Summary: | ASTERISK-10783: When invalid IP address is specified chan_iax2 crashes. | ||
Reporter: | Jon Creasy (johann8384) | Labels: | |
Date Opened: | 2007-11-15 16:56:28.000-0600 | Date Closed: | 2011-06-07 14:00:52 |
Priority: | Critical | Regression? | No |
Status: | Closed/Complete | Components: | Channels/chan_iax2 |
Versions: | Frequency of Occurrence | ||
Related Issues: | |||
Environment: | Attachments: | ||
Description: | Asterisk SVN-branch-1.4-r80895, Copyright (C) 1999 - 2007 Digium, Inc. and others. Created by Mark Spencer <markster@digium.com> Asterisk comes with ABSOLUTELY NO WARRANTY; type 'core show warranty' for details. This is free software, with components licensed under the GNU General Public License version 2 and other licenses; you are welcome to redistribute it under certain conditions. Type 'core show license' for details. ========================================================================= Connected to Asterisk SVN-branch-1.4-r80895 currently running on lindberg (pid = 9901) -- Remote UNIX connection Verbosity is at least 3 lindberg*CLI> *** glibc detected *** double free or corruption (fasttop): 0x0847b7c0 *** [Nov 15 22:20:53] WARNING[9916]: acl.c:245 ast_get_ip_or_srv: Unable to lookup '99.266.131.41' lindberg*CLI> /usr/sbin/safe_asterisk: line 60: 9901 Aborted (core dumped) nice -n $PRIORITY asterisk ${CLIARGS} ${ASTARGS} >&/dev/${TTY} </dev/${TTY} Disconnected from Asterisk server Asterisk ended with exit status 134 Asterisk exited on signal 6. Automatically restarting Asterisk. root@lindberg:~# ****** ADDITIONAL INFORMATION ****** (gdb) backtrace #0 0xffffe410 in __kernel_vsyscall () #1 0xb7b109a1 in raise () from /lib/tls/i686/cmov/libc.so.6 #2 0xb7b122b9 in abort () from /lib/tls/i686/cmov/libc.so.6 #3 0xb7b4487a in __fsetlocking () from /lib/tls/i686/cmov/libc.so.6 #4 0xb7b4afd4 in malloc_usable_size () from /lib/tls/i686/cmov/libc.so.6 ASTERISK-1 0xb7b4b34a in free () from /lib/tls/i686/cmov/libc.so.6 ASTERISK-2 0x0815607a in peer_destructor (obj=0x846c000) at chan_iax2.c:8910 ASTERISK-3 0x08071eab in ao2_ref (user_data=0x4b, delta=-1) at astobj2.c:173 ASTERISK-4 0x0814d7c3 in build_peer (name=<value optimized out>, v=0x8464440, alt=0x0, temponly=0) at chan_iax2.c:1135 ASTERISK-5 0x0815ae76 in realtime_peer (peername=0x8464385 "skytelnet17", sin=0x0) at chan_iax2.c:2694 ASTERISK-6 0x08159d05 in find_callno (callno=5, dcallno=0, sin=0xb7704330, new=1, sockfd=0) at chan_iax2.c:1170 ASTERISK-7 0x0815f072 in socket_process (thread=0x8458d70) at chan_iax2.c:6866 ASTERISK-8 0x08167afa in iax2_process_thread (data=0x8458d70) at chan_iax2.c:8248 ASTERISK-9 0x080f7150 in dummy_start (data=0x0) at utils.c:775 ASTERISK-10 0xb7f32341 in start_thread () from /lib/tls/i686/cmov/libpthread.so.0 ASTERISK-11 0xb7bb14ee in clone () from /lib/tls/i686/cmov/libc.so.6 (gdb) backtrace full #0 0xffffe410 in __kernel_vsyscall () No symbol table info available. #1 0xb7b109a1 in raise () from /lib/tls/i686/cmov/libc.so.6 No symbol table info available. #2 0xb7b122b9 in abort () from /lib/tls/i686/cmov/libc.so.6 No symbol table info available. #3 0xb7b4487a in __fsetlocking () from /lib/tls/i686/cmov/libc.so.6 No symbol table info available. #4 0xb7b4afd4 in malloc_usable_size () from /lib/tls/i686/cmov/libc.so.6 No symbol table info available. ASTERISK-1 0xb7b4b34a in free () from /lib/tls/i686/cmov/libc.so.6 No symbol table info available. ASTERISK-2 