Summary: | ASTERISK-11960: [patch] Asterisk crashes when retrieving password from LDAP | ||
Reporter: | W. Michael Petullo (flyn) | Labels: | |
Date Opened: | 2008-05-02 09:25:04 | Date Closed: | 2008-06-19 12:17:13 |
Priority: | Critical | Regression? | No |
Status: | Closed/Complete | Components: | Resources/General |
Versions: | Frequency of Occurrence | ||
Related Issues: | |||
Environment: | Attachments: | ( 0) 20080613__bug12572.diff.txt | |
Description: | I have configured Asterisk to use res_ldap for its SIP and extension configuration. Asterisk is crashing when it tries to retrieve a user's password from LDAP.

1. Start asterisk in gdb.
2. Execute "asterisk -r -vvv"
3. *CLI> sip show user phone-test load

Asterisk crashes and gdb prints the following backtrace:

(gdb) ba
#0 0x0fe85030 in free () from /lib/libc.so.6
#1 0x00d4a218 in ber_memfree_x () from /usr/lib/liblber-2.4.so.2
#2 0x00d4aab4 in ber_bvfree_x () from /usr/lib/liblber-2.4.so.2
#3 0x00d4aba0 in ber_bvecfree_x () from /usr/lib/liblber-2.4.so.2
#4 0x00d4ac08 in ber_bvecfree () from /usr/lib/liblber-2.4.so.2
#5 0x0f3401f4 in ldap_value_free_len () from /usr/lib/libldap-2.4.so.2
#6 0x0e8b08a0 in realtime_ldap_result_to_vars (table_config=0x10182db8, ldap_result=0x10268f68, entries_count_ptr=0x0) at res_config_ldap.c:329
#7 0x0e8b2bac in realtime_ldap_base_ap (entries_count_ptr=0x0, basedn=<value optimized out>, table_name=0x30a3927c "sip", ap=<value optimized out>) at res_config_ldap.c:814
#8 0x0e8b3570 in realtime_ldap (basedn=<value optimized out>, table_name=<value optimized out>, ap=<value optimized out>) at res_config_ldap.c:903
#9 0x1004d860 in ast_load_realtime_helper (family=0xd5cea00 "sipusers", ap=0x30a39514) at config.c:2036
#10 0x1004dfb0 in ast_load_realtime (family=<value optimized out>) at config.c:2059
#11 0x0d59ee40 in find_user (name=0x1026902e "phone-test", realtime=1) at chan_sip.c:3786
#12 0x0d59efd8 in sip_show_user (e=<value optimized out>, cmd=<value optimized out>, a=0x30a39800) at chan_sip.c:12744
#13 0x1004859c in ast_cli_command (fd=21, s=0x30a3985c "sip show user phone-test load") at cli.c:1888
#14 0x10048840 in ast_cli_command_multiple (fd=21, size=30, s=0x30a39aac "sip show user phone-test load") at cli.c:1921
#15 0x10026b30 in netconsole (vconsole=0x10153650) at asterisk.c:1007
#16 0x100e1e88 in dummy_start (data=<value optimized out>) at utils.c:870
#17 0x0fc76e3c in start_thread () from /lib/libpthread.so.0
#18 0x0fefb670 in clone () from /lib/libc.so.6
Backtrace stopped: previous frame inner to this frame (corrupt stack?)

****** ADDITIONAL INFORMATION ******

I was tracking bug ASTERISK-11593, thinking this was the problem. However, the asterisk ChangeLog says that ASTERISK-11593 was fixed in 1.6.0-beta8, but asterisk is still crashing.

I use a PowerPC-based computer and Fedora Rawhide (pre-version 9) Linux:

asterisk-1.6.0-0.13.beta8.fc9.ppc
asterisk-ldap-1.6.0-0.13.beta8.fc9.ppc
openldap-2.4.8-3.fc9.ppc | ||
Comments: |

By: W. Michael Petullo (flyn) 2008-05-02 13:31:41

Commenting out both calls to ldap_value_free_len() in res_config_ldap.c makes the crash go away. Obviously, this is not the right solution, but it fixes the crash.

By: Gonzalo Servat (gservat) 2008-05-06 13:38:09

Any idea when this will be fixed?

By: Tilghman Lesher (tilghman) 2008-05-06 13:51:49

gservat: if you'd like to provide a patch which fixes it, I'd be happy to apply it.

By: Gonzalo Servat (gservat) 2008-05-06 14:03:08

Corydon76: I apologize, I didn't mean to sound demanding. I'll see if I can have a go at this tonight, however, I think it is a bit out of my league (I haven't played much with the Asterisk source). At least we know the problem is with the ldap_value_free_len() call.

By: W. Michael Petullo (flyn) 2008-06-13 07:16:25

The problem seems to be that two of the pointers in res_config_ldap.c are incremented by five before being freed. Searching for "+= 5" will find two occurrences of this happening in order to advance the pointer past "{md5}." This results in the pointer no longer referencing the proper memory location when passed to ldap_value_free_len.

By: Tilghman Lesher (tilghman) 2008-06-13 07:43:34

flyn: aha, that would make sense. Then this patch fixes it?

By: W. Michael Petullo (flyn) 2008-06-13 18:51:02

I tried the patch, but still got a segfault with it. I noticed that you moved from using a while loop to a for loop. I also noticed that you left an errant v++ (the v++ should be in the for statement only now). I removed this, but now asterisk crashes with an "illegal instruction" error. This seems to be a new issue because it remains even if I comment out the calls to ldap_value_free_len.

Now, here is the strange thing. Assuming I removed the errant "v++" mentioned above, if I add a "printf("foo\n");" to the realtime_ldap_result_to_vars function between:

    if (strncasecmp(valptr, "{md5}", 5) == 0) {

and:

    valptr += 5;

then the "illegal instruction" error goes away and the realtime LDAP driver works.

By: Digium Subversion (svnbot) 2008-06-19 12:15:54

Repository: asterisk
Revision: 123952

U trunk/res/res_config_ldap.c

------------------------------------------------------------------------
r123952 | tilghman | 2008-06-19 12:15:51 -0500 (Thu, 19 Jun 2008) | 6 lines

Don't change pointers that need to be later passed back for deallocation.

(closes issue ASTERISK-11960)
Reported by: flyn
Patches:
20080613__bug12572.diff.txt uploaded by Corydon76 (license 14)

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=123952

By: Digium Subversion (svnbot) 2008-06-19 12:17:13

Repository: asterisk
Revision: 123958

_U branches/1.6.0/
U branches/1.6.0/res/res_config_ldap.c

------------------------------------------------------------------------
r123958 | tilghman | 2008-06-19 12:17:10 -0500 (Thu, 19 Jun 2008) | 14 lines

Merged revisions 123952 via svnmerge from
https://origsvn.digium.com/svn/asterisk/trunk

........
r123952 | tilghman | 2008-06-19 12:22:27 -0500 (Thu, 19 Jun 2008) | 6 lines

Don't change pointers that need to be later passed back for deallocation.

(closes issue ASTERISK-11960)
Reported by: flyn
Patches:
20080613__bug12572.diff.txt uploaded by Corydon76 (license 14)
........

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=123958 |
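
The ownership rule behind r123952 ("Don't change pointers that need to be later passed back for deallocation"), as an added C example that is not Asterisk's code and not part of the original issue. The names struct val, xalloc, make_values, free_values, skip_md5 and load_secrets are hypothetical; free_values stands in for ldap_value_free_len(), and the sample strings are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Hypothetical stand-in for one libldap value (not the real struct berval). */
struct val { size_t len; char *data; };
static void *xalloc(size_t n) { void *p = calloc(1, n); if (!p) abort(); return p; }

/* Build an owned, NULL-terminated value array from constructed samples. */
static struct val **make_values(const char *const *src, size_t n) {
    struct val **vals = xalloc((n + 1) * sizeof(*vals));
    for (size_t i = 0; i < n; i++) {
        vals[i] = xalloc(sizeof(**vals));
        vals[i]->len = strlen(src[i]);
        vals[i]->data = xalloc(vals[i]->len + 1);   /* zeroed, so NUL-terminated */
        memcpy(vals[i]->data, src[i], vals[i]->len);
    }
    return vals;
}

/* Stand-in for ldap_value_free_len(): needs the exact allocator addresses. */
static void free_values(struct val **vals) {
    for (struct val **v = vals; *v; v++) { free((*v)->data); free(*v); }
    free(vals);
}

/* Read-only view past a "{md5}" prefix; the owning pointer is untouched. */
static const char *skip_md5(const struct val *v) {
    return (v->len >= 5 && strncasecmp(v->data, "{md5}", 5) == 0) ? v->data + 5 : v->data;
}

/* Returns how many values carried the prefix; out gets the last value, stripped. */
int load_secrets(const char *const *src, size_t n, char *out, size_t outsz) {
    struct val **vals = make_values(src, n);
    int stripped = 0;
    for (size_t i = 0; i < n; i++) {
        const char *view = skip_md5(vals[i]);       /* cursor, not the owner */
        stripped += (view != vals[i]->data);
        snprintf(out, outsz, "%s", view);
    }
    free_values(vals);  /* crash pattern: `vals[i]->data += 5;` before this call */
    return stripped;
}

int main(void) {
    const char *const sample[] = { "cleartext", "{md5}0123abcd" }; /* constructed */
    char out[64];
    printf("%d %s\n", load_secrets(sample, 2, out, sizeof out), out);
}
```

Building with -fsanitize=address and temporarily restoring the `+= 5` on the owning pointer makes the allocator report the invalid free at the call site instead of crashing later inside free().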