ASTERISK-09242: Asterisk 1.4.2 crash in put_unaligned

[Home]

Summary: ASTERISK-09242: Asterisk 1.4.2 crash in put_unaligned_uint32

Reporter: dmb (dmb) Labels:

Date Opened: 2007-04-11 04:48:58 Date Closed: 2011-06-07 14:00:58

Priority: Critical Regression? No

Status: Closed/Complete Components: Core/General

Versions: Frequency of
Occurrence

Related
Issues:

Environment: Attachments: ( 0) 9519-frchk.diff
( 1) core.1996.dbg
( 2) core.30156.gdb
( 3) core.9865.gdb
( 4) issue9519.diff

Description: Hello,
Sometimes my asterisk 1.4.2 crash in unaligned.h:49. The function is put_unaligned_uint32. I attach the gdb result for this core.
Any idea?

Comments: By: Joshua C. Colp (jcolp) 2007-04-11 09:10:32

If the backtrace is still available please open it and do the following:

frame 2
print *f

and add the output as a note here. Thanks!
By: dmb (dmb) 2007-04-11 09:43:45

Hello,
the result is:

(gdb) frame 2
#2 0x080db398 in ast_rtp_write (rtp=0x8591218, _f=0xb77b9f1c) at rtp.c:2717
2717 ast_rtp_raw_write(rtp, f, codec);
(gdb) print *f
$1 = {frametype = 0, subclass = 0, datalen = 0, samples = 0, mallocd = 0, mallocd_hdr_len = 0, offset = 0, src = 0x0, data = 0x0,
delivery = {tv_sec = 0, tv_usec = 0}, frame_list = {next = 0x0}, has_timing_info = 0, ts = 0, len = 0, seqno = 0}

By: dmb (dmb) 2007-04-17 09:34:09

Hello,
any idea about this?

thank you
By: dmb (dmb) 2007-05-10 09:46:40

Helloooooo????? Any idea about this :)

Thank you
By: Joshua C. Colp (jcolp) 2007-05-14 11:53:21

Please try the attached patch. Thanks!
By: dmb (dmb) 2007-05-28 11:05:28

Hello,
With that patch asterisk crash with the same error. I attach the gdb trace: core.9865.gdb.

Thank you!!!
By: Joshua C. Colp (jcolp) 2007-05-29 10:05:04

I need access to the machine where the core dumps are for this. Can you please email me at jcolp@digium.com so we can arrange something?
By: dmb (dmb) 2007-05-29 11:13:52

Hello,
it isn't possible. What do you need? I give you all your requests.

Thank you
By: dmb (dmb) 2007-05-29 11:28:07

Hello,
when asterisk crash:

IN RTP.C
/* Get a pointer to the header */
rtpheader = (unsigned char *)(f->data - hdrlen);

here f->data is null and hdrlen = 12 (C in hexa). After that subtract rtpheader value is 0xfffffff4. That's produce the crash in the next function calls. Why is the f->data null value not controled before the sustract?

Thank you
By: Joshua C. Colp (jcolp) 2007-05-29 11:46:38

Fixed in 1.4 as of revision 66437 and trunk as of revision 66438. I suspect it was never originally checked since nobody ever expected it to happen, I've added a check though now.
By: dmb (dmb) 2007-05-30 06:36:59

Hello,
if you attach the diff file for this, i could verify the correction.

Thank you for all.
By: Joshua C. Colp (jcolp) 2007-05-30 11:31:22

Patch attached as issue9519.diff, if this does not fix it please reopen. Peace.
By: dmb (dmb) 2007-06-18 02:55:22

Hello,
another core is reproduced in the same function with de patch. I attach the gdb file.

Thanks
By: Joshua C. Colp (jcolp) 2007-06-18 08:11:20

Would it be possible to upgrade to 1.4.5? Your code is now 3 versions out of date and modified so it is difficult to track things down.
By: Russell Bryant (russell) 2007-06-19 10:00:02

What architecture is this running on?
By: Joshua C. Colp (jcolp) 2007-08-06 12:26:58

It's been a month now without a response. If you can please upgrade and post the architecture this is running on feel free to reopen.