Summary: | ASTERISK-03376: Asterisk crashes on division by zero in calc_timestamp (chan_iax2) | ||
Reporter: | guills (guills) | Labels: | |
Date Opened: | 2005-01-28 15:21:23.000-0600 | Date Closed: | 2005-01-28 16:39:21.000-0600 |
Priority: | Critical | Regression? | No |
Status: | Closed/Complete | Components: | Core/General |
Versions: | Frequency of Occurrence | ||
Related Issues: | |||
Environment: | Attachments: | ||
Description: |
from calc_timestamp:

int diff = ms % (f->samples / 8);

will cause a division by zero if f->samples is zero.

This is fully reproducible here by using Firefly to call himself over IAX2, which causes a yet unknown problem with my MOH setup :)

GDB output in additional information.

****** ADDITIONAL INFORMATION ******

> [Switching to Thread 245775 (LWP 23251)]
> 0x41154918 in calc_timestamp (p=0x816b710, ts=0, f=0x424eef24) at chan_iax2.c:2896
> 2896 int diff = ms % (f->samples / 8);
>
> (gdb) display f->samples
> 1: f->samples = 0
>
> (gdb) backtrace
> #0 0x41154918 in calc_timestamp (p=0x816b710, ts=0, f=0x424eef24) at chan_iax2.c:2896
> #1 0x41153119 in iax2_send (pvt=0x816b710, f=0x424eef24, ts=32, seqno=-1, now=0, transfer=0, final=32) at chan_iax2.c:3091
> #2 0x41166e17 in iax2_write (c=0x20, f=0x424eef24) at chan_iax2.c:3551
> #3 0x0805cd41 in ast_write (chan=0x816bd90, fr=0x424eef24) at channel.c:1634
> #4 0x080610e3 in ast_activate_generator (chan=0x816bd90, gen=0x407ca918, params=0x20) at channel.c:1554
> ASTERISK-1 0x407c725e in ast_moh_start (chan=0x0, class=0x20 <Address 0x20 out of bounds>) at res_musiconhold.c:598
> ASTERISK-2 0x41804e3d in dial_exec (chan=0x816bd90, data=0x816bd90) at app_dial.c:882
> ASTERISK-3 0x08074a1f in pbx_exec (c=0x816bd90, app=0x8157770, data=0x424f1b24, newstack=1) at pbx.c:469
Comments: |
By: Paul Cadach (pcadach) 2005-01-28 15:34:22.000-0600

Backtrace shows thread/application stack is overwritten or application compiled without function frames:

0x407c725e in ast_moh_start (chan=0x0, class=0x20 <Address 0x20 out of bounds>) at res_musiconhold.c:598

By: Clod Patry (junky) 2005-01-28 15:57:51.000-0600

> from calc_timestamp: int diff = ms % (f->samples / 8); will cause a division by zero if f->samples is zero.

if f->samples = 0, isn't gonna be 0/8 which means 0? I think the problem is somewhere else.

By: Mark Spencer (markster) 2005-01-28 16:03:10.000-0600

These line numbers clearly do not agree with CVS HEAD.

By: Mark Spencer (markster) 2005-01-28 16:04:02.000-0600

and how is a division by 8 a division by zero anyway? (edited: n/m it's obviously the modulo by 0 that is the issue)

edited on: 01-28-05 16:04

By: guills (guills) 2005-01-28 16:04:29.000-0600

Huh.

> if f->samples = 0, isn't gonna be 0/8 which means 0?

yeah. But then ms % 0 will divide by 0.

By: Mark Spencer (markster) 2005-01-28 16:07:01.000-0600

CVS head also shows that this is embedded within a check which should prevent that from occurring (I've just modified head to do a >= rather than a / for performance reasons, but that's basically irrelevant).

By: guills (guills) 2005-01-28 16:15:40.000-0600

You're right, I just synced and checked, it's fixed in HEAD now.

By: Tilghman Lesher (tilghman) 2005-01-28 16:39:20.000-0600

Closed on request by reporter.
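
The guard discussed in this thread, as an added example (not the chan_iax2 source and not code posted in this issue). It goes slightly beyond the reported case: any sample count below 8, not only 0, makes `samples / 8` truncate to 0 and the modulo trap. `struct frame`, `align_timestamp`, `SAMPLES_PER_MS` and the round-up step after the modulo are assumptions for illustration; the page shows only the modulo line.

```c
#include <stdio.h>

#define SAMPLES_PER_MS 8u  /* assumption: 8 kHz audio, matching the "/ 8" on the page */

/* Hypothetical stand-in for the frame type; only the sample count matters. */
struct frame { int samples; };

/* Round ms up to the next multiple of the frame's duration in ms.
 * Returns ms unchanged when the frame is shorter than 1 ms, because
 * samples / 8 is then 0 and "ms % 0" raises SIGFPE on x86. */
unsigned int align_timestamp(unsigned int ms, const struct frame *f)
{
    unsigned int frame_ms, diff;

    /* Guard the divisor itself: samples in 0..7 truncate to a zero
     * divisor, and a negative count is rejected by the same test. */
    if (f == NULL || f->samples < (int)SAMPLES_PER_MS)
        return ms;

    frame_ms = (unsigned int)f->samples / SAMPLES_PER_MS;  /* >= 1 here */
    diff = ms % frame_ms;
    return diff ? ms + (frame_ms - diff) : ms;
}

int main(void)
{
    /* Constructed sample inputs; 0 is the value gdb displays on the page. */
    int counts[] = { 0, 7, 8, 160 };
    size_t i;

    for (i = 0; i < sizeof counts / sizeof counts[0]; i++) {
        struct frame f = { counts[i] };
        printf("samples=%3d ms=32 -> %u\n", counts[i], align_timestamp(32u, &f));
    }
    return 0;
}
```
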