
Summary: ASTERISK-09860: Invalid memory reference crash in aji_handle_presence
Reporter: Daniel McKeehan (danmckeehan)
Labels:
Date Opened: 2007-07-11 15:22:24
Date Closed: 2007-08-16 04:27:32
Priority: Critical
Regression?: No
Status: Closed/Complete
Components: Resources/res_jabber
Versions:
Frequency of Occurrence:
Related Issues:
Environment:
Attachments: (0) trunk-10184_log-1.diff
Description: I have had the following crash several times.  Crash is in res_jabber:
#7  0x0012bf8b in aji_handle_presence (client=Cannot access memory at address 0xb02b102c
) at res_jabber.c:1283
       status = Cannot access memory at address 0xb02b1018

1283                    if (!strcasecmp(tmp->resource, pak->from->resource)) {

(gdb) bt full
#0  0x005388f7 in strcasecmp () from /lib/libc.so.6
No symbol table info available.
#1  0x000000b0 in ?? ()
No symbol table info available.
#2  0x0000006c in ?? ()
No symbol table info available.
#3  0x00133130 in ?? () from /usr/lib/asterisk/modules/res_jabber.so
No symbol table info available.
#4  0x092b1024 in ?? ()
No symbol table info available.
#5  0x0913ae04 in ?? ()
No symbol table info available.
#6  0xb7d37e78 in ?? ()
No symbol table info available.
#7  0x0012bf8b in aji_handle_presence (client=Cannot access memory at address 0xb02b102c
) at res_jabber.c:1283
       status = Cannot access memory at address 0xb02b1018


(gdb) list res_jabber.c:1283
warning: Source file is more recent than executable.

1278            priority = atoi((iks_find_cdata(pak->x, "priority")) ? iks_find_cdata(pak->x, "priority") : "0");
1279            tmp = buddy->resources;
1280            descrip = ast_strdup(iks_find_cdata(pak->x,"status"));
1281
1282            while (tmp) {
1283                    if (!strcasecmp(tmp->resource, pak->from->resource)) {
1284                            tmp->status = status;
1285                            if (tmp->description) ast_free(tmp->description);
1286                            tmp->description = descrip;
1287                            found = tmp;
Comments:

By: Daniel McKeehan (danmckeehan) 2007-07-13 00:33:04

This is a new issue not related to ASTERISK-9709767, so please don't mark it as a duplicate.

By: phsultan (phsultan) 2007-07-13 04:13:18

Hi Dan,

I have a few questions here:
- are you using an SVN trunk or 1.4 branch of Asterisk;
- did you modify res_jabber.c (line numbers don't match with my revisions of res_jabber.c);
- can you post your jabber.conf file?

Having a console debug with the jabber messages would help too, thanks!

By: Daniel McKeehan (danmckeehan) 2007-07-13 17:00:23

- I am using the SVN trunk http://svn.digium.com/svn/asterisk/trunk/res/res_jabber.c
- Not sure rev 73152

jabber.conf
[general]
debug=no
autoprune=no                ;;Auto remove users from buddy list.
autoregister=yes            ;;Auto register users from buddy list.

;Only one account works others die with a jid error
[gtalk_account]
type=client
serverhost=talk.google.com
username=****@gmail.com/Talk
secret=****
port=5222
usetls=yes
usesasl=yes
statusmessage="****"
timeout=10000

There aren't any jabber logs

By: phsultan (phsultan) 2007-07-16 10:27:11

Not being able to reproduce this, I really need some debug information to move on. Please do the following:
- set the 'debug' option to 'yes' in your jabber.conf file;
- check your /etc/asterisk/logger.conf file and make sure your 'console' entry contains a 'debug' attribute, e.g.:
 console => notice, warning, error, debug, verbose
- run asterisk with the debug option (-ddd).

Also, line 1283 in my revision of res_jabber.c does not match with yours. What's the output of the following commands (first cd to your Asterisk trunk source):
- svn diff res/res_jabber.c
- svn info res/res_jabber.c

By: Daniel McKeehan (danmckeehan) 2007-07-16 16:32:01

Got another crash with more info:

#0  0x00c24b79 in strcasecmp () from /lib/tls/libc.so.6
#1  0x002f58a1 in aji_handle_presence (client=0x8fffa80, pak=0x911320c) at res_jabber.c:1300
#2  0x002f6729 in aji_act_hook (data=0x8fffa80, type=1, node=0x91171f4) at res_jabber.c:728
#3  0x009c522f in tagHook (data=0x900064c, name=0x914c000 "presence", atts=0x0, type=1) at stream.c:281
#4  0x009c34fa in iks_parse (prs=0x900068c,
   data=0x9040700 "<presence from=\"redexpo@gmail.com/Talk.v93CC3FA0DC\" to=\"show2.nowlive.com@gmail.com\"><status>Skype ID: redexpo</status><priority>0</priority><c node=\"http://www.google.com/xmpp/client/caps\" ver=\"1.0.0"..., len=368, finish=0) at sax.c:323
#5  0x009c4cf4 in iks_recv (prs=0x900068c, timeout=1) at stream.c:471
#6  0x002f5154 in aji_recv_loop (data=0x8fffa80) at res_jabber.c:1658
#7  0x080ff2e5 in dummy_start (data=0xce23a0) at utils.c:546
#8  0x00d2a3cc in start_thread () from /lib/tls/libpthread.so.0
#9  0x00c82c3e in clone () from /lib/tls/libc.so.6

The line numbers are off because of some logging and various patches for Google Talk.  Interestingly enough, this user is using the 1.0.0.93 version of the client and pushes its presence every couple of seconds.

By: Daniel McKeehan (danmckeehan) 2007-07-16 16:34:49

I added the following to the file before the strcasecmp to check for null pointers
+               if(!tmp->resource) {
+                       ast_log(LOG_ERROR, "!!!! tmp resource was null!\n");
+                       break;
+               }
+               if(!pak) {
+            ast_log(LOG_ERROR, "!!!! pak resource was null!\n");
+                       break;
+               }
+        if(!pak->from) {
+            ast_log(LOG_ERROR, "!!!! pak from  resource was null!\n");
+                       break;
+        }
+        if(!pak->from->resource) {
+            ast_log(LOG_ERROR, "!!!! pak from resource resource was null!\n");
+               break;
+               }
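Review bot: the "if(!pak)" and "if(!pak->from)" checks inside the loop can never fire usefully, because pak->x is already dereferenced at lines 1278 and 1280 above the while loop (iks_find_cdata(pak->x, "priority") and iks_find_cdata(pak->x, "status")), so a NULL pak would have crashed before reaching them. More importantly, all four guards test only for NULL pointers: an empty resource string in the 'from' attribute (the case later identified in this issue) passes "if(!pak->from->resource)" untouched, and a resource list that has lost its NULL terminator keeps tmp non-NULL on every iteration, so none of these messages would ever be logged for the crash being chased. The "break" on a missing resource also silently abandons the rest of the list rather than skipping the one entry. Minor: the indentation mixes tabs and spaces and should follow res_jabber.c's style.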

None of these logged, so the reference is an invalid pointer, possibly caused by iksemel processing.

By: phsultan (phsultan) 2007-07-17 03:42:36

Did you try the trunk revision without modifying it? You can post your diff file here too if you want, so that we can make sure that your modifications are not the cause of the problem.

Anyhow, we must work on a common basis.

Please also turn the debug messages on (see my previous note), and apply the attached log patch. We need to spot the 'resource' value that's crashing Asterisk, which in your case is apparently not a NULL pointer.

By: phsultan (phsultan) 2007-08-13 05:19:09

I have been working with Dan on this problem for a couple of days now, two problems have shown up, both related to the resource jid processing in the aji_handle_presence function.

Upon priority change, the resource list is not NULL terminated when moving an item to the end of the list. This makes Asterisk endlessly loop whenever reading the list.

Upon reception of a 'from' attribute with an empty resource string, Asterisk crashes when trying to access the found->cap pointer if the resource list for the given buddy is not empty. This situation is perfectly valid and must be handled.

I will provide a fix to both problems soon.

By: Digium Subversion (svnbot) 2007-08-16 04:19:22

Repository: asterisk
Revision: 79665

------------------------------------------------------------------------
r79665 | phsultan | 2007-08-16 04:19:21 -0500 (Thu, 16 Aug 2007) | 21 lines

A fix for two critical problems detected while working with Daniel
McKeehan in issue ASTERISK-9860.

Upon priority change, the resource list is not NULL terminated when
moving an item to the end of the list. This makes Asterisk endlessly
loop whenever it needs to read the list. Jids with different resource and
priority values, like in Gmail's and GoogleTalk's jabber clients, put
that problem in evidence.

Upon reception of a 'from' attribute with an empty resource string,
Asterisk crashes when trying to access the found->cap pointer if the
resource list for the given buddy is not empty. This situation is
perfectly valid and must be handled. The Gizmoproject's jabber client
put that problem in evidence.

Also added a few comments in the code as well as a handle for the
capabilities from Gmail's jabber client, which are stored in a caps:c tag
rather than the usual c tag.

Closes issue ASTERISK-9860.

------------------------------------------------------------------------
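The two failure modes described in the 2007-08-13 comment and in the r79665 commit message above, shown in a simplified C model: a move-to-end that leaves the resource list without a NULL terminator (so a later walk never finishes), and a presence 'from' JID with an empty resource part that matches nothing, which the unsafe code would then dereference as found->cap. This is an added example, not res_jabber.c or the r79665 patch; struct res_node, move_to_end and presence_caps are hypothetical names, and the two-resource roster is constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical, simplified model of a buddy's resource list. The field
 * names mirror the ones visible in the issue (resource, priority, cap,
 * next) but this is not Asterisk's struct aji_resource. */
struct res_node {
    char resource[32];
    int priority;
    const char *cap;            /* capabilities node URL, may be NULL */
    struct res_node *next;
};

/* Walk at most 'limit' nodes. Returns the node count, or -1 when no NULL
 * terminator was reached within the limit, i.e. the list is cyclic. */
static int count_nodes(const struct res_node *head, int limit)
{
    int n = 0;
    for (; head; head = head->next)
        if (++n > limit)
            return -1;
    return n;
}

/* Move n to the tail of the list (what a priority change does). With
 * fix == 0 the moved node keeps its stale ->next, which is the error class
 * the issue describes: the list loses its NULL terminator and every later
 * walk loops forever. */
static void move_to_end(struct res_node **head, struct res_node *n, int fix)
{
    struct res_node *cur;

    if (*head == n) {
        *head = n->next;
    } else {
        for (cur = *head; cur && cur->next != n; cur = cur->next)
            ;
        if (!cur)
            return;             /* n is not in this list */
        cur->next = n->next;
    }
    if (fix)
        n->next = NULL;         /* re-terminate the list */
    if (!*head) {
        *head = n;
        return;
    }
    for (cur = *head; cur->next; cur = cur->next)
        ;
    cur->next = n;
}

/* Resolve the caps for the resource part of a presence 'from' JID. An
 * empty resource (a bare JID) is valid XMPP and simply matches nothing;
 * the unsafe version would return found->cap with found == NULL. */
static const char *presence_caps(const struct res_node *head, const char *res)
{
    const struct res_node *t, *found = NULL;

    if (res && *res) {
        for (t = head; t; t = t->next) {
            if (!strcasecmp(t->resource, res)) {
                found = t;
                break;
            }
        }
    }
    return (found && found->cap) ? found->cap : "";
}

/* Constructed two-resource list: Talk -> Gizmo -> NULL. Push "Talk" to the
 * tail as a priority change would, then count nodes with a bounded walk. */
static int demo_move(int fix)
{
    struct res_node gizmo = { "Gizmo", 5, NULL, NULL };
    struct res_node talk = { "Talk", 0, NULL, &gizmo };
    struct res_node *head = &talk;

    move_to_end(&head, &talk, fix);
    return count_nodes(head, 16);
}

/* Constructed roster with one resource advertising caps and one without;
 * the caps URL is the one seen in the issue's presence stanza. */
static const char *demo_caps(const char *res)
{
    static struct res_node gizmo = { "Gizmo", 5, NULL, NULL };
    static struct res_node talk = { "Talk", 0,
        "http://www.google.com/xmpp/client/caps", &gizmo };
    return presence_caps(&talk, res);
}

int main(void)
{
    printf("buggy move: %d nodes (-1 = cycle)\n", demo_move(0));
    printf("fixed move: %d nodes\n", demo_move(1));
    printf("caps for 'Talk': %s\n", demo_caps("Talk"));
    printf("caps for '':     '%s'\n", demo_caps(""));
    return 0;
}
```

The bounded walk in count_nodes is the cheap diagnostic to add while chasing a hang like the one above: a genuine roster never has more than a handful of resources, so hitting the limit is itself the evidence that a terminator was lost.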

By: Digium Subversion (svnbot) 2007-08-16 04:27:32

Repository: asterisk
Revision: 79666

------------------------------------------------------------------------
r79666 | phsultan | 2007-08-16 04:27:31 -0500 (Thu, 16 Aug 2007) | 29 lines

Merged revisions 79665 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.4

........
r79665 | phsultan | 2007-08-16 11:37:10 +0200 (Thu, 16 Aug 2007) | 21 lines

A fix for two critical problems detected while working with Daniel
McKeehan in issue ASTERISK-9860.

Upon priority change, the resource list is not NULL terminated when
moving an item to the end of the list. This makes Asterisk endlessly
loop whenever it needs to read the list. Jids with different resource and
priority values, like in Gmail's and GoogleTalk's jabber clients, put
that problem in evidence.

Upon reception of a 'from' attribute with an empty resource string,
Asterisk crashes when trying to access the found->cap pointer if the
resource list for the given buddy is not empty. This situation is
perfectly valid and must be handled. The Gizmoproject's jabber client
put that problem in evidence.

Also added a few comments in the code as well as a handle for the
capabilities from Gmail's jabber client, which are stored in a caps:c tag
rather than the usual c tag.

Closes issue ASTERISK-9860.

........

------------------------------------------------------------------------