
Summary: ASTERISK-09196: crash situation in chan_sip
Reporter: zoa (zoa)
Labels:
Date Opened: 2007-04-05 06:45:28
Date Closed: 2007-07-09 21:20:47
Priority: Critical
Regression?: No
Status: Closed/Complete
Components: Core/General
Versions:
Frequency of Occurrence:
Related Issues:
Environment:
Attachments:

Description: The problem is in chan_sip:14838, sipsock_read():

ast_log(LOG_ERROR, "We could NOT get the channel lock for %s! \n", S_OR(p->owner->name, "- no channel name ??? - "));


The problem is that p->owner is NULL at this point, and even if there's
a check if p->owner->name is NULL, it can't catch the first dereference.


****** ADDITIONAL INFORMATION ******

Here's the relevant backtrace:

(gdb) bt
#0  0xb71d1804 in sipsock_read (id=0x81b2668, fd=17, events=1, ignore=0x0) at strings.h:34
#1  0x080a5e46 in ast_io_wait (ioc=0x81ab800, howlong=148) at io.c:279
#2  0xb71d22d3 in do_monitor (data=0x0) at chan_sip.c:15092
#3  0x080f4136 in dummy_start (data=0x81b0690) at utils.c:545
#4  0xb7d81b63 in start_thread () from /lib/tls/libpthread.so.0
#5  0xb7be918a in clone () from /lib/tls/libc.so.6

In strings.h on line 34 it's the static inline for ast_strlen_zero (it
shows like that even with the optimizations disabled). The function is
called only on that line, in the S_OR macro, and

(gdb) print p->owner
$3 = (struct ast_channel *) 0x0

I don't see a good solution to this, to check for p->owner beforehand is
still racy.


Here's bt full output:


(gdb) bt full
#0  0xb71d1804 in sipsock_read (id=0x81b2668, fd=17, events=1, ignore=0x0) at strings.h:34
       req = {rlPart1 = 0xb718e9ac "BYE", rlPart2 = 0xb718e9b0 "sip:003251725032@192.168.3.10", len = 742, headers = 13, method = 8, lines = 0, flags = 0, header = {0xb718e9ac "BYE",
   0xb718e9d7 "Record-Route: <sip:62.58.99.101;lr=on>", 0xb718e9ff "Via: SIP/2.0/UDP 62.58.99.101;branch=z9hG4bKebe4.3e2b5216.0",
   0xb718ea3c "Via: SIP/2.0/UDP 213.16.46.116:5060;branch=z9hG4bK44e5b6d8;rport=5060", 0xb718ea83 "From: \"bofrost13c2\" <sip:IMRO-CC-HALO@213.16.46.116>;tag=as506ec926",
   0xb718eac8 "To: <sip:003251725032@62.58.99.101>;tag=as0c4f3206", 0xb718eafc "Contact: <sip:IMRO-CC-HALO@213.16.46.116>", 0xb718eb27 "Call-ID: 728f05f45180869a3c52e0102af38077@213.16.46.116",
   0xb718eb60 "CSeq: 104 BYE", 0xb718eb6f "User-Agent: M1 Call", 0xb718eb84 "Max-Forwards: 16",
   0xb718eb96 "Proxy-Authorization: Digest username=\"IMRO-CC-HALO\", realm=\"m1call.com\", algorithm=MD5, uri=\"sip:003251725032@192.168.3.10\", nonce=\"4614d2ec2762a1cc0e00e17403245bfee0da90ff\", response=\"496b2382f710f7d"..., 0xb718ec7d "Content-Length: 0", 0xb718ec90 "", 0x0 <repeats 50 times>}, line = {0xb718ec92 "", 0x0 <repeats 63 times>},
 data = "BYE\000sip:003251725032@192.168.3.10\000SIP/2.0\000\000Record-Route: <sip:62.58.99.101;lr=on>\000\000Via: SIP/2.0/UDP 62.58.99.101;branch=z9hG4bKebe4.3e2b5216.0\000\000Via: SIP/2.0/UDP 213.16.46.116:5060;branch=z9hG4bK44e5b6"..., sdp_start = 0, sdp_end = 0}
       sin = {sin_family = 2, sin_port = 50195, sin_addr = {s_addr = 1701001790}, sin_zero = "\000\000\000\000\000\000\000"}
       p = (struct sip_pvt *) 0x83dfd78
       res = 742
       len = 16
       nounlock = 0
       recount = 0
       lockretry = 0
#1  0x080a5e46 in ast_io_wait (ioc=0x81ab800, howlong=148) at io.c:279
       res = 1
       x = 0
       origcnt = 1
#2  0xb71d22d3 in do_monitor (data=0x0) at chan_sip.c:15092
       res = 148
       sip = (struct sip_pvt *) 0x0
       peer = (struct sip_peer *) 0x0
       t = 1175769588
       fastrestart = 0
       lastpeernum = -1
       curpeernum = 2
       reloading = 0
#3  0x080f4136 in dummy_start (data=0x81b0690) at utils.c:545
       _buffer = {__routine = 0x80689d8 <ast_unregister_thread>, __arg = 0xb718fbb0, __canceltype = 0, __prev = 0x0}
       ret = (void *) 0x0
       a = {start_routine = 0xb71d1d64 <do_monitor>, data = 0x0, name = 0x81b0708 "do_monitor", ' ' <repeats 11 times>, "started at [15151] chan_sip.c restart_monitor()"}
#4  0xb7d81b63 in start_thread () from /lib/tls/libpthread.so.0
No symbol table info available.
#5  0xb7be918a in clone () from /lib/tls/libc.so.6
No symbol table info available.
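The dereference-before-check pattern described in the report, reduced to a stand-alone C program. This is an added example, not code from the report or from Asterisk: the struct shapes, the owner_name_* functions, the constructed channel name and the lock-and-copy hardening are assumptions for illustration, and the page does not show what revisions 60213-60215 actually changed.

```c
#include <pthread.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the Asterisk types involved (assumed, minimal shapes). */
struct ast_channel {
    char name[64];
};

struct sip_pvt {
    pthread_mutex_t lock;      /* stands in for p->lock, which guards owner */
    struct ast_channel *owner; /* NULL once the channel has gone away */
};

/* ast_strlen_zero as in Asterisk's strings.h: it tolerates a NULL
 * string pointer... */
static inline int ast_strlen_zero(const char *s)
{
    return (!s || (*s == '\0'));
}

/* ...but S_OR must evaluate its first argument to obtain that pointer, so
 * an argument like p->owner->name dereferences p->owner before
 * ast_strlen_zero ever runs. Only the string can be NULL-checked here,
 * never the struct it lives in. */
#define S_OR(a, b) (!ast_strlen_zero(a) ? (a) : (b))

#define NO_NAME "- no channel name ??? - "

/* The pattern from the report. With p->owner == NULL this faults while
 * evaluating the S_OR argument, which is why the crash frame lands in
 * strings.h rather than in chan_sip.c. */
const char *owner_name_unsafe(struct sip_pvt *p)
{
    return S_OR(p->owner->name, NO_NAME);
}

/* Hardened form (assumed, not the upstream fix): test the owner pointer
 * first, do it while holding the lock that guards it, and copy the name
 * out before unlocking so the caller never keeps a pointer into a channel
 * that another thread may free after the lock is dropped. */
const char *owner_name_safe(struct sip_pvt *p, char *buf, size_t buflen)
{
    pthread_mutex_lock(&p->lock);
    const char *name = p->owner ? S_OR(p->owner->name, NO_NAME) : NO_NAME;
    snprintf(buf, buflen, "%s", name);
    pthread_mutex_unlock(&p->lock);
    return buf;
}

int main(void)
{
    struct sip_pvt p = { PTHREAD_MUTEX_INITIALIZER, NULL };
    struct ast_channel chan = { "SIP/bofrost13c2-00000001" }; /* constructed name */
    char buf[64];

    /* Owner already gone: the report's situation. owner_name_unsafe(&p)
     * would dereference NULL here; the safe form falls back cleanly. */
    printf("no owner:    %s\n", owner_name_safe(&p, buf, sizeof buf));

    p.owner = &chan;
    printf("with owner:  %s\n", owner_name_safe(&p, buf, sizeof buf));
    printf("unsafe path: %s\n", owner_name_unsafe(&p)); /* only valid while owner != NULL */

    chan.name[0] = '\0'; /* owner present but unnamed: now S_OR's own check matters */
    printf("empty name:  %s\n", owner_name_safe(&p, buf, sizeof buf));
    return 0;
}
```

The point the backtrace makes is visible in the macro: ast_strlen_zero's NULL test guards the string, but the string is reached through p->owner, and that pointer is dereferenced by the caller before the macro's test runs. A bare `if (p->owner)` in front of the log call narrows the window but, as the reporter notes, does not close it unless the check, the dereference and the copy all happen under the lock that protects p->owner; the assumed owner_name_safe shows that shape.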
Comments:

By: Joshua C. Colp (jcolp) 2007-04-05 07:57:47

Fixed in 1.2 as of revision 60213, 1.4 as of revision 60214, and trunk as of revision 60215.