Summary: ASTERISK-12576: [patch] asterisk crashes when SPRINTF function has too few arguments
Reporter: adomjan (adomjan)
Labels:
Date Opened: 2008-08-13 09:47:44
Date Closed: 2008-08-15 09:42:38
Priority: Critical
Regression?: No
Status: Closed/Complete
Components: Functions/General
Versions:
Frequency of Occurrence:
Related Issues:
Environment:
Attachments:
  (0) 20080813__bug13299.diff.txt
  (1) func_strings.c-sprintf.patch

Description:

reproduce:

  Set(num=5)
  Set(string="a%ib%ic%id")
  NoOP(${SPRINTF("${string}",${num},${num})})

crash:

  ==27040==
  ==27040== Thread 30:
  ==27040== Invalid read of size 1
  ==27040==    at 0x30F087AD30: rawmemchr (in /lib64/libc-2.5.so)
  ==27040==    by 0x30F086EE19: _IO_str_init_static_internal (in /lib64/libc-2.5.so)
  ==27040==    by 0x30F0863794: vsscanf (in /lib64/libc-2.5.so)
  ==27040==    by 0x30F085EAF7: sscanf (in /lib64/libc-2.5.so)
  ==27040==    by 0xF2C95BA: ??? (func_strings.c:499)
  ==27040==    by 0x49BCCA: ast_func_read (pbx.c:2774)
  ==27040==    by 0x49F6EF: pbx_substitute_variables_helper_full (pbx.c:2908)
  ==27040==    by 0x4A17F6: pbx_extension_helper (pbx.c:3000)
  ==27040==    by 0x4A3C38: __ast_pbx_run (pbx.c:3598)
  ==27040==    by 0x4A4FA8: pbx_thread (pbx.c:3948)
  ==27040==    by 0x4D8C8B: dummy_start (utils.c:917)
  ==27040==    by 0x30F1406306: start_thread (in /lib64/libpthread-2.5.so)
  ==27040==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
  ==27040==
  ==27040== Process terminating with default action of signal 11 (SIGSEGV): dumping core
  ==27040==  Access not within mapped region at address 0x0
  ==27040==    at 0x30F087AD30: rawmemchr (in /lib64/libc-2.5.so)
  ==27040==    by 0x30F086EE19: _IO_str_init_static_internal (in /lib64/libc-2.5.so)
  ==27040==    by 0x30F0863794: vsscanf (in /lib64/libc-2.5.so)
  ==27040==    by 0x30F085EAF7: sscanf (in /lib64/libc-2.5.so)
  ==27040==    by 0xF2C95BA: ??? (func_strings.c:499)
  ==27040==    by 0x49BCCA: ast_func_read (pbx.c:2774)
  ==27040==    by 0x49F6EF: pbx_substitute_variables_helper_full (pbx.c:2908)
  ==27040==    by 0x4A17F6: pbx_extension_helper (pbx.c:3000)
  ==27040==    by 0x4A3C38: __ast_pbx_run (pbx.c:3598)
  ==27040==    by 0x4A4FA8: pbx_thread (pbx.c:3948)
  ==27040==    by 0x4D8C8B: dummy_start (utils.c:917)
  ==27040==    by 0x30F1406306: start_thread (in /lib64/libpthread-2.5.so)
  ==27040==
Comments:

By: adomjan (adomjan) 2008-08-14 03:38:51

I found another bug in SPRINTF; in some cases it returns a longer string than expected.

dialplan (ael):

  i=1;
  vars="route_%i_skbk,route_%i_name,route_%i_metric";
  NoOP(${SPRINTF("${vars}",${i},${i},${i})});

the result:

  [Aug 14 10:41:33]     -- Executing [5238@test-nums:3] Set("SIP/teszt-3622622222-095eada0", "i=1") in new stack
  [Aug 14 10:41:33]     -- Executing [5238@test-nums:4] Set("SIP/teszt-3622622222-095eada0", "vars="route_%i_skbk,route_%i_name,route_%i_metric"") in new stack
  [Aug 14 10:41:33]     -- Executing [5238@test-nums:5] NoOp("SIP/teszt-3622622222-095eada0", "route_1_skbk,route_1_name,route_1_metricv??*") in new stack

By: adomjan (adomjan) 2008-08-15 09:03:50

I fixed the missing '\0' string termination, patch uploaded.

By: Digium Subversion (svnbot) 2008-08-15 09:42:35

Repository: asterisk
Revision: 138023

U   branches/1.4/funcs/func_strings.c

------------------------------------------------------------------------
r138023 | tilghman | 2008-08-15 09:42:32 -0500 (Fri, 15 Aug 2008) | 8 lines

Additional check for more string specifiers than arguments.

(closes issue ASTERISK-12576)
Reported by: adomjan
Patches:
      20080813__bug13299.diff.txt uploaded by Corydon76 (license 14)
      func_strings.c-sprintf.patch uploaded by adomjan (license 487)
Tested by: adomjan
------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=138023
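The two defects reported in this issue, a format string with more conversion specifiers than arguments (the NULL read inside sscanf) and an output buffer left without its terminating '\0' (the garbage tail after "route_1_metric"), as an added C illustration that is not Asterisk's func_strings.c or either attached patch: a small dialplan-style formatter (the names dialplan_sprintf, append and the FMT_* codes are assumed) that checks the remaining argument count before every conversion and terminates its output on every return path.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Result codes of this illustrative formatter (assumed names, not Asterisk's). */
enum { FMT_OK = 0, FMT_TOO_FEW_ARGS = -1, FMT_BAD_SPEC = -2, FMT_TRUNCATED = -3 };

/* Append n bytes of s to out, keeping room for the NUL; out is terminated on every path. */
static int append(char *out, size_t outlen, size_t *pos, const char *s, size_t n)
{
    if (*pos + n >= outlen) { out[*pos] = '\0'; return FMT_TRUNCATED; }
    memcpy(out + *pos, s, n);
    *pos += n;
    out[*pos] = '\0';
    return FMT_OK;
}

/* Format fmt with the string arguments args[0..nargs-1], as a dialplan SPRINTF()
 * receives them. Supports %i/%d (parsed with strtol), %s and %%. Each conversion
 * is checked against the remaining argument count before an argument is consumed,
 * so "a%ib%ic%id" with two arguments stops with FMT_TOO_FEW_ARGS instead of
 * handing a missing (NULL) argument on to the C library. */
int dialplan_sprintf(char *out, size_t outlen, const char *fmt,
                     const char *const *args, int nargs)
{
    size_t pos = 0; int argi = 0, rc; char num[32];
    if (outlen == 0) return FMT_TRUNCATED;
    out[0] = '\0';
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') {
            rc = append(out, outlen, &pos, p, 1);
        } else if (p[1] == '%') {
            rc = append(out, outlen, &pos, "%", 1); p++;
        } else if (argi >= nargs) {
            return FMT_TOO_FEW_ARGS;          /* more specifiers than arguments */
        } else if (p[1] == 'i' || p[1] == 'd') {
            int n = snprintf(num, sizeof num, "%ld", strtol(args[argi++], NULL, 10));
            rc = append(out, outlen, &pos, num, (size_t)n); p++;
        } else if (p[1] == 's') {
            const char *s = args[argi++];
            rc = append(out, outlen, &pos, s, strlen(s)); p++;
        } else {
            return FMT_BAD_SPEC;              /* unsupported conversion */
        }
        if (rc != FMT_OK) return rc;
    }
    return FMT_OK;
}
```

On the reporter's first case the function returns FMT_TOO_FEW_ARGS with "a5b5c" left in the buffer; on the second it returns exactly "route_1_skbk,route_1_name,route_1_metric" with no trailing bytes.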