authorization: Digest username=\"311f\",realm=\"asterisk\",uri=\"sip:204.213.176.174\",response=\"43de4a29cc62d73ebc321abca1d7dcec\",nonce=\"57fa31a6\",algorithm=md5", 0xbeffec82 "Expires: 180",
   0xbeffec90 "Content-Type: application/sdp",
   0xbeffecaf "Content-Length: 253", 0xbeffecc4 "", 0x0 <repeats 50 times>},
 lines = 11, line = {0xbeffecc6 "v=0",
   0xbeffeccb "o=Cisco-SIPUA 25447 10476 IN IP4 204.213.176.211",
   0xbeffecfd "s=SIP Call", 0xbeffed09 "c=IN IP4 204.213.176.211",
   0xbeffed23 "t=0 0", 0xbeffed2a "m=audio 30746 RTP/AVP 0 8 18 101",
   0xbeffed4c "a=rtpmap:0 PCMU/8000", 0xbeffed62 "a=rtpmap:8 PCMA/8000",
   0xbeffed78 "a=rtpmap:18 G729/8000",
   0xbeffed8f "a=rtpmap:101 telephone-event/8000",
   0xbeffedb2 "a=fmtp:101 0-15", 0xbeffedc3 "", 0x0 <repeats 52 times>},
 data = "INVITE\000sip:301@204.213.176.174\000user=phone\000SIP/2.0\000\000Via: SIP/2.0/UDP 204.213.176.211:5060;branch=z9hG4bK574a1dfa\000\000From: \"Anonymous\" <sip:Anonymous@204.213.176.174>;tag=003094c384f700087ddff7e6-508fa31a"...}
       sin = {sin_family = 2, sin_port = 50195, sin_addr = {
   s_addr = 3551581644}, sin_zero = "\000\000\000\000\000\000\000"}
       p = (struct sip_pvt *) 0x81bac80
       res = 907
       len = 16
       nounlock = 0
       recount = 0
       debug = 0
# 5  0x08052e09 in ast_io_wait (ioc=0x810e680, howlong=1000) at io.c:267
       res = 1
       x = 0
       origcnt = 1
# 6  0x403a10e6 in do_monitor (data=0x0) at chan_sip.c:7788
       res = 1000
       sip = (struct sip_pvt *) 0x0
       peer = (struct sip_peer *) 0x0
       t = 1099935030
       fastrestart = 0
       lastpeernum = -1
       curpeernum = 57
       reloading = 0
# 7  0x40025e51 in pthread_start_thread () from /lib/libpthread.so.0
No symbol table info available.
# 8  0x401ed69a in clone () from /lib/libc.so.6
No symbol table info available.

By: Andrew Lindh (andrew) 2004-11-08 12:30:01.000-0600

If a NULL pointer is sent to ast_strlen_zero() then it will segfault asterisk.
A non-NULL but still out of range pointer will also cause the same problem....

You could account for the NULL by using:

/* Proposed variant: returns -1 for a NULL pointer rather than dereferencing it. */
static inline int ast_strlen_zero(const char *s)
{
    if (s)
        return (*s == '\0');
    else
        return (-1);
}

but still does not account for a bad pointer....

By: Brian West (bkw918) 2004-11-08 16:21:07.000-0600

doesn't crash for me.. what gcc are you using?

bkw

By: Mark Spencer (markster) 2004-11-08 16:27:31.000-0600

ast_strlen_zero is exactly the way it's supposed to be and should NOT check for NULL.

This is still not CVS head, however, since those line numbers do not jive with current CVS head.  You either need to update to latest head or you need to find me on IRC so I can login to your system and see what those line numbers map to.
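
Added example (not part of the thread, not Asterisk's code, and not the fix that went into CVS): a NULL test inside ast_strlen_zero() cannot catch an address like 0x140, so the helper's valid-string contract has to be met where the From header is parsed, by handing callers only fields the parser owns. `struct from_fields`, `parse_from`, `copy_span`, `has_caller_id` and the 64-byte field size are hypothetical; the "Anonymous" From value is the one shown in the INVITE traces above.

```c
#include <string.h>

/* Same contract as the helper in the thread: s must point to a valid string. */
static inline int strlen_zero(const char *s) { return *s == '\0'; }

struct from_fields { char name[64], user[64], host[64]; }; /* hypothetical type */

/* Copy [start, end) into dst, truncating to fit and always NUL-terminating. */
static void copy_span(char *dst, size_t dstlen, const char *start, const char *end)
{
    size_t n = (size_t)(end - start);
    if (n >= dstlen)
        n = dstlen - 1;
    memcpy(dst, start, n);
    dst[n] = '\0';
}

/* Parse a From value such as: "Anonymous" <sip:Anonymous@host>;tag=...
 * Returns 0 on success, -1 on malformed input. Either way every field is a
 * valid, possibly empty, string, so strlen_zero() on it is always safe. */
int parse_from(const char *value, struct from_fields *out)
{
    const char *q1, *q2, *lt, *gt, *uri, *at;

    memset(out, 0, sizeof(*out));                /* every field becomes "" */
    lt = value ? strchr(value, '<') : NULL;
    gt = lt ? strchr(lt, '>') : NULL;
    if (!gt)
        return -1;                               /* no <...> part at all */
    q1 = strchr(value, '"');                     /* optional quoted display name */
    q2 = (q1 && q1 < lt) ? strchr(q1 + 1, '"') : NULL;
    if (q2 && q2 < lt)
        copy_span(out->name, sizeof(out->name), q1 + 1, q2);
    uri = lt + 1;
    if (strncmp(uri, "sip:", 4) != 0)
        return -1;                               /* only sip: URIs handled here */
    uri += 4;
    at = memchr(uri, '@', (size_t)(gt - uri));   /* user part is optional */
    if (at)
        copy_span(out->user, sizeof(out->user), uri, at);
    copy_span(out->host, sizeof(out->host), at ? at + 1 : uri, gt);
    return 0;
}

/* Assumption for this example: a user part of "Anonymous" means blocked caller ID. */
int has_caller_id(const struct from_fields *f)
{
    return !strlen_zero(f->user) && strcmp(f->user, "Anonymous") != 0;
}
```

The host field keeps whatever follows the `@` up to the closing `>`, including any port or URI parameters.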

By: Andrew Lindh (andrew) 2004-11-08 17:04:24.000-0600

CVS-HEAD-11/08/04-17:59:00

Linux asterisk 2.6.7-1-686-smp #1 SMP Thu Jul 8 06:08:37 EDT 2004 i686 GNU/Linux

gcc -v
Reading specs from /usr/lib/gcc-lib/i486-linux/3.3.4/specs
Configured with: ../src/configure -v --enable-languages=c,c++,java,f77,pascal,objc,ada,treelang --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --with-gxx-include-dir=/usr/include/c++/3.3 --enable-shared --with-system-zlib --enable-nls --without-included-gettext --enable-__cxa_atexit --enable-clocale=gnu --enable-debug --enable-java-gc=boehm --enable-java-awt=xlib --enable-objc-gc i486-linux
Thread model: posix
gcc version 3.3.4 (Debian 1:3.3.4-6sarge1)


# 0  0x403a634a in ast_strlen_zero (s=0x140 <Address 0x140 out of bounds>)
   at utils.h:22
# 1  0x403980ab in check_user_full (p=0x814f198, req=0xbeffe824,
   cmd=0xbeffea38 "INVITE", uri=0xbeffea3f "sip:301@204.213.176.174",
   reliable=1, sin=0xbeffe814, ignore=0, mailbox=0x0, mailboxlen=0)
   at chan_sip.c:5420
# 2  0x403983c3 in check_user (p=0x814f198, req=0xbeffe824,
   cmd=0xbeffea38 "INVITE", uri=0xbeffea3f "sip:301@204.213.176.174",
   reliable=1, sin=0xbeffe814, ignore=0) at chan_sip.c:5462
# 3  0x4039ed1c in handle_request (p=0x814f198, req=0xbeffe824, sin=0xbeffe814,
   recount=0xbeffe800, nounlock=0xbeffe804) at chan_sip.c:7205
# 4  0x403a0b43 in sipsock_read (id=0x814a120, fd=13, events=1, ignore=0x0)
   at chan_sip.c:7662
# 5  0x08052e09 in ast_io_wait (ioc=0x8110620, howlong=1000) at io.c:267
# 6  0x403a1286 in do_monitor (data=0x0) at chan_sip.c:7810
# 7  0x40025e51 in pthread_start_thread () from /lib/libpthread.so.0
# 8  0x401ed69a in clone () from /lib/libc.so.6

By: Mark Spencer (markster) 2004-11-08 21:36:39.000-0600

Nevermind...  Fixed in CVS

By: Russell Bryant (russell) 2004-11-09 00:30:14.000-0600

Not an issue with 1.0 as far as I know.