
Summary: ASTERISK-08114: Asterisk segfault when trying to include dialplan file with a macro
Reporter: Julien Goodwin (julieng)
Labels:
Date Opened: 2006-11-11 00:30:41.000-0600
Date Closed: 2006-11-13 13:22:52.000-0600
Priority: Major
Regression?: No
Status: Closed/Complete
Components: Core/General
Versions:
Frequency of Occurrence:
Related Issues:
Environment:
Attachments:

Description: Asterisk segfault when trying to include dialplan file with a macro

****** ADDITIONAL INFORMATION ******

#0  0x40312363 in strlen () from /lib/tls/libc.so.6
#1  0x0808911f in config_text_file_load (database=0xbfffc550 "??\021\b\006", table=0xbfffc450 "?\202\030\b\017", filename=0xbfffcdfa "dialplan/macros.conf", cfg=0x81986e0, withcomments=0) at config.c:99
#2  0x080879be in ast_config_internal_load (filename=0xbfffcdfa "dialplan/macros.conf", cfg=0x813c25c, withcomments=0) at config.c:1264
#3  0x08089cab in process_text_line (cfg=0x81986e0, cat=0xbfffcb5c, buf=0xbfffc6d0 "", lineno=22, configfile=0x40a2cea0 "extensions.conf", withcomments=0) at config.c:715
#4  0x080890ef in config_text_file_load (database=0xbffff040 "?N<@@e\001@)e0@?N<@/etc", table=0xbfffef40 "x????", filename=0x40a2cea0 "extensions.conf", cfg=0x81986e0, withcomments=0) at config.c:916
#5  0x080879be in ast_config_internal_load (filename=0x40a2cea0 "extensions.conf", cfg=0x813c25c, withcomments=0) at config.c:1264
#6  0x08088590 in ast_config_load (filename=0x0) at config.c:1281
#7  0x40a2b33d in pbx_load_config (config_file=0x0) at pbx_config.c:1341
#8  0x40a2ca71 in load_module () at pbx_config.c:1594
#9  0x0809fee6 in load_resource (resource_name=0x8170e28 "pbx_config.so", global_symbols_only=1084412832) at loader.c:631
#10 0x0809f090 in load_modules (preload_only=0) at loader.c:816
#11 0x08068b15 in main (argc=-1073743600, argv=0xbffffb14) at asterisk.c:2723

Comments:

By: Julien Goodwin (julieng) 2006-11-11 00:37:53.000-0600

Crash is caused by a call to strlen somewhere in config_text_file_load.

Strlen is called a few times in that function:
* 861 - memmove(comment_p - 1, comment_p, strlen(comment_p) + 1);
* 884 - oldptr = process_buf + strlen(process_buf);
* 890 - memmove(oldptr, new_buf, strlen(new_buf) + 1);

It also appears it's a formatting error and otherwise unrelated to the file containing a macro.

By: Julien Goodwin (julieng) 2006-11-11 01:18:51.000-0600

This line (in extensions.conf):
exten => test,1,noop>--------; Test

Causes this backtrace:
#0  0x40312363 in strlen () from /lib/tls/libc.so.6
#1  0x08089cdf in config_text_file_load (database=0xbffff040 "?N<@@e\001@)e0@`C7@?C<@", table=0xbfffef40 "x????", filename=0x40a2ff80 "extensions.conf", cfg=0x819a6c8, withcomments=0) at config.c:99
#2  0x0808851e in ast_config_internal_load (filename=0x40a2ff80 "extensions.conf", cfg=0x813e0fc, withcomments=0) at config.c:1264
#3  0x08089135 in ast_config_load (filename=0x0) at config.c:1281
#4  0x40a2e3e3 in pbx_load_config (config_file=0x0) at pbx_config.c:1341
#5  0x40a2fb27 in load_module () at pbx_config.c:1594
#6  0x080a1226 in load_resource (resource_name=0x8172e28 "pbx_config.so", global_symbols_only=1084425344) at loader.c:631
#7  0x080a0390 in load_modules (preload_only=0) at loader.c:816
#8  0x08068f8a in main (argc=-1073743600, argv=0xbffffb14) at asterisk.c:2723

The bug appears to be in the function CB_ADD(char *str), specifically line 99 of config.c where it calls strlen(comment_buffer) without checking that comment_buffer isn't null.

Later in that function (after the ast_realloc call) the function simply returns if the buffer isn't allocated, and duplicating that call at the start of the function stops the crash.

By: Steve Murphy (murf) 2006-11-13 13:21:59.000-0600

The problem was the CB_ADD routine should not be called if withcomments==0.

This is my doing; I made a minor update to the surrounding "if" to fix it, and this problem should be solved.

I committed this fix to 1.4 via r47576, and trunk via r47577.
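
Added illustration, not code from the Asterisk tree or from either commenter: a constructed, simplified model of the comment-buffer append, showing the NULL-buffer strlen() the reporter traced to CB_ADD, the early return the reporter suggested inside the append routine, and the call-site withcomments check that murf committed. All struct, function and constant names below are assumptions made for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of a comment buffer (not Asterisk's config.c): buf stays
 * NULL unless the parser was asked to collect comments (withcomments != 0). */
struct comment_buf { char *buf; size_t cap; };

/* Defective shape from the report: strlen() on the buffer before any check
 * that it was allocated, so buf == NULL is dereferenced inside strlen(),
 * which is frame #0 of both backtraces. Only safe once buf != NULL. */
static void cb_append_unchecked(struct comment_buf *cb, const char *str)
{
    size_t used = strlen(cb->buf);            /* NULL dereference if buf == NULL */
    size_t need = used + strlen(str) + 1;
    if (need > cb->cap) {                     /* grow, as a realloc-backed buffer would */
        char *grown = realloc(cb->buf, need);
        if (!grown) return;
        cb->buf = grown; cb->cap = need;
    }
    memcpy(cb->buf + used, str, strlen(str) + 1);
}

/* Reporter's workaround: bail out before touching an unallocated buffer. */
static int cb_append(struct comment_buf *cb, const char *str)
{
    if (!cb->buf) return 0;
    cb_append_unchecked(cb, str);
    return 1;
}

/* Committed fix, at the call site: with withcomments == 0 the text after ';'
 * is dropped and the (NULL) buffer is never touched at all. */
static int scan_line(struct comment_buf *cb, const char *line, int withcomments)
{
    const char *semi = strchr(line, ';');
    if (!semi || !withcomments) return 0;
    /* first comment seen while collecting: allocate a zeroed 64-byte buffer */
    if (!cb->buf && !(cb->buf = calloc(cb->cap = 64, 1))) return 0;
    return cb_append(cb, semi + 1);
}

/* Feeds the reporter's triggering line through scan_line() and returns how
 * many comment characters were collected (0 when comments are not collected). */
static size_t collected_comment_len(int withcomments)
{
    struct comment_buf cb = { NULL, 0 };
    size_t n = 0;
    scan_line(&cb, "exten => test,1,noop>--------; Test", withcomments);
    if (cb.buf) n = strlen(cb.buf);
    free(cb.buf);
    return n;
}
```

With withcomments == 0 the line that crashed Asterisk never reaches the append routine; with withcomments != 0 the text " Test" after the semicolon is collected.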

By: Steve Murphy (murf) 2006-11-13 13:22:51.000-0600

With fixes in 1.4 and trunk, this bug is closeable.