
Summary: ASTERISK-10626: Segfault in strlen from ast_dynamic_str_thread_build_va __iax2_poke_noanswer
Reporter: Leif Jackson (ljackson)
Labels:
Date Opened: 2007-10-26 10:06:37
Date Closed: 2007-10-30 16:21:08
Priority: Critical
Regression?: No
Status: Closed/Complete
Components: Channels/chan_iax2
Versions:
Frequency of Occurrence:
Related Issues:
Environment:
Attachments: ( 0) bt-full.iax2-crash.txt

Description: After disconnecting a registered IAX client's ethernet cable local to the asterisk server, there is about a 1/10 chance that asterisk will crash with the following bt from the core:

Core was generated by `/usr/sbin/asterisk -f -vvvg -c'.
Program terminated with signal 11, Segmentation fault.
#0  0x002c130b in strlen () from /lib/libc.so.6
(gdb) where
#0  0x002c130b in strlen () from /lib/libc.so.6
#1  0x00293f82 in vfprintf () from /lib/libc.so.6
#2  0x002b24b4 in vsnprintf () from /lib/libc.so.6
#3  0x080facad in ast_dynamic_str_thread_build_va (buf=0xb7b4b1f0, max_len=8192, ts=0x8157444,
   append=0, fmt=0x1007744 "Peer '%s' is now UNREACHABLE! Time: %d\n", ap=0xb7b4b244 "9")
   at utils.c:1246
#4  0x080ae31f in ast_log (level=2, file=0x1003cd3 "chan_iax2.c", line=8467,
   function=0x100772c "__iax2_poke_noanswer",
   fmt=0x1007744 "Peer '%s' is now UNREACHABLE! Time: %d\n") at logger.c:799
#5  0x00ff3c61 in __iax2_poke_noanswer (data=0xa1b37f8) at chan_iax2.c:8467
#6  0x00ff2e92 in iax2_process_thread (data=0xa170778) at chan_iax2.c:8259
#7  0x080f9e58 in dummy_start (data=0xa16c5f0) at utils.c:806
#8  0x003c82db in start_thread () from /lib/libpthread.so.0
#9  0x0032212e in clone () from /lib/libc.so.6
(gdb) frame 3
#3  0x080facad in ast_dynamic_str_thread_build_va (buf=0xb7b4b1f0, max_len=8192, ts=0x8157444,
   append=0, fmt=0x1007744 "Peer '%s' is now UNREACHABLE! Time: %d\n", ap=0xb7b4b244 "9")
   at utils.c:1246
1246            res = vsnprintf((*buf)->str + offset, (*buf)->len - offset, fmt, ap);
(gdb) p buf
$1 = (struct ast_dynamic_str **) 0xb7b4b1f0
(gdb) p buf->str
$2 = 0xa1b565c "Peer '6 10:44:54] NOTICE[14110] chan_iax2.c: "
(gdb) p fmt
$3 = 0x1007744 "Peer '%s' is now UNREACHABLE! Time: %d\n"
(gdb) p ap
$4 = 0xb7b4b244 "9"


Looking at chan_iax2.c:8467:

       if (peer->lastms > -1) {
               ast_log(LOG_NOTICE, "Peer '%s' is now UNREACHABLE! Time: %d\n", peer->name, peer->lastms);
               manager_event(EVENT_FLAG_SYSTEM, "PeerStatus", "Peer: IAX2/%s\r\nPeerStatus: Unreachable\r\nTime: %d\r\n", peer->name, peer->lastms);
               ast_device_state_changed("IAX2/%s", peer->name); /* Activate notification */
       }

Seems peer->name is an invalid address; any way to avoid this or check for it?

Thanks,
Leif
Comments:

By: Digium Subversion (svnbot) 2007-10-30 10:51:02

Repository: asterisk
Revision: 87569

A   team/russell/iax2_poke_fix/

------------------------------------------------------------------------
r87569 | russell | 2007-10-30 10:51:00 -0500 (Tue, 30 Oct 2007) | 9 lines

Create a branch for a small project I'm working on.  There is a race condition
related to the handling of POKEing peers.  Essentially, a reference to a peer
is held by the scheduler when there are pending callbacks, but the reference
count doesn't reflect it.  So, it is possible for a peer to hit a reference
count of zero and have its destructor begin to be called at the same time that
the scheduler thread runs a POKE related callback.  If that happens, a crash
will likely occur.
(related to issues ASTERISK-10614, ASTERISK-10626)

------------------------------------------------------------------------

By: Digium Subversion (svnbot) 2007-10-30 16:18:07

Repository: asterisk
Revision: 87686

U   branches/1.4/channels/chan_iax2.c

------------------------------------------------------------------------
r87686 | russell | 2007-10-30 16:18:06 -0500 (Tue, 30 Oct 2007) | 11 lines

Merge the changes from team/russell/iax2_poke_fix and iax2-poke-fix-trunk

There was a race condition related to the handling of POKEing peers.  Essentially,
a reference to a peer is held by the scheduler when there are pending callbacks,
but the reference count didn't reflect it.  So, it was possible for a peer to hit
a reference count of zero and have its destructor begin to be called at the same
time that the scheduler thread ran a POKE related callback.  If that happened,
a crash would likely occur.

(closes issue ASTERISK-10614, closes issue ASTERISK-10626)

------------------------------------------------------------------------

By: Digium Subversion (svnbot) 2007-10-30 16:21:08

Repository: asterisk
Revision: 87687

_U  trunk/
U   trunk/channels/chan_iax2.c

------------------------------------------------------------------------
r87687 | russell | 2007-10-30 16:21:07 -0500 (Tue, 30 Oct 2007) | 19 lines

Merged revisions 87686 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.4

........
r87686 | russell | 2007-10-30 16:19:09 -0500 (Tue, 30 Oct 2007) | 11 lines

Merge the changes from team/russell/iax2_poke_fix and iax2-poke-fix-trunk

There was a race condition related to the handling of POKEing peers.  Essentially,
a reference to a peer is held by the scheduler when there are pending callbacks,
but the reference count didn't reflect it.  So, it was possible for a peer to hit
a reference count of zero and have its destructor begin to be called at the same
time that the scheduler thread ran a POKE related callback.  If that happened,
a crash would likely occur.

(closes issue ASTERISK-10614, closes issue ASTERISK-10626)

........

------------------------------------------------------------------------
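The race described in the commit messages above (a scheduler callback outliving the reference count that should have kept its peer alive, so the callback formats peer->name from a destroyed object), as an added C model that is not Asterisk's code and not the actual chan_iax2.c fix: a refcounted peer, a scheduler that queues a callback without taking a reference (the reported behaviour) beside one that takes a reference per pending callback (the shape of the fix). Every name here (peer_ref, peer_unref, sched_add_unsafe, sched_add_safe, run_scenario) and the peer name "branch-office" are constructed assumptions, and the destructor only marks the object instead of freeing it so the buggy path can be observed without undefined behaviour.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the POKE lifetime bug; not Asterisk code. */
#define MAX_PENDING 8

struct peer {
    char name[32];
    int refcount;     /* a real implementation uses atomic ops or the peer lock */
    bool destroyed;   /* set by the destructor instead of free(), to keep the model safe */
};

typedef void (*sched_cb)(struct peer *);

struct sched_entry {
    sched_cb cb;
    struct peer *peer;
    bool holds_ref;   /* true when the pending callback owns a reference */
};

static struct sched_entry pending[MAX_PENDING];
static int npending;
static char last_log[64];

static void peer_init(struct peer *p, const char *name)
{
    memset(p, 0, sizeof *p);
    strncpy(p->name, name, sizeof p->name - 1);
    p->refcount = 1;  /* the owner's (peer list's) reference */
}

static struct peer *peer_ref(struct peer *p)
{
    p->refcount++;
    return p;
}

static void peer_unref(struct peer *p)
{
    if (--p->refcount == 0)
        p->destroyed = true;   /* destructor: would be free() in real code */
}

/* Buggy form: the scheduler remembers the pointer but holds no reference. */
static int sched_add_unsafe(sched_cb cb, struct peer *p)
{
    if (npending == MAX_PENDING)
        return -1;
    pending[npending++] = (struct sched_entry){ cb, p, false };
    return 0;
}

/* Fixed form: queuing takes a reference; the scheduler releases it after the callback ran. */
static int sched_add_safe(sched_cb cb, struct peer *p)
{
    if (npending == MAX_PENDING)
        return -1;
    pending[npending++] = (struct sched_entry){ cb, peer_ref(p), true };
    return 0;
}

/* Stand-in for __iax2_poke_noanswer: formats the same log line as in the report. */
static void poke_noanswer(struct peer *p)
{
    snprintf(last_log, sizeof last_log, "Peer '%s' is now UNREACHABLE!", p->name);
}

const char *last_log_line(void) { return last_log; }

/* Runs every pending callback.  Returns how many callbacks found their peer
 * already destroyed, which is the condition that crashed in strlen(). */
static int sched_run_pending(void)
{
    int used_after_destroy = 0;
    for (int i = 0; i < npending; i++) {
        struct peer *p = pending[i].peer;
        if (p->destroyed)
            used_after_destroy++;
        else
            pending[i].cb(p);
        if (pending[i].holds_ref)
            peer_unref(p);
    }
    npending = 0;
    return used_after_destroy;
}

/* Owner schedules a poke callback, then drops its reference before the scheduler
 * runs.  Returns the use-after-destroy count; *destroyed_at_end reports whether
 * the peer was eventually torn down (so the fixed path does not leak). */
int run_scenario(bool fixed, int *destroyed_at_end)
{
    struct peer p;
    int bad;

    npending = 0;
    peer_init(&p, "branch-office");
    if (fixed)
        sched_add_safe(poke_noanswer, &p);
    else
        sched_add_unsafe(poke_noanswer, &p);
    peer_unref(&p);              /* owner lets go while the callback is still pending */
    bad = sched_run_pending();
    *destroyed_at_end = p.destroyed ? 1 : 0;
    return bad;
}

int main(void)
{
    int d;
    int bad = run_scenario(false, &d);
    printf("unsafe: %d callback(s) ran on a destroyed peer\n", bad);
    bad = run_scenario(true, &d);
    printf("safe:   %d callback(s) ran on a destroyed peer, destroyed at end=%d, log=\"%s\"\n",
           bad, d, last_log_line());
    return 0;
}
```

The model is single-threaded on purpose: the scheduler queue stands in for the scheduler thread, and "owner releases before the queue drains" is the interleaving that the real race only hits occasionally (the reporter's roughly 1-in-10). The invariant the fix restores is that every pointer the scheduler keeps is backed by a counted reference, so the refcount cannot reach zero while a callback can still dereference the peer.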