
Summary: ASTERISK-14854: [patch] Crash when freeing buffer in update_curl
Reporter: Atis Lezdins (atis)
Labels:
Date Opened: 2010-07-06 08:54:53
Date Closed: 2010-07-29 16:08:13
Priority: Critical
Regression?: No
Status: Closed/Complete
Components: Resources/res_config_curl
Versions:
Frequency of Occurrence:
Related Issues:
Environment:
Attachments: ( 0) 20100729__issue17590.diff.txt
             ( 1) bt_res_config_curl.txt
             ( 2) valgrind.txt
Description: free(buffer) causes crash with signal 6 Aborted.

The HTTP message is clearly wrong, as it contains a PHP error, but this shouldn't crash Asterisk.

       bufsize = 100
       buffer = 0x937c060 "1<br />\n<b>Fatal error</b>:  Call to undefined function ast_sip_prune_rt() in <b>/opt/voip/web/curl_"
       __PRETTY_FUNCTION__ = "update_curl"


****** ADDITIONAL INFORMATION ******

#5  0x0017dcd0 in free () from /lib/i686/nosegneg/libc.so.6
#6  0x008c4a02 in update_curl (url=0xb7dd0980 "http://config.domain/curl_config", unused=0xb7dd0880 "sippeers", keyfield=0xf718db "name", lookup=0x9380890 "90024", ap=0xb7dd0ad8 "") at res_config_curl.c:269
#7  0x080af3da in ast_update_realtime (family=0xf71888 "sippeers", keyfield=0xf718db "name", lookup=0x9380890 "90024") at config.c:2226
#8  0x00f05951 in realtime_update_peer (peername=0x9380890 "90024", sin=0x9380a0c, defaultuser=0x937eebb "90024", fullcontact=0x937eec1 "sip:90024@192.168.212.208:5060", useragent=0x937eee0 "Linksys/PAP2-3.1.9(LSc)", expirey=3600, deprecated_username=1, lastms=0) at chan_sip.c:4571
#9  0x00f0620c in update_peer (p=0x9380890, expire=3600) at chan_sip.c:4702
Comments:

By: Tilghman Lesher (tilghman) 2010-07-07 11:04:27

We require a complete debug log to help triage the issue.

This document will provide instructions on how to collect debugging logs from an Asterisk machine for the purpose of helping bug marshals troubleshoot an issue:

http://svn.digium.com/svn/asterisk/trunk/doc/valgrind.txt


By: Atis Lezdins (atis) 2010-07-08 10:22:38

I'm still testing to see if it would crash under valgrind, but this could be related:

==20536== Thread 9:
==20536== Invalid write of size 1
==20536==    at 0x8100B4F: pbx_substitute_variables_helper_full (pbx.c:3534)
==20536==    by 0x8100E61: pbx_substitute_variables_helper (pbx.c:3601)
==20536==    by 0x46449C1: update_curl (res_config_curl.c:261)
==20536==    by 0x80AF3D9: ast_update_realtime (config.c:2226)
==20536==    by 0x4B82950: realtime_update_peer (chan_sip.c:4571)
==20536==    by 0x4B8320B: update_peer (chan_sip.c:4702)
==20536==    by 0x4BAAFC8: register_verify (chan_sip.c:13051)
==20536==    by 0x4BD46B5: handle_request_register (chan_sip.c:21509)
==20536==    by 0x4BD5580: handle_incoming (chan_sip.c:21726)
==20536==    by 0x4BD6502: handle_request_do (chan_sip.c:22014)
==20536==    by 0x4BD5DFE: sipsock_read (chan_sip.c:21908)
==20536==    by 0x80E30A8: ast_io_wait (io.c:288)
==20536==  Address 0x4CBCA34 is 0 bytes after a block of size 100 alloc'd
==20536==    at 0x4022525: malloc (vg_replace_malloc.c:149)
==20536==    by 0x81558F4: _ast_malloc (utils.h:439)
==20536==    by 0x46447F9: update_curl (res_config_curl.c:243)
==20536==    by 0x80AF3D9: ast_update_realtime (config.c:2226)
==20536==    by 0x4B82950: realtime_update_peer (chan_sip.c:4571)
==20536==    by 0x4B8320B: update_peer (chan_sip.c:4702)
==20536==    by 0x4BAAFC8: register_verify (chan_sip.c:13051)
==20536==    by 0x4BD46B5: handle_request_register (chan_sip.c:21509)
==20536==    by 0x4BD5580: handle_incoming (chan_sip.c:21726)
==20536==    by 0x4BD6502: handle_request_do (chan_sip.c:22014)
==20536==    by 0x4BD5DFE: sipsock_read (chan_sip.c:21908)
==20536==    by 0x80E30A8: ast_io_wait (io.c:288)
==20536==
==20536== Invalid read of size 1
==20536==    at 0x4023733: rawmemchr (mc_replace_strmem.c:547)
==20536==    by 0x4251F65: _IO_str_init_static_internal (in /lib/libc-2.7.so)
==20536==    by 0x42460A2: vsscanf (in /lib/libc-2.7.so)
==20536==    by 0x4240DAD: sscanf (in /lib/libc-2.7.so)
==20536==    by 0x46449F6: update_curl (res_config_curl.c:267)
==20536==    by 0x80AF3D9: ast_update_realtime (config.c:2226)
==20536==    by 0x4B82950: realtime_update_peer (chan_sip.c:4571)
==20536==    by 0x4B8320B: update_peer (chan_sip.c:4702)
==20536==    by 0x4BAAFC8: register_verify (chan_sip.c:13051)
==20536==    by 0x4BD46B5: handle_request_register (chan_sip.c:21509)
==20536==    by 0x4BD5580: handle_incoming (chan_sip.c:21726)
==20536==    by 0x4BD6502: handle_request_do (chan_sip.c:22014)
==20536==  Address 0x4CBCA34 is 0 bytes after a block of size 100 alloc'd
==20536==    at 0x4022525: malloc (vg_replace_malloc.c:149)
==20536==    by 0x81558F4: _ast_malloc (utils.h:439)
==20536==    by 0x46447F9: update_curl (res_config_curl.c:243)
==20536==    by 0x80AF3D9: ast_update_realtime (config.c:2226)
==20536==    by 0x4B82950: realtime_update_peer (chan_sip.c:4571)
==20536==    by 0x4B8320B: update_peer (chan_sip.c:4702)
==20536==    by 0x4BAAFC8: register_verify (chan_sip.c:13051)
==20536==    by 0x4BD46B5: handle_request_register (chan_sip.c:21509)
==20536==    by 0x4BD5580: handle_incoming (chan_sip.c:21726)
==20536==    by 0x4BD6502: handle_request_do (chan_sip.c:22014)
==20536==    by 0x4BD5DFE: sipsock_read (chan_sip.c:21908)
==20536==    by 0x80E30A8: ast_io_wait (io.c:288)

By: Atis Lezdins (atis) 2010-07-09 05:17:51

Valgrind log attached. It didn't crash for 20 hours with some random garbage added to the HTTP response.

By: Tilghman Lesher (tilghman) 2010-07-29 11:31:09

Okay, WHAT are you returning to the update command that you're exceeding the 100 byte buffer?  You're only supposed to return an integer of how many rows were affected.  That's 12 bytes long, maximum, and it's unlikely you should ever return more than 2 bytes.
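
An added illustration in C (not Asterisk's code and not the patch from r280556) of the buffer/length mismatch that the valgrind trace and the "Off-by-one error" commit point at: a hypothetical substitution helper that needs count + 1 bytes of storage, a canary check showing why passing the full buffer size as the count writes one byte past a 100-byte block, and a strict row-count parser for the integer-only response Tilghman describes. The helper name, the canary approach and the sample body are assumptions made for this example.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample body: not a row count, and longer than the issue's 100-byte buffer. */
static const char SAMPLE_BODY[] =
    "1<br />\n<b>Fatal error</b>: constructed sample body that is longer "
    "than the one hundred byte response buffer used in the issue";

/* Hypothetical stand-in for the substitution helper: copies at most `count`
 * bytes and writes the NUL at out[count], so the caller must own count + 1 bytes. */
static void substitute_helper(char *out, const char *in, size_t count)
{
    size_t n = strlen(in) > count ? count : strlen(in);
    memcpy(out, in, n);
    out[n] = '\0';
}

/* Calls the helper into `bufsize` usable bytes plus one canary byte we own, so the
 * off-by-one is observed without corrupting heap metadata (what made free() abort).
 * Returns 1 if the canary was overwritten, 0 if not, -1 on allocation failure. */
static int overflows_by_one(size_t bufsize, size_t count, const char *input)
{
    char *buf = malloc(bufsize + 1);
    if (!buf) return -1;
    buf[bufsize] = (char)0xA5;              /* canary just past the intended buffer */
    substitute_helper(buf, input, count);
    int clobbered = (buf[bufsize] != (char)0xA5);
    free(buf);
    return clobbered;                       /* 1 when count == bufsize and input is long */
}

/* Only an integer row count is expected; sscanf("%d") would accept the leading "1"
 * of an HTML error page. Require digits followed by nothing but whitespace. */
static int parse_rowcount(const char *buf, long *rows)
{
    char *end;
    errno = 0;
    long v = strtol(buf, &end, 10);
    if (end == buf || errno == ERANGE || v < 0) return 0;
    end += strspn(end, " \t\r\n");
    if (*end != '\0') return 0;
    *rows = v;
    return 1;
}
```

With `count == bufsize` the canary is hit exactly as valgrind reports ("0 bytes after a block of size 100"); with `count == bufsize - 1` it is not, and the error body is rejected instead of being read as "1 row affected".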

By: Digium Subversion (svnbot) 2010-07-29 16:07:02

Repository: asterisk
Revision: 280556

U   branches/1.6.2/res/res_config_curl.c

------------------------------------------------------------------------
r280556 | tilghman | 2010-07-29 16:07:01 -0500 (Thu, 29 Jul 2010) | 7 lines

Off-by-one error

(closes issue ASTERISK-14854)
Reported by: atis
Patches:
      20100729__issue17590.diff.txt uploaded by tilghman (license 14)

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=280556

By: Digium Subversion (svnbot) 2010-07-29 16:08:13

Repository: asterisk
Revision: 280558

_U  branches/1.8/

------------------------------------------------------------------------
r280558 | tilghman | 2010-07-29 16:08:12 -0500 (Thu, 29 Jul 2010) | 13 lines

Blocked revisions 280556 via svnmerge

........
 r280556 | tilghman | 2010-07-29 16:07:03 -0500 (Thu, 29 Jul 2010) | 7 lines
 
 Off-by-one error
 
 (closes issue ASTERISK-14854)
  Reported by: atis
  Patches:
        20100729__issue17590.diff.txt uploaded by tilghman (license 14)
........

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=280558