0x0815607a in peer_destructor (obj=0x846c000) at chan_iax2.c:8910 this = (struct ast_string_field_pool *) 0x0 prev = (struct ast_string_field_pool *) 0xb7c12adc peer = <value optimized out> ASTERISK-3 0x08071eab in ao2_ref (user_data=0x4b, delta=-1) at astobj2.c:173 current_value = <value optimized out> ret = 20 obj = (struct astobj2 *) 0x846bfd8 __PRETTY_FUNCTION__ = "ao2_ref" ASTERISK-4 0x0814d7c3 in build_peer (name=<value optimized out>, v=0x8464440, alt=0x0, temponly=0) at chan_iax2.c:1135 __zz__ = <value optimized out> peer = (struct iax2_peer *) 0x846c000 oldha = (struct ast_ha *) 0x0 maskfound = 0 found = 0 tmp_peer = {__begin_field = 0xb77019b0, name = 0x8464385 "skytelnet17", username = 0x0, secret = 0x0, dbsecret = 0x0, outkey = 0x0, regexten = 0x0, context = 0x0, peercontext = 0x0, mailbox = 0x0, mohinterpret = 0x0, mohsuggest = 0x0, inkeys = 0x0, cid_num = 0x0, cid_name = 0x0, zonetag = 0x0, __end_field = 0xb77019ec, __field_mgr = {pool = 0x0, size = 0, space = 0, used = 0}, prefs = { order = '\0' <repeats 31 times>, framing = '\0' <repeats 31 times>}, dnsmgr = 0x0, addr = {sin_family = 0, sin_port = 0, sin_addr = {s_addr = 0}, sin_zero = "\000\000\000\000\000\000\000"}, formats = 0, sockfd = 0, mask = {s_addr = 0}, adsi = 0, flags = 0, defaddr = {sin_family = 0, sin_port = 0, sin_addr = {s_addr = 0}, sin_zero = "\000\000\000\000\000\000\000"}, authmethods = 0, encmethods = 0, expire = 0, expiry = 0, capability = 0, callno = 0, pokeexpire = 0, lastms = 0, maxms = 0, pokefreqok = 0, pokefreqnotok = 0, historicms = 0, smoothing = 0, ha = 0x0} __PRETTY_FUNCTION__ = "build_peer" ASTERISK-5 0x0815ae76 in realtime_peer (peername=0x8464385 "skytelnet17", sin=0x0) at chan_iax2.c:2694 var = (struct ast_variable *) 0x846c520 tmp = (struct ast_variable *) 0x0 peer = <value optimized out> regseconds = 0 nowtime = <value optimized out> dynamic = <value optimized out> __PRETTY_FUNCTION__ = "realtime_peer" ASTERISK-6 0x08159d05 in find_callno (callno=5, dcallno=0, sin=0xb7704330, new=1, sockfd=0) at chan_iax2.c:1170 res = 0 x = <value optimized out> now = {tv_sec = -1217389272, tv_usec = 1} host = "°\220À·è\000\000\000P\023G\b", '\0' <repeats 16 times>, "Ü*Á· CÁ·@\016G\bÈ\034p·J³´· CÁ·@\016G\b\000\000\000\000@\016G\b\n\000\000\000(\035p·n]\025\b@\016G\b" __PRETTY_FUNCTION__ = "find_callno" ASTERISK-7 0x0815f072 in socket_process (thread=0x8458d70) at chan_iax2.c:6866 metatype = <value optimized out> sin = {sin_family = 2, sin_port = 55569, sin_addr = {s_addr = 696493667}, sin_zero = "\000\000\000\000\000\000\000"} res = 12 updatehistory = <value optimized out> new = <value optimized out> ptr = <value optimized out> dcallno = 6 fh = (struct ast_iax2_full_hdr *) 0x8458df0 cur = <value optimized out> f = {frametype = AST_FRAME_IAX, subclass = 30, datalen = 0, samples = 0, mallocd = 0, mallocd_hdr_len = 0, offset = 0, src = 0x0, data = 0x0, delivery = {tv_sec = 0, tv_usec = 0}, frame_list = { next = 0x0}, has_timing_info = 0, ts = 0, len = 0, seqno = 0} c = <value optimized out> dp = <value optimized out> ---Type <return> to continue, or q <return> to quit--- tpeer = <value optimized out> ies = {called_number = 0x0, calling_number = 0x0, calling_ani = 0x0, calling_name = 0x0, calling_ton = -1, calling_tns = -1, calling_pres = -1, called_context = 0x0, username = 0x8458dfe "+14439924010", password = 0x0, capability = 0, format = 0, codec_prefs = 0x0, language = 0x0, version = 0, adsicpe = 0, dnid = 0x0, rdnis = 0x0, authmethods = 0, encmethods = 0, challenge = 0x0, md5_result = 0x0, rsa_result = 0x0, apparent_addr = 0x0, refresh = 60, dpstatus = 0, callno = 0, cause = 0x0, causecode = 0 '\0', iax_unknown = 0 '\0', msgcount = -1, autoanswer = 0, musiconhold = 0, transferid = 0, datetime = 0, devicetype = 0x0, serviceident = 0x0, firmwarever = -1, fwdesc = 0, fwdata = 0x0, fwdatalen = 0 '\0', enckey = 0x0, enckeylen = 0 '\0', provver = 0, samprate = 1, provverpres = 0, rr_jitter = 0, rr_loss = 0, rr_pkts = 0, rr_delay = 0, rr_dropped = 0, rr_ooo = 0} ied0 = {buf = '\0' <repeats 1023 times>, pos = 0} ied1 = {buf = '\0' <repeats 1023 times>, pos = 0} format = <value optimized out> fd = 14 exists = <value optimized out> minivid = 0 empty = '\0' <repeats 31 times> duped_fr = <value optimized out> host_pref_buf = '\0' <repeats 127 times> caller_pref_buf = '\0' <repeats 127 times> pref = {order = '\0' <repeats 31 times>, framing = '\0' <repeats 16 times>, "dª´·", '\0' <repeats 11 times>} using_prefs = <value optimized out> __PRETTY_FUNCTION__ = "socket_process" ASTERISK-8 0x08167afa in iax2_process_thread (data=0x8458d70) at chan_iax2.c:8248 curelm = <value optimized out> __res = (struct iax2_thread *) 0x1 _buffer = {__routine = 0x814fb80 <iax2_process_thread_cleanup>, __arg = 0x8458d70, __canceltype = 136854760, __prev = 0xb770442c} thread = (struct iax2_thread *) 0x0 ts = {tv_sec = -1212894390, tv_nsec = -1212071136} put_into_idle = 1 ASTERISK-9 0x080f7150 in dummy_start (data=0x0) at utils.c:775 _buffer = {__routine = 0x806bda0 <ast_unregister_thread>, __arg = 0xb7704bb0, __canceltype = 0, __prev = 0x0} ret = <value optimized out> ASTERISK-10 0xb7f32341 in start_thread () from /lib/tls/i686/cmov/libpthread.so.0 No symbol table info available. ASTERISK-11 0xb7bb14ee in clone () from /lib/tls/i686/cmov/libc.so.6 No symbol table info available. (gdb) | ||
Comments: | By: Jon Creasy (johann8384) 2007-11-15 16:56:53.000-0600 We'll try to submit a patch assuming this isn't fixed in the latest version. We'll check that also. By: Jason Parker (jparker) 2007-11-15 17:08:50.000-0600 Where does the invalid IP need to be specified for this to happen? Config file? By: Tilghman Lesher (tilghman) 2007-11-15 18:10:24.000-0600 Can you replicate this as of revision 89312 or later? I made a logic fix, and I suspect that's the fix for this, but I can't be sure. By: Jon Creasy (johann8384) 2007-11-15 20:00:24.000-0600 I'll setup in the lab to replicate it. We are planning to get together tonight and knock out a fix for this, it leaves us in a really bad spot because it is so easy to do. We specified this IP in the host field in the table being used by the realtime config. I did an IAX2 reload and it crashed. I'll recreate it in the latest trunk and we'll get a patch done tonight if you haven't already gotten it. By: Tilghman Lesher (tilghman) 2007-11-15 21:47:51.000-0600 Wait... are you running 1.4 or trunk? Your output says 1.4, but you specified trunk in the version field. By: Jon Creasy (johann8384) 2007-11-15 21:49:22.000-0600 Your right, I am running 1.4 branch. Sorry. By: Tilghman Lesher (tilghman) 2007-11-15 23:19:59.000-0600 Okay, try upgrading to the most current SVN. We've fixed several memory corruption errors over the past 2 weeks. By: Jon Creasy (johann8384) 2007-11-16 01:03:44.000-0600 This issue is not present in the latest version. Sorry. |