
Summary: ASTERISK-11960: [patch] Asterisk crashes when retrieving password from LDAP
Reporter: W. Michael Petullo (flyn)
Labels:
Date Opened: 2008-05-02 09:25:04
Date Closed: 2008-06-19 12:17:13
Priority: Critical
Regression?: No
Status: Closed/Complete
Components: Resources/General
Versions:
Frequency of Occurrence:
Related Issues:
Environment:
Attachments: ( 0) 20080613__bug12572.diff.txt
Description: I have configured Asterisk to use res_ldap for its SIP and extension configuration. Asterisk is crashing when it tries to retrieve a user's password from LDAP.

1. Start asterisk in gdb.
2. Execute "asterisk -r -vvv"
3. *CLI> sip show user phone-test load

Asterisk crashes and gdb prints the following backtrace:

(gdb) ba
#0  0x0fe85030 in free () from /lib/libc.so.6
#1  0x00d4a218 in ber_memfree_x () from /usr/lib/liblber-2.4.so.2
#2  0x00d4aab4 in ber_bvfree_x () from /usr/lib/liblber-2.4.so.2
#3  0x00d4aba0 in ber_bvecfree_x () from /usr/lib/liblber-2.4.so.2
#4  0x00d4ac08 in ber_bvecfree () from /usr/lib/liblber-2.4.so.2
#5  0x0f3401f4 in ldap_value_free_len () from /usr/lib/libldap-2.4.so.2
#6  0x0e8b08a0 in realtime_ldap_result_to_vars (table_config=0x10182db8, ldap_result=0x10268f68,
   entries_count_ptr=0x0) at res_config_ldap.c:329
#7  0x0e8b2bac in realtime_ldap_base_ap (entries_count_ptr=0x0, basedn=<value optimized out>,
   table_name=0x30a3927c "sip", ap=<value optimized out>) at res_config_ldap.c:814
#8  0x0e8b3570 in realtime_ldap (basedn=<value optimized out>, table_name=<value optimized out>,
   ap=<value optimized out>) at res_config_ldap.c:903
#9  0x1004d860 in ast_load_realtime_helper (family=0xd5cea00 "sipusers", ap=0x30a39514)
   at config.c:2036
#10 0x1004dfb0 in ast_load_realtime (family=<value optimized out>) at config.c:2059
#11 0x0d59ee40 in find_user (name=0x1026902e "phone-test", realtime=1) at chan_sip.c:3786
#12 0x0d59efd8 in sip_show_user (e=<value optimized out>, cmd=<value optimized out>, a=0x30a39800)
   at chan_sip.c:12744
#13 0x1004859c in ast_cli_command (fd=21, s=0x30a3985c "sip show user phone-test load")
   at cli.c:1888
#14 0x10048840 in ast_cli_command_multiple (fd=21, size=30,
   s=0x30a39aac "sip show user phone-test load") at cli.c:1921
#15 0x10026b30 in netconsole (vconsole=0x10153650) at asterisk.c:1007
#16 0x100e1e88 in dummy_start (data=<value optimized out>) at utils.c:870
#17 0x0fc76e3c in start_thread () from /lib/libpthread.so.0
#18 0x0fefb670 in clone () from /lib/libc.so.6
Backtrace stopped: previous frame inner to this frame (corrupt stack?)

****** ADDITIONAL INFORMATION ******

I was tracking bug ASTERISK-11593, thinking this was the problem. However, the asterisk ChangeLog says that ASTERISK-11593 was fixed in 1.6.0-beta8, but asterisk is still crashing.

I use a PowerPC-based computer and Fedora Rawhide (pre-version 9) Linux:

asterisk-1.6.0-0.13.beta8.fc9.ppc
asterisk-ldap-1.6.0-0.13.beta8.fc9.ppc
openldap-2.4.8-3.fc9.ppc
Comments:

By: W. Michael Petullo (flyn) 2008-05-02 13:31:41

Commenting out both calls to ldap_value_free_len() in res_config_ldap.c makes the crash go away. Obviously, this is not the right solution, but it fixes the crash.

By: Gonzalo Servat (gservat) 2008-05-06 13:38:09

Any idea when this will be fixed?

By: Tilghman Lesher (tilghman) 2008-05-06 13:51:49

gservat:  if you'd like to provide a patch which fixes it, I'd be happy to apply it.

By: Gonzalo Servat (gservat) 2008-05-06 14:03:08

Corydon76: I apologize, I didn't mean to sound demanding. I'll see if I can have a go at this tonight, however, I think it is a bit out of my league (I haven't played much with the Asterisk source). At least we know the problem is with the ldap_value_free_len() call.

By: W. Michael Petullo (flyn) 2008-06-13 07:16:25

The problem seems to be that two of the pointers in res_config_ldap.c are incremented by five before being freed. Searching for "+= 5" will find two occurrences of this happening in order to advance the pointer past "{md5}." This results in the pointer no longer referencing the proper memory location when passed to ldap_value_free_len.
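
The defect this comment describes, an element of the array returned by the LDAP library being advanced past "{md5}" and then handed back to ldap_value_free_len, which calls free() on a pointer into the middle of an allocation, is illustrated below as an added example. It is not code from the Asterisk patch or from res_config_ldap.c. To run without libldap it replaces the library with a small mock that follows the same ownership contract (a struct berval with the same two fields, mock_get_values_len and mock_value_free_len); those names, copy_values_stripping_md5, pointers_unchanged, demo_md5_prefix_handling and the three sample values are all constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>   /* strncasecmp */

/* Stand-in for libldap's struct berval (same two fields as lber.h). */
struct berval {
    unsigned long bv_len;
    char *bv_val;
};

/* Mock of ldap_get_values_len(): returns a NULL-terminated array of
 * heap-allocated bervals. The real library has the same ownership rule:
 * every pointer it hands out must come back unchanged to the free routine.
 * (Constructed mock for this example, not libldap.) */
static struct berval **mock_get_values_len(const char *const *strings, size_t n)
{
    struct berval **vals = calloc(n + 1, sizeof *vals);
    if (!vals)
        return NULL;
    for (size_t i = 0; i < n; i++) {
        vals[i] = malloc(sizeof **vals);
        vals[i]->bv_len = strlen(strings[i]);
        vals[i]->bv_val = strdup(strings[i]);
    }
    vals[n] = NULL;
    return vals;
}

/* Mock of ldap_value_free_len(): free() is called on each bv_val exactly
 * as stored. If a caller had done vals[i]->bv_val += 5 to skip "{md5}",
 * this is where the report's backtrace (free -> ber_memfree_x -> ...) dies. */
static void mock_value_free_len(struct berval **vals)
{
    for (size_t i = 0; vals && vals[i]; i++) {
        free(vals[i]->bv_val);
        free(vals[i]);
    }
    free(vals);
}

/* Corrected consumer: the "{md5}" prefix is skipped through a local cursor,
 * and vals[i]->bv_val itself is never modified, so the free routine still
 * receives the original allocation start. Stripped copies go to out[]
 * (caller frees them); returns how many values carried the prefix. */
static size_t copy_values_stripping_md5(struct berval **vals, char **out, size_t max)
{
    size_t prefixed = 0;
    for (size_t i = 0; i < max && vals[i]; i++) {
        const char *valptr = vals[i]->bv_val;   /* local copy, not the array entry */
        if (strncasecmp(valptr, "{md5}", 5) == 0) {
            valptr += 5;                        /* advance the copy only */
            prefixed++;
        }
        out[i] = strdup(valptr);
    }
    return prefixed;
}

/* Self-check: every array entry still points where it did before parsing. */
static int pointers_unchanged(struct berval **vals, char *const *snapshot)
{
    for (size_t i = 0; vals[i]; i++)
        if (vals[i]->bv_val != snapshot[i])
            return 0;
    return 1;
}

/* Runs the corrected path over three constructed values and reports whether
 * the array survived untouched and the prefix was stripped from the copies.
 * Returns 1 on success, 0 on any failure. */
static int demo_md5_prefix_handling(void)
{
    /* Constructed sample values; the hex string is just an md5-shaped token. */
    static const char *const sample[] = {
        "{md5}5f4dcc3b5aa765d61d8327deb882cf99", "secret", "{MD5}abc"
    };
    struct berval **vals = mock_get_values_len(sample, 3);
    char *snapshot[3] = { vals[0]->bv_val, vals[1]->bv_val, vals[2]->bv_val };
    char *out[3] = { 0 };
    size_t prefixed = copy_values_stripping_md5(vals, out, 3);
    int ok = prefixed == 2
          && strcmp(out[0], "5f4dcc3b5aa765d61d8327deb882cf99") == 0
          && strcmp(out[1], "secret") == 0
          && strcmp(out[2], "abc") == 0
          && pointers_unchanged(vals, snapshot);
    for (int i = 0; i < 3; i++)
        free(out[i]);
    mock_value_free_len(vals);   /* safe: every bv_val is still the original pointer */
    return ok;
}

int main(void)
{
    printf("md5 prefix handling %s\n", demo_md5_prefix_handling() ? "ok" : "FAILED");
    return 0;
}
```

The same discipline applies to any library that hands out an array of heap pointers it later frees itself: walk it with a separate cursor, never with the stored element, and the free call stays well-defined. Building with AddressSanitizer (-fsanitize=address) makes the original "free of interior pointer" fail at the call site instead of deep inside the library's allocator.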

By: Tilghman Lesher (tilghman) 2008-06-13 07:43:34

flyn:  aha, that would make sense.  Then this patch fixes it?

By: W. Michael Petullo (flyn) 2008-06-13 18:51:02

I tried the patch, but still got a segfault with it.

I noticed that you moved from using a while loop to a for loop. I also noticed that you left an errant v++ (the v++ should be in the for statement only now). I removed this, but now asterisk crashes with an "illegal instruction" error. This seems to be a new issue because it remains even if I comment out the calls to ldap_value_free_len.

Now, here is the strange thing. Assuming I removed the errant "v++" mentioned above, if I add a "printf("foo\n");" to the realtime_ldap_result_to_vars function between:

if (strncasecmp(valptr, "{md5}", 5) == 0) {

and:

valptr += 5;

then the "illegal instruction" error goes away and the realtime LDAP driver works.

By: Digium Subversion (svnbot) 2008-06-19 12:15:54

Repository: asterisk
Revision: 123952

U   trunk/res/res_config_ldap.c

------------------------------------------------------------------------
r123952 | tilghman | 2008-06-19 12:15:51 -0500 (Thu, 19 Jun 2008) | 6 lines

Don't change pointers that need to be later passed back for deallocation.
(closes issue ASTERISK-11960)
Reported by: flyn
Patches:
      20080613__bug12572.diff.txt uploaded by Corydon76 (license 14)

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=123952

By: Digium Subversion (svnbot) 2008-06-19 12:17:13

Repository: asterisk
Revision: 123958

_U  branches/1.6.0/
U   branches/1.6.0/res/res_config_ldap.c

------------------------------------------------------------------------
r123958 | tilghman | 2008-06-19 12:17:10 -0500 (Thu, 19 Jun 2008) | 14 lines

Merged revisions 123952 via svnmerge from
https://origsvn.digium.com/svn/asterisk/trunk

........
r123952 | tilghman | 2008-06-19 12:22:27 -0500 (Thu, 19 Jun 2008) | 6 lines

Don't change pointers that need to be later passed back for deallocation.
(closes issue ASTERISK-11960)
Reported by: flyn
Patches:
      20080613__bug12572.diff.txt uploaded by Corydon76 (license 14)

........

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=123958