
Summary: ASTERISK-11337: segfault, ast_slinfactory_read(), connected with DTMF sending?
Reporter: Stuart Henderson (stuarth)
Date Opened: 2008-01-30 05:17:24.000-0600
Date Closed: 2008-01-30 09:39:41.000-0600
Priority: Critical
Regression?: No
Status: Closed/Complete
Components: Core/General
Attachments: (0) slinfactory_read-sthen-20080130.txt
Description: segfault with the included debug log, apparently connected with DTMF sending. Looks like it's trying to memcpy out of bounds.

140         frame_data, remain * sizeof(*offset));
(gdb) print remain
$2 = 4294967256

I'll attach a thread apply all bt full.

****** ADDITIONAL INFORMATION ******

[Jan 30 11:02:41] DEBUG[24424] rtp.c: Got RTCP report of 132 bytes
[Jan 30 11:02:41] DEBUG[24424] rtp.c: Got RTCP report of 52 bytes
[Jan 30 11:02:42] DEBUG[24383] rtp.c: Got RTCP report of 52 bytes
[Jan 30 11:02:42] DEBUG[15352] chan_sip.c: Allocating new SIP dialog for (No Call-ID) - OPTIONS (No RTP)
[Jan 30 11:02:42] DEBUG[15352] chan_sip.c: Stopping retransmission on '63b6480204b131f8074f113e15452925@195.xx.xxx.85' of Request 102: Match Not Found
[Jan 30 11:02:42] DEBUG[24387] rtp.c: Got RTCP report of 52 bytes
[Jan 30 11:02:42] DEBUG[24387] rtp.c: Got RTCP report of 132 bytes
[Jan 30 11:02:42] DEBUG[24383] rtp.c: Got RTCP report of 132 bytes
[Jan 30 11:02:43] DEBUG[24397] rtp.c: Sending dtmf: 56 (8), at 213.xxx.x.134
[Jan 30 11:02:43] DEBUG[24398] audiohook.c: Failed to get 160 samples from read factory 0x9fe4b08
[Jan 30 11:02:43] DEBUG[24398] audiohook.c: Failed to get 160 samples from read factory 0x9fe4b08
[Jan 30 11:02:43] DEBUG[24398] audiohook.c: Failed to get 160 samples from read factory 0x9fe4b08
[Jan 30 11:02:43] DEBUG[24398] audiohook.c: Failed to get 160 samples from read factory 0x9fe4b08
[Jan 30 11:02:43] DEBUG[24398] audiohook.c: Failed to get 160 samples from read factory 0x9fe4b08
[Jan 30 11:02:43] DEBUG[24397] rtp.c: Sending dtmf: 56 (8), at 213.xxx.x.134
Comments:

By: Stuart Henderson (stuarth) 2008-01-30 05:22:54.000-0600

the "140 frame_data, remain * sizeof(*offset));" was garbled by mantis; should have looked like this

140     memcpy(sf->hold, frame_data, remain * sizeof(*offset));
By: Stuart Henderson (stuarth) 2008-01-30 06:49:24.000-0600

Here are the contents of a couple more vars. frame_ptr->samples - ineed == -40, which underflows the uint holding remain.

(gdb) frame 1
#1  0x080f02db in ast_slinfactory_read (sf=0x9fe4b08, buf=0x12460a0, samples=160)
   at slinfactory.c:140
140                                     memcpy(sf->hold, frame_data, remain * sizeof(*offset));
(gdb) print ineed
$1 = 80
(gdb) print samples
$2 = 160
(gdb) print sofar
$3 = 160
(gdb) print frame_data
$4 = (short int *) 0x9827698
(gdb) print frame_ptr
$5 = (struct ast_frame *) 0x9827578
(gdb) print *frame_ptr
$6 = {frametype = AST_FRAME_VOICE, subclass = 64, datalen = 80, samples = 40,
 mallocd = 1, mallocd_hdr_len = 218, offset = 64, src = 0x9827648 "alawtolin",
 data = 0x98275f8, delivery = {tv_sec = 1201690963, tv_usec = 513600}, frame_list = {
   next = 0x0}, flags = 1, ts = 692921, len = 5, seqno = 39963}
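
The underflow described in this comment, as an added example that is not Asterisk's code: a small model of the hold-buffer-plus-frame-queue read loop in ast_slinfactory_read(), with the reporter's numbers (a 40-sample frame met with ineed == 80). The names struct frame, struct factory, factory_read() and HOLD_MAX are assumed for the model; it assumes a 32-bit unsigned int, as in the report.

```c
/* Added example, not Asterisk's code: a model of the read loop in
 * ast_slinfactory_read() (hold buffer + frame queue). It reproduces the unsigned
 * subtraction behind remain == 4294967256 and the clamp that prevents the wrap. */
#include <stddef.h>
#include <string.h>

#define HOLD_MAX 1024                             /* constructed hold capacity */
struct frame { unsigned int samples; const short *data; };
struct factory { short hold[HOLD_MAX]; unsigned int holdlen; };

/* The arithmetic behind the crash: 40-sample frame, ineed == 80. Unsigned
 * subtraction wraps to 4294967256 (assumes 32-bit unsigned int), which then
 * becomes the memcpy() length. */
unsigned int buggy_remain(unsigned int frame_samples, unsigned int ineed)
{
    return frame_samples - ineed;
}

/* Deliver up to `samples` shorts into buf: leftovers in hold first, then queued
 * frames. ineed is recomputed on every pass and the copy size is clamped to
 * min(frame, ineed), so the leftover count can never go "negative". Returns
 * the samples delivered, fewer than requested if the queue runs dry. */
unsigned int factory_read(struct factory *sf, const struct frame *queue,
                          size_t nframes, short *buf, unsigned int samples)
{
    unsigned int sofar = 0;
    size_t next = 0;
    while (sofar < samples) {
        unsigned int ineed = samples - sofar;
        if (sf->holdlen) {                            /* drain leftovers first */
            unsigned int n = sf->holdlen < ineed ? sf->holdlen : ineed;
            memcpy(buf + sofar, sf->hold, n * sizeof(*buf));
            memmove(sf->hold, sf->hold + n, (sf->holdlen - n) * sizeof(*buf));
            sf->holdlen -= n;
            sofar += n;
            continue;
        }
        if (next == nframes)
            break;                                    /* queue drained: short read */
        const struct frame *f = &queue[next++];
        unsigned int n = f->samples < ineed ? f->samples : ineed;
        unsigned int remain = f->samples - n;         /* n <= samples: no wrap */
        if (remain > HOLD_MAX)
            break;                                    /* refuse rather than overrun hold */
        memcpy(buf + sofar, f->data, n * sizeof(*buf));
        memcpy(sf->hold, f->data + n, remain * sizeof(*buf));
        sf->holdlen = remain;
        sofar += n;
    }
    return sofar;
}
```

With the commit's scenario (a longer frame followed by a shorter one, and a read larger than both combined) the model returns a short read instead of splitting a frame it cannot cover.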

By: Digium Subversion (svnbot) 2008-01-30 09:38:13.000-0600

Repository: asterisk
Revision: 101222

U   branches/1.4/main/slinfactory.c

------------------------------------------------------------------------
r101222 | file | 2008-01-30 09:38:12 -0600 (Wed, 30 Jan 2008) | 4 lines

Fix an issue where if a frame of higher sample size preceded a frame of lower sample size and ast_slinfactory_read was called with a sample size of the combined values or higher a crash would happen.
(closes issue ASTERISK-11337)
Reported by: stuarth

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=101222

By: Digium Subversion (svnbot) 2008-01-30 09:39:41.000-0600

Repository: asterisk
Revision: 101223

_U  trunk/
U   trunk/main/slinfactory.c

------------------------------------------------------------------------
r101223 | file | 2008-01-30 09:39:38 -0600 (Wed, 30 Jan 2008) | 12 lines

Merged revisions 101222 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.4

........
r101222 | file | 2008-01-30 11:41:04 -0400 (Wed, 30 Jan 2008) | 4 lines

Fix an issue where if a frame of higher sample size preceded a frame of lower sample size and ast_slinfactory_read was called with a sample size of the combined values or higher a crash would happen.
(closes issue ASTERISK-11337)
Reported by: stuarth

........

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=101223