
Summary: ASTERISK-10783: When invalid IP address is specified chan_iax2 crashes.
Reporter: Jon Creasy (johann8384)
Labels:
Date Opened: 2007-11-15 16:56:28.000-0600
Date Closed: 2011-06-07 14:00:52
Priority: Critical
Regression?: No
Status: Closed/Complete
Components: Channels/chan_iax2
Versions:
Frequency of Occurrence:
Related Issues:
Environment:
Attachments:
Description:
Asterisk SVN-branch-1.4-r80895, Copyright (C) 1999 - 2007 Digium, Inc. and others.
Created by Mark Spencer <markster@digium.com>
Asterisk comes with ABSOLUTELY NO WARRANTY; type 'core show warranty' for details.
This is free software, with components licensed under the GNU General Public
License version 2 and other licenses; you are welcome to redistribute it under
certain conditions. Type 'core show license' for details.
=========================================================================
Connected to Asterisk SVN-branch-1.4-r80895 currently running on lindberg (pid = 9901)
   -- Remote UNIX connection
Verbosity is at least 3
lindberg*CLI> *** glibc detected *** double free or corruption (fasttop): 0x0847b7c0 ***
[Nov 15 22:20:53] WARNING[9916]: acl.c:245 ast_get_ip_or_srv: Unable to lookup '99.266.131.41'
lindberg*CLI> /usr/sbin/safe_asterisk: line 60:  9901 Aborted                 (core dumped) nice -n $PRIORITY asterisk ${CLIARGS} ${ASTARGS} >&/dev/${TTY} </dev/${TTY}

Disconnected from Asterisk server
Asterisk ended with exit status 134
Asterisk exited on signal 6.
Automatically restarting Asterisk.
root@lindberg:~#

****** ADDITIONAL INFORMATION ******

(gdb) backtrace
#0  0xffffe410 in __kernel_vsyscall ()
#1  0xb7b109a1 in raise () from /lib/tls/i686/cmov/libc.so.6
#2  0xb7b122b9 in abort () from /lib/tls/i686/cmov/libc.so.6
#3  0xb7b4487a in __fsetlocking () from /lib/tls/i686/cmov/libc.so.6
#4  0xb7b4afd4 in malloc_usable_size () from /lib/tls/i686/cmov/libc.so.6
#5  0xb7b4b34a in free () from /lib/tls/i686/cmov/libc.so.6
#6  0x0815607a in peer_destructor (obj=0x846c000) at chan_iax2.c:8910
#7  0x08071eab in ao2_ref (user_data=0x4b, delta=-1) at astobj2.c:173
#8  0x0814d7c3 in build_peer (name=<value optimized out>, v=0x8464440, alt=0x0, temponly=0) at chan_iax2.c:1135
#9  0x0815ae76 in realtime_peer (peername=0x8464385 "skytelnet17", sin=0x0) at chan_iax2.c:2694
#10 0x08159d05 in find_callno (callno=5, dcallno=0, sin=0xb7704330, new=1, sockfd=0) at chan_iax2.c:1170
#11 0x0815f072 in socket_process (thread=0x8458d70) at chan_iax2.c:6866
#12 0x08167afa in iax2_process_thread (data=0x8458d70) at chan_iax2.c:8248
#13 0x080f7150 in dummy_start (data=0x0) at utils.c:775
#14 0xb7f32341 in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
#15 0xb7bb14ee in clone () from /lib/tls/i686/cmov/libc.so.6
(gdb) backtrace full
#0  0xffffe410 in __kernel_vsyscall ()
No symbol table info available.
#1  0xb7b109a1 in raise () from /lib/tls/i686/cmov/libc.so.6
No symbol table info available.
#2  0xb7b122b9 in abort () from /lib/tls/i686/cmov/libc.so.6
No symbol table info available.
#3  0xb7b4487a in __fsetlocking () from /lib/tls/i686/cmov/libc.so.6
No symbol table info available.
#4  0xb7b4afd4 in malloc_usable_size () from /lib/tls/i686/cmov/libc.so.6
No symbol table info available.
#5  0xb7b4b34a in free () from /lib/tls/i686/cmov/libc.so.6
No symbol table info available.
#6  0x0815607a in peer_destructor (obj=0x846c000) at chan_iax2.c:8910
       this = (struct ast_string_field_pool *) 0x0
       prev = (struct ast_string_field_pool *) 0xb7c12adc
       peer = <value optimized out>
#7  0x08071eab in ao2_ref (user_data=0x4b, delta=-1) at astobj2.c:173
       current_value = <value optimized out>
       ret = 20
       obj = (struct astobj2 *) 0x846bfd8
       __PRETTY_FUNCTION__ = "ao2_ref"
#8  0x0814d7c3 in build_peer (name=<value optimized out>, v=0x8464440, alt=0x0, temponly=0) at chan_iax2.c:1135
       __zz__ = <value optimized out>
       peer = (struct iax2_peer *) 0x846c000
       oldha = (struct ast_ha *) 0x0
       maskfound = 0
       found = 0
       tmp_peer = {__begin_field = 0xb77019b0, name = 0x8464385 "skytelnet17", username = 0x0, secret = 0x0, dbsecret = 0x0, outkey = 0x0, regexten = 0x0, context = 0x0, peercontext = 0x0, mailbox = 0x0,
 mohinterpret = 0x0, mohsuggest = 0x0, inkeys = 0x0, cid_num = 0x0, cid_name = 0x0, zonetag = 0x0, __end_field = 0xb77019ec, __field_mgr = {pool = 0x0, size = 0, space = 0, used = 0}, prefs = {
   order = '\0' <repeats 31 times>, framing = '\0' <repeats 31 times>}, dnsmgr = 0x0, addr = {sin_family = 0, sin_port = 0, sin_addr = {s_addr = 0}, sin_zero = "\000\000\000\000\000\000\000"},
 formats = 0, sockfd = 0, mask = {s_addr = 0}, adsi = 0, flags = 0, defaddr = {sin_family = 0, sin_port = 0, sin_addr = {s_addr = 0}, sin_zero = "\000\000\000\000\000\000\000"}, authmethods = 0,
 encmethods = 0, expire = 0, expiry = 0, capability = 0, callno = 0, pokeexpire = 0, lastms = 0, maxms = 0, pokefreqok = 0, pokefreqnotok = 0, historicms = 0, smoothing = 0, ha = 0x0}
       __PRETTY_FUNCTION__ = "build_peer"
#9  0x0815ae76 in realtime_peer (peername=0x8464385 "skytelnet17", sin=0x0) at chan_iax2.c:2694
       var = (struct ast_variable *) 0x846c520
       tmp = (struct ast_variable *) 0x0
       peer = <value optimized out>
       regseconds = 0
       nowtime = <value optimized out>
       dynamic = <value optimized out>
       __PRETTY_FUNCTION__ = "realtime_peer"
#10 0x08159d05 in find_callno (callno=5, dcallno=0, sin=0xb7704330, new=1, sockfd=0) at chan_iax2.c:1170
       res = 0
       x = <value optimized out>
       now = {tv_sec = -1217389272, tv_usec = 1}
       host = "°\220À·è\000\000\000P\023G\b", '\0' <repeats 16 times>, "Ü*Á· CÁ·@\016G\bÈ\034p·J³´· CÁ·@\016G\b\000\000\000\000@\016G\b\n\000\000\000(\035p·n]\025\b@\016G\b"
       __PRETTY_FUNCTION__ = "find_callno"
#11 0x0815f072 in socket_process (thread=0x8458d70) at chan_iax2.c:6866
       metatype = <value optimized out>
       sin = {sin_family = 2, sin_port = 55569, sin_addr = {s_addr = 696493667}, sin_zero = "\000\000\000\000\000\000\000"}
       res = 12
       updatehistory = <value optimized out>
       new = <value optimized out>
       ptr = <value optimized out>
       dcallno = 6
       fh = (struct ast_iax2_full_hdr *) 0x8458df0
       cur = <value optimized out>
       f = {frametype = AST_FRAME_IAX, subclass = 30, datalen = 0, samples = 0, mallocd = 0, mallocd_hdr_len = 0, offset = 0, src = 0x0, data = 0x0, delivery = {tv_sec = 0, tv_usec = 0}, frame_list = {
   next = 0x0}, has_timing_info = 0, ts = 0, len = 0, seqno = 0}
       c = <value optimized out>
       dp = <value optimized out>
---Type <return> to continue, or q <return> to quit---
       tpeer = <value optimized out>
       ies = {called_number = 0x0, calling_number = 0x0, calling_ani = 0x0, calling_name = 0x0, calling_ton = -1, calling_tns = -1, calling_pres = -1, called_context = 0x0,
 username = 0x8458dfe "+14439924010", password = 0x0, capability = 0, format = 0, codec_prefs = 0x0, language = 0x0, version = 0, adsicpe = 0, dnid = 0x0, rdnis = 0x0, authmethods = 0, encmethods = 0,
 challenge = 0x0, md5_result = 0x0, rsa_result = 0x0, apparent_addr = 0x0, refresh = 60, dpstatus = 0, callno = 0, cause = 0x0, causecode = 0 '\0', iax_unknown = 0 '\0', msgcount = -1, autoanswer = 0,
 musiconhold = 0, transferid = 0, datetime = 0, devicetype = 0x0, serviceident = 0x0, firmwarever = -1, fwdesc = 0, fwdata = 0x0, fwdatalen = 0 '\0', enckey = 0x0, enckeylen = 0 '\0', provver = 0,
 samprate = 1, provverpres = 0, rr_jitter = 0, rr_loss = 0, rr_pkts = 0, rr_delay = 0, rr_dropped = 0, rr_ooo = 0}
       ied0 = {buf = '\0' <repeats 1023 times>, pos = 0}
       ied1 = {buf = '\0' <repeats 1023 times>, pos = 0}
       format = <value optimized out>
       fd = 14
       exists = <value optimized out>
       minivid = 0
       empty = '\0' <repeats 31 times>
       duped_fr = <value optimized out>
       host_pref_buf = '\0' <repeats 127 times>
       caller_pref_buf = '\0' <repeats 127 times>
       pref = {order = '\0' <repeats 31 times>, framing = '\0' <repeats 16 times>, "dª´·", '\0' <repeats 11 times>}
       using_prefs = <value optimized out>
       __PRETTY_FUNCTION__ = "socket_process"
#12 0x08167afa in iax2_process_thread (data=0x8458d70) at chan_iax2.c:8248
       curelm = <value optimized out>
       __res = (struct iax2_thread *) 0x1
       _buffer = {__routine = 0x814fb80 <iax2_process_thread_cleanup>, __arg = 0x8458d70, __canceltype = 136854760, __prev = 0xb770442c}
       thread = (struct iax2_thread *) 0x0
       ts = {tv_sec = -1212894390, tv_nsec = -1212071136}
       put_into_idle = 1
#13 0x080f7150 in dummy_start (data=0x0) at utils.c:775
       _buffer = {__routine = 0x806bda0 <ast_unregister_thread>, __arg = 0xb7704bb0, __canceltype = 0, __prev = 0x0}
       ret = <value optimized out>
#14 0xb7f32341 in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
No symbol table info available.
#15 0xb7bb14ee in clone () from /lib/tls/i686/cmov/libc.so.6
No symbol table info available.
(gdb)
Comments:

By: Jon Creasy (johann8384) 2007-11-15 16:56:53.000-0600

We'll try to submit a patch assuming this isn't fixed in the latest version. We'll check that also.

By: Jason Parker (jparker) 2007-11-15 17:08:50.000-0600

Where does the invalid IP need to be specified for this to happen?  Config file?

By: Tilghman Lesher (tilghman) 2007-11-15 18:10:24.000-0600

Can you replicate this as of revision 89312 or later?  I made a logic fix, and I suspect that's the fix for this, but I can't be sure.

By: Jon Creasy (johann8384) 2007-11-15 20:00:24.000-0600

I'll set up in the lab to replicate it. We are planning to get together tonight and knock out a fix for this; it leaves us in a really bad spot because it is so easy to do. We specified this IP in the host field in the table being used by the realtime config. I did an IAX2 reload and it crashed.

I'll recreate it in the latest trunk and we'll get a patch done tonight if you haven't already gotten it.

By: Tilghman Lesher (tilghman) 2007-11-15 21:47:51.000-0600

Wait... are you running 1.4 or trunk?  Your output says 1.4, but you specified trunk in the version field.

By: Jon Creasy (johann8384) 2007-11-15 21:49:22.000-0600

You're right, I am running 1.4 branch. Sorry.

By: Tilghman Lesher (tilghman) 2007-11-15 23:19:59.000-0600

Okay, try upgrading to the most current SVN.  We've fixed several memory corruption errors over the past 2 weeks.

By: Jon Creasy (johann8384) 2007-11-16 01:03:44.000-0600

This issue is not present in the latest version.


Sorry.
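
Added example, not part of the issue thread and not Asterisk code: a pre-flight check that classifies the host values of a realtime peer table before an IAX2 reload, flagging strings such as the '99.266.131.41' from the log above that look like IPv4 literals but are not valid. The function names, the enum and the sample rows are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <string.h>

/* Hypothetical classification of a realtime peer "host" value. */
enum host_kind { HOST_EMPTY, HOST_DYNAMIC, HOST_IPV4, HOST_BAD_IPV4, HOST_NAME };

/* True when the string holds only digits and dots, i.e. it was almost
 * certainly meant as an IPv4 literal rather than a hostname. */
static int looks_numeric(const char *s)
{
    for (; *s; s++)
        if (*s != '.' && !isdigit((unsigned char)*s))
            return 0;
    return 1;
}

enum host_kind classify_host(const char *host)
{
    struct in_addr addr;

    if (!host || !*host)
        return HOST_EMPTY;
    if (!strcmp(host, "dynamic"))      /* peer registers its own address */
        return HOST_DYNAMIC;
    if (looks_numeric(host))
        /* inet_pton() accepts only four dotted-decimal octets in 0..255 */
        return inet_pton(AF_INET, host, &addr) == 1 ? HOST_IPV4 : HOST_BAD_IPV4;
    return HOST_NAME;                  /* left to the resolver */
}

/* Count the rows that should be corrected before the reload is issued. */
int count_bad_hosts(const char *const *hosts, size_t n)
{
    int bad = 0;
    for (size_t i = 0; i < n; i++)
        if (classify_host(hosts[i]) == HOST_BAD_IPV4)
            bad++;
    return bad;
}

/* Constructed sample rows; only the second value comes from the log above. */
static const char *const sample_hosts[] = {
    "192.0.2.10", "99.266.131.41", "dynamic", "peer.example.net", "10.1.2",
};
```
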