Summary: | ASTERISK-10591: Passing a NULL value back from IF() to Set() on 64-bit crashes Asterisk | ||
Reporter: | Leif Madsen (lmadsen) | Labels: | |
Date Opened: | 2007-10-22 12:43:29 | Date Closed: | 2007-10-23 16:04:45 |
Priority: | Critical | Regression? | No |
Status: | Closed/Complete | Components: | Functions/func_logic |
Versions: | Frequency of Occurrence | ||
Related Issues: | |||
Environment: | Attachments: | ( 0) backtrace.txt | |
Description: | Here is the offending dialplan line:

    exten => _X.,n,Set(RING_CYCLE=${IF($[${ISNULL(${ARG3})} & ${EXISTS(${RING_CYCLE})}]?${RING_CYCLE})})

If the IF() function returns NULL (false branch), then Asterisk will crash. Doing:

    Set(RING_CYCLE=)

does not crash Asterisk, so it seems to be something that the IF() is passing back. This works fine on a 32-bit OS.
Comments: |

By: Leif Madsen (lmadsen) 2007-10-22 14:33:31

with DEBUG_MALLOC on, I get this in mmlog:

    WARNING: Freeing unused memory at (nil), in ast_yyfree of ast_expr2f.c, line 3091

By: Tilghman Lesher (tilghman) 2007-10-22 14:34:09

Additional debugging solicited via IRC indicated a memory allocation problem in ast_expr2f.c

By: Steve Murphy (murf) 2007-10-23 15:53:36

OK, the problem is this:

1. the IF function in this case will evaluate to "<expr>?" with <expr> replaced by the above. This will be handed to a parse call using ? as the sep.
2. This separate_args will set arg1 to the <expr> and will set the arg1.remainder variable in the IF func body to NULL.
3. The next call to parse arg1.remainder fails to set arg2.iffalse, which on certain 64-bit platforms, at certain moon phases, will have garbage in it, which will lead to a crash.
4. Efforts to 'fix' the separate_args code to always set all args to something ended in disaster. This was not the right way to fix it.
5. Added a check for this condition to the IF func code. This will now see this kind of situation and log an error in the function input, and return a -1 value.

By: Digium Subversion (svnbot) 2007-10-23 15:57:12

Repository: asterisk
Revision: 86902

U   branches/1.4/funcs/func_logic.c

------------------------------------------------------------------------
r86902 | murf | 2007-10-23 15:57:11 -0500 (Tue, 23 Oct 2007) | 1 line

closes issue ASTERISK-10591 -- where nothing after the ? will allow un-initialized variable values to corrupt and crash asterisk on 64-bit platforms
------------------------------------------------------------------------

By: Digium Subversion (svnbot) 2007-10-23 16:04:45

Repository: asterisk
Revision: 86903

_U  trunk/
U   trunk/funcs/func_logic.c

------------------------------------------------------------------------
r86903 | murf | 2007-10-23 16:04:44 -0500 (Tue, 23 Oct 2007) | 9 lines

Merged revisions 86902 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.4

........
r86902 | murf | 2007-10-23 15:18:08 -0600 (Tue, 23 Oct 2007) | 1 line

closes issue ASTERISK-10591 -- where nothing after the ? will allow un-initialized variable values to corrupt and crash asterisk on 64-bit platforms
........
------------------------------------------------------------------------
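
A simplified C sketch of the failure mode and the guard described in the comments above, added here as an example and not taken from Asterisk's func_logic.c. The names `split_branches`, `eval_if` and `struct if_branches` are hypothetical, the error text is made up, and the expression is assumed to be already reduced to "0" or "1".

```c
#include <stdio.h>
#include <string.h>

struct if_branches { char *iftrue; char *iffalse; };

/* Hypothetical stand-in for the argument splitter: as in the behaviour the
 * comment describes, a NULL buffer makes it return without writing to *out. */
static int split_branches(char *buf, struct if_branches *out)
{
    char *colon;
    if (!buf)
        return 0;                 /* *out keeps whatever it held before */
    out->iftrue = buf;
    colon = strchr(buf, ':');
    if (colon)
        *colon++ = '\0';
    out->iffalse = colon;         /* NULL when no false branch was given */
    return colon ? 2 : 1;
}

/* Evaluate "<expr>?<true>[:<false>]" in place; <expr> is assumed to be already
 * reduced to "0" or "1". Returns 0 and sets *result, or -1 on malformed input. */
static int eval_if(char *data, const char **result)
{
    struct if_branches br = { NULL, NULL };   /* no indeterminate pointers */
    char *rest = strchr(data, '?');

    *result = "";
    if (rest)
        *rest++ = '\0';
    if (!rest || !*rest) {        /* nothing after '?': the case from this issue */
        fprintf(stderr, "IF: nothing after '?' in function input\n");
        return -1;
    }
    split_branches(rest, &br);
    if (*data && strcmp(data, "0") != 0)
        *result = br.iftrue;
    else if (br.iffalse)
        *result = br.iffalse;
    return 0;
}

int main(void)
{
    char input[] = "0?";          /* constructed input: empty after '?' */
    const char *out;
    printf("rc=%d\n", eval_if(input, &out));
    return 0;
}
```

The zero-initialised struct and the explicit check are independent defences: either one alone keeps a stale pointer from being dereferenced when the splitter returns early.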