
Summary: ASTERISK-09956: memory corruption on freebsd sparc64
Reporter: Mattias W Eriksson (mattias04)
Labels:
Date Opened: 2007-07-25 09:40:50
Date Closed: 2008-01-29 10:57:18.000-0600
Priority: Major
Regression?: No
Status: Closed/Complete
Components: Channels/chan_sip/General
Versions:
Frequency of Occurrence:
Related Issues:
Environment:
Attachments:
Description: after calling strchr in function set_address_from_contact()
...
/* Grab host */
host = strchr(contact, '@');
...
memory gets corrupted.
strchr should not alter the input string.

I suspect that
...
/* Work on a copy */
contact = ast_strdupa(pvt->fullcontact);
...
might have something to do with it.
When doing some debugging I get this:

njord*CLI>
[Jul 25 14:11:43] WARNING[22832]: chan_sip.c:7779 set_address_from_contact: MWE DEBUG: pvt->fullcontact : 'sip:020252500@83.140.41.50'
[Jul 25 14:11:43] WARNING[22832]: chan_sip.c:7781 set_address_from_contact: MWE DEBUG: contact : 'sip:020252500@83.140.41.50'
[Jul 25 14:11:43] WARNING[22832]: chan_sip.c:7793 set_address_from_contact: MWE DEBUG: contact : '020252500@83.140.41.50'
[Jul 25 14:11:43] WARNING[22832]: chan_sip.c:7795 set_address_from_contact: MWE DEBUG: strchr contact : '020252500@83.140.41.'
[Jul 25 14:11:43] WARNING[22832]: chan_sip.c:7796 set_address_from_contact: MWE DEBUG: strchr host : '@83.140.41.'
[Jul 25 14:11:43] WARNING[22832]: chan_sip.c:7810 set_address_from_contact: MWE DEBUG: contact : '020252500'
[Jul 25 14:11:43] WARNING[22832]: chan_sip.c:7812 set_address_from_contact: MWE DEBUG: contact strsep : '020252500'
[Jul 25 14:11:43] WARNING[22832]: chan_sip.c:7813 set_address_from_contact: MWE DEBUG: host : '83.140.41.'
[Jul 25 14:11:43] WARNING[22832]: chan_sip.c:7815 set_address_from_contact: MWE DEBUG: host strsep : '83.140.41.'
[Jul 25 14:11:43] WARNING[22832]: chan_sip.c:7821 set_address_from_contact: Invalid host name in Contact: (can't resolve in DNS) : '83.140.41.'
[Jul 25 14:11:50] WARNING[22832]: chan_sip.c:12459 handle_response: Remote host can't match request BYE to call '2014421459e28760110e8f3a50dae531@cx-cust-shg


As you can see, the IP address 83.140.41.50 gets truncated.


****** ADDITIONAL INFORMATION ******

If I replace the strchr function with a statically allocated buffer, there is no problem:

...
char *contact;
char buf[BUFSIZ];

/* Work on a copy */
contact = ast_strdupa(pvt->fullcontact);
buf[0] = '\0';
strncat(buf, pvt->fullcontact, sizeof(buf) - 1); /* leave room for the terminating NUL; strncat with BUFSIZ could write one byte past the buffer */
contact = buf;
....

My debugging output:

njord*CLI>
[Jul 25 16:02:30] WARNING[61225]: chan_sip.c:7781 set_address_from_contact: MWE DEBUG: pvt->fullcontact : 'sip:020252500@83.140.41.50'
[Jul 25 16:02:30] WARNING[61225]: chan_sip.c:7786 set_address_from_contact: MWE DEBUG: contact : 'sip:020252500@83.140.41.50'
[Jul 25 16:02:30] WARNING[61225]: chan_sip.c:7798 set_address_from_contact: MWE DEBUG: contact : '020252500@83.140.41.50'
[Jul 25 16:02:30] WARNING[61225]: chan_sip.c:7808 set_address_from_contact: MWE DEBUG: strchr contact : '020252500@83.140.41.50'
[Jul 25 16:02:30] WARNING[61225]: chan_sip.c:7809 set_address_from_contact: MWE DEBUG: strchr host : '@83.140.41.50'
[Jul 25 16:02:30] WARNING[61225]: chan_sip.c:7823 set_address_from_contact: MWE DEBUG: contact : '020252500'
[Jul 25 16:02:30] WARNING[61225]: chan_sip.c:7825 set_address_from_contact: MWE DEBUG: contact strsep : '020252500'
[Jul 25 16:02:30] WARNING[61225]: chan_sip.c:7826 set_address_from_contact: MWE DEBUG: host : '83.140.41.50'
[Jul 25 16:02:30] WARNING[61225]: chan_sip.c:7828 set_address_from_contact: MWE DEBUG: host strsep : '83.140.41.50'


This has been tested and verified with asterisk 1.4.8 and 1.4.9 on freebsd 6.2 sparc64.
Asterisk was built from ports.
Comments:

By: Mattias W Eriksson (mattias04) 2007-07-25 09:44:29

Sorry, the line contact = ast_strdupa(...) should be commented, like below:
...
char *contact;
char buf[BUFSIZ];

/* Work on a copy */
//contact = ast_strdupa(pvt->fullcontact);
buf[0] = '\0';
strncat(buf, pvt->fullcontact, sizeof(buf) - 1); /* leave room for the terminating NUL; strncat with BUFSIZ could write one byte past the buffer */
contact = buf;
....

By: Mattias W Eriksson (mattias04) 2007-07-25 15:30:10

A side note:
I'm using the automon feature at times, and I've seen
that the filename occasionally gets truncated, with some random characters,
like this:
monitor-20070725-101834-5302-0706828800.wav (correct filename)
monitor-20070725-101834-530.wav (truncated filename)

Do these two bugs have something in common?

By: Mark Michelson (mmichelson) 2007-07-26 10:51:23

The only link I'm seeing between the two is that in order to create the space for the character strings, they both call strlen on the input and alloca to create a proper-sized stack buffer for the local strings.

What compiler do you use to compile Asterisk?

By: Mattias W Eriksson (mattias04) 2007-07-26 15:55:50

The version of gcc is (default in FreeBSD 6.2):

[root@njord ~/bin/spamcop]# gcc --version
gcc (GCC) 3.4.6 [FreeBSD] 20060305
Copyright (C) 2006 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Both Linux and FreeBSD man pages for alloca discourage the use of alloca(). I have never used the function myself, so I have no opinion here.
I can clearly see that it is a neat way of allocating memory.

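The report's user@host split in set_address_from_contact() and the strdupa()/alloca() versus fixed-buffer discussion above both come down to the same question: how to copy the Contact onto the stack and parse it without relying on alloca and without the silent truncation that strncat(buf, src, BUFSIZ) can cause. The following is an added example written for this page, not Asterisk's code or the reporter's patch. It uses a fixed-size stack buffer with an explicit length check (oversized input is rejected rather than shortened), then splits scheme, user, host and port. The names parse_contact, is_ipv4_literal, numeric_only, CONTACT_MAX and DEFAULT_SIP_PORT are assumptions of this example, and the sample Contact is constructed from the log lines in the report. The dotted-quad check goes beyond the original code: a host made only of digits and dots that is not a valid IPv4 literal (such as the truncated '83.140.41.' in the log) is refused before any DNS lookup.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Asterisk code. Names below are assumptions. */
#define CONTACT_MAX 256        /* largest Contact this example accepts */
#define DEFAULT_SIP_PORT 5060  /* standard SIP port, used when no :port is given */

/* Returns 1 if s is a valid dotted-quad IPv4 literal (four 0-255 octets). */
int is_ipv4_literal(const char *s)
{
    int octets = 0;
    while (*s) {
        int val = 0, digits = 0;
        while (*s >= '0' && *s <= '9') {
            val = val * 10 + (*s - '0');
            if (++digits > 3)
                return 0;
            s++;
        }
        if (digits == 0 || val > 255)
            return 0;
        octets++;
        if (*s == '.') {
            s++;
            if (*s == '\0')   /* trailing dot: a truncated literal */
                return 0;
        } else if (*s != '\0') {
            return 0;
        }
    }
    return octets == 4;
}

/* Returns 1 if s contains only digits and dots (looks like an IP literal). */
int numeric_only(const char *s)
{
    if (*s == '\0')
        return 0;
    for (; *s; s++)
        if (!((*s >= '0' && *s <= '9') || *s == '.'))
            return 0;
    return 1;
}

/* Parse "sip:user@host[:port]" into user, host and port.
 * Returns 0 on success, -1 if the input is oversized or malformed. */
int parse_contact(const char *fullcontact,
                  char *user, size_t user_len,
                  char *host, size_t host_len, int *port)
{
    char buf[CONTACT_MAX];
    char *contact, *at, *colon;
    size_t n;

    if (!fullcontact || !user || !host || !port || user_len == 0)
        return -1;

    /* Copy onto the stack with an explicit size check: refuse input that
     * does not fit instead of letting strncat/strncpy drop characters. */
    n = strlen(fullcontact);
    if (n >= sizeof(buf))
        return -1;
    memcpy(buf, fullcontact, n + 1);   /* n + 1 includes the terminating NUL */
    contact = buf;

    /* Strip a leading "sip:" scheme, if present */
    if (strncmp(contact, "sip:", 4) == 0)
        contact += 4;

    /* Split user@host; a Contact without '@' has an empty user part */
    at = strchr(contact, '@');
    if (at) {
        *at = '\0';
        if (strlen(contact) >= user_len)
            return -1;
        strcpy(user, contact);          /* length checked just above */
        contact = at + 1;
    } else {
        user[0] = '\0';
    }

    /* Optional :port suffix (bracketed IPv6 hosts are not handled here) */
    *port = DEFAULT_SIP_PORT;
    colon = strchr(contact, ':');
    if (colon) {
        char *end;
        long p;
        *colon = '\0';
        p = strtol(colon + 1, &end, 10);
        if (end == colon + 1 || *end != '\0' || p < 1 || p > 65535)
            return -1;
        *port = (int)p;
    }

    /* Reject an empty host, and a digits-and-dots host that is not a
     * complete IPv4 literal, before anyone tries to resolve it. */
    if (*contact == '\0')
        return -1;
    if (numeric_only(contact) && !is_ipv4_literal(contact))
        return -1;
    if (strlen(contact) >= host_len)
        return -1;
    strcpy(host, contact);              /* length checked just above */
    return 0;
}

int main(void)
{
    char user[64], host[128];
    int port;
    /* constructed sample, matching the Contact shown in the report's log */
    if (parse_contact("sip:020252500@83.140.41.50", user, sizeof(user),
                      host, sizeof(host), &port) == 0)
        printf("user=%s host=%s port=%d\n", user, host, port);
    /* the truncated host from the corrupted run is rejected */
    if (parse_contact("sip:020252500@83.140.41.", user, sizeof(user),
                      host, sizeof(host), &port) != 0)
        printf("rejected truncated contact\n");
    return 0;
}
```

The copy is deliberately a memcpy of a length that was checked against sizeof(buf) rather than a strncat with the buffer size: strncat's third argument is the number of bytes to append, not the destination size, so passing BUFSIZ into a BUFSIZ-byte buffer can write the terminating NUL one byte past the end. Rejecting oversized or malformed input outright is also what keeps a shortened host from reaching DNS resolution, which is the symptom in the report.
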
By: Mark Michelson (mmichelson) 2007-08-09 18:15:16

I sent an e-mail to the asterisk users list a week ago regarding this issue and received no responses. I've not heard of any other users who have had this issue, and there appears to be nothing wrong with the code.

I'm closing this issue since I believe the problem to be dependent on your system. If someone finds a way to reliably reproduce this issue on similar systems, then please reopen.

By: Digium Subversion (svnbot) 2008-01-28 12:31:33.000-0600

Repository: asterisk
Revision: 100629

U   branches/1.4/channels/chan_sip.c

------------------------------------------------------------------------
r100629 | russell | 2008-01-28 12:31:32 -0600 (Mon, 28 Jan 2008) | 5 lines

For some reason, the use of this strdupa() is leading to memory corruption on
freebsd sparc64.  This trivial workaround fixes it.

(closes issue ASTERISK-9956, closes issue ASTERISK-11316, reported by mattias04 and Home-of-the-Brave)

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=100629

By: Digium Subversion (svnbot) 2008-01-28 12:36:20.000-0600

Repository: asterisk
Revision: 100630

_U  trunk/
U   trunk/channels/chan_sip.c

------------------------------------------------------------------------
r100630 | russell | 2008-01-28 12:36:15 -0600 (Mon, 28 Jan 2008) | 13 lines

Merged revisions 100629 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.4

........
r100629 | russell | 2008-01-28 12:34:20 -0600 (Mon, 28 Jan 2008) | 5 lines

For some reason, the use of this strdupa() is leading to memory corruption on
freebsd sparc64.  This trivial workaround fixes it.

(closes issue ASTERISK-9956, closes issue ASTERISK-11316, reported by mattias04 and Home-of-the-Brave)

........

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=100630

By: Digium Subversion (svnbot) 2008-01-29 10:57:18.000-0600

Repository: asterisk
Revision: 100881

_U  team/murf/bug11210/
U   team/murf/bug11210/apps/app_voicemail.c
U   team/murf/bug11210/build_tools/menuselect-deps.in
U   team/murf/bug11210/channels/Makefile
U   team/murf/bug11210/channels/chan_h323.c
U   team/murf/bug11210/channels/chan_iax2.c
U   team/murf/bug11210/channels/chan_local.c
U   team/murf/bug11210/channels/chan_mgcp.c
U   team/murf/bug11210/channels/chan_misdn.c
U   team/murf/bug11210/channels/chan_sip.c
A   team/murf/bug11210/channels/chan_vpb.cc
U   team/murf/bug11210/channels/chan_zap.c
A   team/murf/bug11210/configs/vpb.conf.sample
U   team/murf/bug11210/configure
U   team/murf/bug11210/configure.ac
U   team/murf/bug11210/doc/tex/channelvariables.tex
U   team/murf/bug11210/include/asterisk/autoconfig.h.in
U   team/murf/bug11210/include/asterisk/channel.h
U   team/murf/bug11210/include/asterisk/sched.h
U   team/murf/bug11210/main/cdr.c
U   team/murf/bug11210/main/channel.c
U   team/murf/bug11210/main/dnsmgr.c
U   team/murf/bug11210/main/features.c
U   team/murf/bug11210/main/file.c
U   team/murf/bug11210/main/logger.c
U   team/murf/bug11210/main/pbx.c
U   team/murf/bug11210/main/rtp.c
U   team/murf/bug11210/makeopts.in
U   team/murf/bug11210/pbx/pbx_dundi.c

------------------------------------------------------------------------
r100881 | murf | 2008-01-29 10:57:16 -0600 (Tue, 29 Jan 2008) | 213 lines

Merged revisions 100488,100497,100514,100532-100533,100549,100565,100582,100625,100627-100628,100630-100632,100671,100674,100676-100679 via svnmerge from
https://origsvn.digium.com/svn/asterisk/trunk

................
r100488 | tilghman | 2008-01-27 15:35:29 -0700 (Sun, 27 Jan 2008) | 19 lines

Merged revisions 100465 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.4

........
r100465 | tilghman | 2008-01-27 15:59:53 -0600 (Sun, 27 Jan 2008) | 11 lines

When deleting a task from the scheduler, ignoring the return value could
possibly cause memory to be accessed after it is freed, which causes all
sorts of random memory corruption.  Instead, if a deletion fails, wait a
bit and try again (noting that another thread could change our taskid
value).
(closes issue ASTERISK-10897)
Reported by: flujan
Patches:
      20080124__bug11386.diff.txt uploaded by Corydon76 (license 14)
Tested by: Corydon76, flujan, stuarth`

........

................
r100497 | tilghman | 2008-01-27 16:14:48 -0700 (Sun, 27 Jan 2008) | 5 lines

With the switch to the ast_sched_replace* API in trunk, we lose the correction
that was just merged from 1.4, so this is a changeover to those APIs to use the
macro versions, so that we properly detect errors from ast_sched_del, instead
of simply ignoring the return values.

................
r100514 | russell | 2008-01-27 17:56:14 -0700 (Sun, 27 Jan 2008) | 5 lines

These readlocks always fail for me on my mac, and I saw it happen again
today on another mac.  We ignore the return value of locking operations almost
everywhere in Asterisk.  So, ignore these, as well, so Asterisk will actually
work on systems where this is occurring while I look into what the issue is.

................
r100532 | russell | 2008-01-27 21:30:44 -0700 (Sun, 27 Jan 2008) | 3 lines

- Simplify a line with ARRAY_LEN()
- Make a few little formatting changes

................
r100533 | russell | 2008-01-27 21:43:14 -0700 (Sun, 27 Jan 2008) | 2 lines

Make a couple more uses of ARRAY_LEN, and convert some spaces to tabs

................
r100549 | file | 2008-01-28 06:57:38 -0700 (Mon, 28 Jan 2008) | 4 lines

Don't do a network byte order conversion when setting the socket's port variable to that of bindaddr's. It is already in the correct network byte order.
(closes issue ASTERISK-11268)
Reported by: hmodes

................
r100565 | russell | 2008-01-28 07:27:28 -0700 (Mon, 28 Jan 2008) | 2 lines

Clean up some formatting, and simplify a bit of code using ast_str

................
r100582 | russell | 2008-01-28 10:21:24 -0700 (Mon, 28 Jan 2008) | 17 lines

Merged revisions 100581 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.4

........
r100581 | russell | 2008-01-28 11:15:41 -0600 (Mon, 28 Jan 2008) | 9 lines

Make some deadlock related fixes.  These bugs were discovered and reported
internally at Digium by Steve Pitts.
- Fix up chan_local to ensure that the channel lock is held before the local
  pvt lock.
- Don't hold the channel lock when executing the timing function, as it can
  cause a deadlock when using chan_local.  This actually changes the code back
  to be how it was before the change for issue ASTERISK-10339.  But, I added some other
  locking that I think will prevent the problem reported there, as well.

........

................
r100625 | qwell | 2008-01-28 11:24:40 -0700 (Mon, 28 Jan 2008) | 9 lines

Merged revisions 100624 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.4

........
r100624 | qwell | 2008-01-28 12:23:09 -0600 (Mon, 28 Jan 2008) | 1 line

Correct a comment which made little/no sense.
........

................
r100627 | russell | 2008-01-28 11:27:08 -0700 (Mon, 28 Jan 2008) | 15 lines

Merged revisions 100626 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.4

........
r100626 | russell | 2008-01-28 12:26:31 -0600 (Mon, 28 Jan 2008) | 7 lines

Fix a crash in ast_masq_park_call()

(issue ASTERISK-10856)
Reported by: DEA
Patches:
     res_features-park.txt uploaded by DEA (license 3)

........

................
r100628 | tilghman | 2008-01-28 11:27:29 -0700 (Mon, 28 Jan 2008) | 3 lines

Normalize the detection for execinfo, so that Linux (glibc) and other platforms
with libexecinfo will generate inline stack backtraces correctly.

................
r100630 | russell | 2008-01-28 11:38:56 -0700 (Mon, 28 Jan 2008) | 13 lines

Merged revisions 100629 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.4

........
r100629 | russell | 2008-01-28 12:34:20 -0600 (Mon, 28 Jan 2008) | 5 lines

For some reason, the use of this strdupa() is leading to memory corruption on
freebsd sparc64.  This trivial workaround fixes it.

(closes issue ASTERISK-9956, closes issue ASTERISK-11316, reported by mattias04 and Home-of-the-Brave)

........

................
r100631 | russell | 2008-01-28 11:41:23 -0700 (Mon, 28 Jan 2008) | 3 lines

Merge rev 100626 from Asterisk 1.4.  The svnmerge of this commit was a NoOp, since
res_features doesn't exist in trunk.  Thanks to qwell for pointing it out!

................
r100632 | file | 2008-01-28 12:04:53 -0700 (Mon, 28 Jan 2008) | 2 lines

Fix up two scheduling issues. In one instance a scheduled item was not deleted when it should have been and in the other it was scheduled again when it shouldn't have been.

................
r100671 | file | 2008-01-28 13:40:08 -0700 (Mon, 28 Jan 2008) | 6 lines

Fix up some T38 state change issues.
(closes issue ASTERISK-11106)
Reported by: dimas
Patches:
     v2-sip-t38state.patch uploaded by dimas (license 88)

................
r100674 | mmichelson | 2008-01-28 13:58:12 -0700 (Mon, 28 Jan 2008) | 10 lines

Blocked revisions 100673 via svnmerge

........
r100673 | mmichelson | 2008-01-28 14:55:56 -0600 (Mon, 28 Jan 2008) | 3 lines

Undoing the deprecation of chan_vpb. It is alive and well.


........

................
r100676 | qwell | 2008-01-28 14:02:11 -0700 (Mon, 28 Jan 2008) | 16 lines

Merged revisions 100672 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.4

(closes issue ASTERISK-11263)
........
r100672 | qwell | 2008-01-28 14:42:43 -0600 (Mon, 28 Jan 2008) | 7 lines

When using ODBC_STORAGE, make sure we put greeting files into the database like we do with the others.

Issue ASTERISK-11263
Reported by: dimas
Patches:
     vmgreet.patch uploaded by dimas (license 88)

........

................
r100677 | tilghman | 2008-01-28 14:05:29 -0700 (Mon, 28 Jan 2008) | 10 lines

Merged revisions 100675 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.4

........
r100675 | tilghman | 2008-01-28 15:02:02 -0600 (Mon, 28 Jan 2008) | 2 lines

WaitExten didn't handle AbsoluteTimeout properly (went to 't' instead of 'T')

........

................
r100678 | mmichelson | 2008-01-28 14:07:18 -0700 (Mon, 28 Jan 2008) | 3 lines

Re-inserting chan_vpb into trunk.


................
r100679 | qwell | 2008-01-28 14:11:24 -0700 (Mon, 28 Jan 2008) | 1 line

Reintroduce more chan_vpb stuff that was removed in r100421 and r100422
................

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=100881