Summary: ASTERISK-14854: [patch] Crash when freeing buffer in update_curl
Reporter: Atis Lezdins (atis)
Labels:
Date Opened: 2010-07-06 08:54:53
Date Closed: 2010-07-29 16:08:13
Priority: Critical
Regression?: No
Status: Closed/Complete
Components: Resources/res_config_curl
Versions:
Frequency of Occurrence:
Related Issues:
Environment:
Attachments:
  (0) 20100729__issue17590.diff.txt
  (1) bt_res_config_curl.txt
  (2) valgrind.txt
Description:

free(buffer) causes a crash with signal 6 (Aborted). The HTTP message is clearly wrong, as it contains a PHP error, but this shouldn't crash Asterisk.

    bufsize = 100
    buffer = 0x937c060 "1<br />\n<b>Fatal error</b>: Call to undefined function ast_sip_prune_rt() in <b>/opt/voip/web/curl_"
    __PRETTY_FUNCTION__ = "update_curl"

****** ADDITIONAL INFORMATION ******

    #5  0x0017dcd0 in free () from /lib/i686/nosegneg/libc.so.6
    #6  0x008c4a02 in update_curl (url=0xb7dd0980 "http://config.domain/curl_config", unused=0xb7dd0880 "sippeers", keyfield=0xf718db "name", lookup=0x9380890 "90024", ap=0xb7dd0ad8 "") at res_config_curl.c:269
    #7  0x080af3da in ast_update_realtime (family=0xf71888 "sippeers", keyfield=0xf718db "name", lookup=0x9380890 "90024") at config.c:2226
    #8  0x00f05951 in realtime_update_peer (peername=0x9380890 "90024", sin=0x9380a0c, defaultuser=0x937eebb "90024", fullcontact=0x937eec1 "sip:90024@192.168.212.208:5060", useragent=0x937eee0 "Linksys/PAP2-3.1.9(LSc)", expirey=3600, deprecated_username=1, lastms=0) at chan_sip.c:4571
    #9  0x00f0620c in update_peer (p=0x9380890, expire=3600) at chan_sip.c:4702
Comments:

By: Tilghman Lesher (tilghman) 2010-07-07 11:04:27

We require a complete debug log to help triage the issue. This document will provide instructions on how to collect debugging logs from an Asterisk machine for the purpose of helping bug marshals troubleshoot an issue: http://svn.digium.com/svn/asterisk/trunk/doc/valgrind.txt

By: Atis Lezdins (atis) 2010-07-08 10:22:38

I'm still testing to see if it would crash under valgrind, but this could be related:

    ==20536== Thread 9:
    ==20536== Invalid write of size 1
    ==20536==    at 0x8100B4F: pbx_substitute_variables_helper_full (pbx.c:3534)
    ==20536==    by 0x8100E61: pbx_substitute_variables_helper (pbx.c:3601)
    ==20536==    by 0x46449C1: update_curl (res_config_curl.c:261)
    ==20536==    by 0x80AF3D9: ast_update_realtime (config.c:2226)
    ==20536==    by 0x4B82950: realtime_update_peer (chan_sip.c:4571)
    ==20536==    by 0x4B8320B: update_peer (chan_sip.c:4702)
    ==20536==    by 0x4BAAFC8: register_verify (chan_sip.c:13051)
    ==20536==    by 0x4BD46B5: handle_request_register (chan_sip.c:21509)
    ==20536==    by 0x4BD5580: handle_incoming (chan_sip.c:21726)
    ==20536==    by 0x4BD6502: handle_request_do (chan_sip.c:22014)
    ==20536==    by 0x4BD5DFE: sipsock_read (chan_sip.c:21908)
    ==20536==    by 0x80E30A8: ast_io_wait (io.c:288)
    ==20536==  Address 0x4CBCA34 is 0 bytes after a block of size 100 alloc'd
    ==20536==    at 0x4022525: malloc (vg_replace_malloc.c:149)
    ==20536==    by 0x81558F4: _ast_malloc (utils.h:439)
    ==20536==    by 0x46447F9: update_curl (res_config_curl.c:243)
    ==20536==    by 0x80AF3D9: ast_update_realtime (config.c:2226)
    ==20536==    by 0x4B82950: realtime_update_peer (chan_sip.c:4571)
    ==20536==    by 0x4B8320B: update_peer (chan_sip.c:4702)
    ==20536==    by 0x4BAAFC8: register_verify (chan_sip.c:13051)
    ==20536==    by 0x4BD46B5: handle_request_register (chan_sip.c:21509)
    ==20536==    by 0x4BD5580: handle_incoming (chan_sip.c:21726)
    ==20536==    by 0x4BD6502: handle_request_do (chan_sip.c:22014)
    ==20536==    by 0x4BD5DFE: sipsock_read (chan_sip.c:21908)
    ==20536==    by 0x80E30A8: ast_io_wait (io.c:288)
    ==20536==
    ==20536== Invalid read of size 1
    ==20536==    at 0x4023733: rawmemchr (mc_replace_strmem.c:547)
    ==20536==    by 0x4251F65: _IO_str_init_static_internal (in /lib/libc-2.7.so)
    ==20536==    by 0x42460A2: vsscanf (in /lib/libc-2.7.so)
    ==20536==    by 0x4240DAD: sscanf (in /lib/libc-2.7.so)
    ==20536==    by 0x46449F6: update_curl (res_config_curl.c:267)
    ==20536==    by 0x80AF3D9: ast_update_realtime (config.c:2226)
    ==20536==    by 0x4B82950: realtime_update_peer (chan_sip.c:4571)
    ==20536==    by 0x4B8320B: update_peer (chan_sip.c:4702)
    ==20536==    by 0x4BAAFC8: register_verify (chan_sip.c:13051)
    ==20536==    by 0x4BD46B5: handle_request_register (chan_sip.c:21509)
    ==20536==    by 0x4BD5580: handle_incoming (chan_sip.c:21726)
    ==20536==    by 0x4BD6502: handle_request_do (chan_sip.c:22014)
    ==20536==  Address 0x4CBCA34 is 0 bytes after a block of size 100 alloc'd
    ==20536==    at 0x4022525: malloc (vg_replace_malloc.c:149)
    ==20536==    by 0x81558F4: _ast_malloc (utils.h:439)
    ==20536==    by 0x46447F9: update_curl (res_config_curl.c:243)
    ==20536==    by 0x80AF3D9: ast_update_realtime (config.c:2226)
    ==20536==    by 0x4B82950: realtime_update_peer (chan_sip.c:4571)
    ==20536==    by 0x4B8320B: update_peer (chan_sip.c:4702)
    ==20536==    by 0x4BAAFC8: register_verify (chan_sip.c:13051)
    ==20536==    by 0x4BD46B5: handle_request_register (chan_sip.c:21509)
    ==20536==    by 0x4BD5580: handle_incoming (chan_sip.c:21726)
    ==20536==    by 0x4BD6502: handle_request_do (chan_sip.c:22014)
    ==20536==    by 0x4BD5DFE: sipsock_read (chan_sip.c:21908)
    ==20536==    by 0x80E30A8: ast_io_wait (io.c:288)

By: Atis Lezdins (atis) 2010-07-09 05:17:51

Valgrind log attached. It didn't crash for 20 hours with some random garbage added to the HTTP response.

By: Tilghman Lesher (tilghman) 2010-07-29 11:31:09

Okay, WHAT are you returning to the update command that you're exceeding the 100 byte buffer? You're only supposed to return an integer of how many rows were affected. That's 12 bytes long, maximum, and it's unlikely you should ever return more than 2 bytes.

By: Digium Subversion (svnbot) 2010-07-29 16:07:02

    Repository: asterisk
    Revision: 280556

    U   branches/1.6.2/res/res_config_curl.c

    ------------------------------------------------------------------------
    r280556 | tilghman | 2010-07-29 16:07:01 -0500 (Thu, 29 Jul 2010) | 7 lines

    Off-by-one error
    (closes issue ASTERISK-14854)
    Reported by: atis
    Patches:
          20100729__issue17590.diff.txt uploaded by tilghman (license 14)
    ------------------------------------------------------------------------

    http://svn.digium.com/view/asterisk?view=rev&revision=280556

By: Digium Subversion (svnbot) 2010-07-29 16:08:13

    Repository: asterisk
    Revision: 280558

    _U  branches/1.8/

    ------------------------------------------------------------------------
    r280558 | tilghman | 2010-07-29 16:08:12 -0500 (Thu, 29 Jul 2010) | 13 lines

    Blocked revisions 280556 via svnmerge

    ........
      r280556 | tilghman | 2010-07-29 16:07:03 -0500 (Thu, 29 Jul 2010) | 7 lines

      Off-by-one error
      (closes issue ASTERISK-14854)
      Reported by: atis
      Patches:
            20100729__issue17590.diff.txt uploaded by tilghman (license 14)
    ........
    ------------------------------------------------------------------------

    http://svn.digium.com/view/asterisk?view=rev&revision=280558
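The valgrind report above ("Invalid write of size 1 ... 0 bytes after a block of size 100") has the classic shape of a terminator written at buf[bufsize] once the response body fills the buffer, and the commit closing the issue is titled "Off-by-one error". The C program below is an added illustration of that shape and of the defensive handling a practitioner would want; it is not the code of res_config_curl.c and not the attached patch. It shows a bounded copy that reserves the terminator byte and refuses an oversized body, a strict parser that accepts only the row count Tilghman describes, and an arithmetic check of where a naive copy would put its NUL. RESPONSE_BUFSIZE, every function name and both sample bodies are constructed for this example.

```c
#include <ctype.h>
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical illustration of the bug shape in this report; not the code of
 * res_config_curl.c and not the attached patch. A fixed 100-byte heap buffer
 * receives the HTTP body of a realtime update, expected to be a row count. */
#define RESPONSE_BUFSIZE 100

/* Index at which a copy loop that always terminates at buf[copied] writes its
 * NUL. Once bodylen >= bufsize the index equals bufsize, one byte past the
 * allocation ("0 bytes after a block of size 100"). Computed arithmetically so
 * the example never performs the out-of-bounds write itself. */
size_t buggy_terminator_index(size_t bufsize, size_t bodylen)
{
    return bodylen < bufsize ? bodylen : bufsize;
}

/* Bounded copy: the last byte of buf is reserved for the terminator and a body
 * that does not fit is refused, not truncated. Returns bytes copied or -1. */
int copy_body_bounded(char *buf, size_t bufsize, const char *body, size_t bodylen)
{
    if (bufsize == 0 || bodylen > bufsize - 1) {
        if (bufsize)
            buf[0] = '\0';
        return -1;
    }
    memcpy(buf, body, bodylen);
    buf[bodylen] = '\0';
    return (int)bodylen;
}

/* Strict parse of the expected payload: a non-negative decimal integer, with
 * optional trailing whitespace. HTML, a sign or any other text is rejected. */
int parse_row_count(const char *s, long *rows)
{
    char *end;
    long v;
    if (!isdigit((unsigned char)s[0]))
        return -1;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno == ERANGE)
        return -1;
    while (*end && isspace((unsigned char)*end))
        end++;
    if (*end)
        return -1;
    *rows = v;
    return 0;
}

/* One update response end to end: 0 with *rows set, -1 if the body is
 * oversized, -2 if it is not a plain row count, -3 on allocation failure.
 * The buffer is always freed through the pointer malloc returned. */
int handle_update_response(const char *body, size_t bodylen, long *rows)
{
    char *buf = malloc(RESPONSE_BUFSIZE);
    int rc;
    if (!buf)
        return -3;
    if (copy_body_bounded(buf, RESPONSE_BUFSIZE, body, bodylen) < 0)
        rc = -1;
    else if (parse_row_count(buf, rows) < 0)
        rc = -2;
    else
        rc = 0;
    free(buf);
    return rc;
}

/* C-string convenience wrappers; response_rows returns -1 on any error. */
int response_status(const char *body)
{
    long rows;
    return handle_update_response(body, strlen(body), &rows);
}

long response_rows(const char *body)
{
    long rows = -1;
    return handle_update_response(body, strlen(body), &rows) == 0 ? rows : -1;
}

/* Constructed sample bodies: a well-formed row count, and an HTML-wrapped
 * error of over 100 bytes in the style the reporter saw (names invented). */
const char GOOD_BODY[] = "1\n";
const char PHP_ERROR_BODY[] =
    "1<br />\n<b>Fatal error</b>: Call to undefined function example_fn() "
    "in <b>/srv/example/update.php</b> on line 1\n";

int main(void)
{
    printf("good body: status=%d rows=%ld\n",
           response_status(GOOD_BODY), response_rows(GOOD_BODY));
    printf("error body: status=%d (len %zu, naive NUL index %zu, buffer %d)\n",
           response_status(PHP_ERROR_BODY), strlen(PHP_ERROR_BODY),
           buggy_terminator_index(RESPONSE_BUFSIZE, strlen(PHP_ERROR_BODY)),
           RESPONSE_BUFSIZE);
    return 0;
}
```

Two points are worth noting for defenders. Rejecting an oversized or non-numeric body outright, rather than truncating it, turns a misconfigured backend into a logged error instead of a memory-safety bug; and because the error body here is longer than the buffer, the naive terminator index lands exactly at 100, the address valgrind reported as the first byte past the allocation.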