
Summary: ASTERISK-15997: [patch] Segmentation fault with unanswered inbound call via chan_ooh323
Reporter: jin (jin)
Labels:
Date Opened: 2010-04-21 16:39:21
Date Closed: 2010-06-21 09:07:04
Priority: Critical
Regression?: No
Status: Closed/Complete
Components: Addons/chan_ooh323
Versions:
Frequency of Occurrence:
Related Issues:
Environment:
Attachments:
( 0) 1-ooh323-normal-hangup.txt
( 1) 2-asterisk-normal-hangup.txt
( 2) 3-ooh323-crash-hangup.txt
( 3) 4-asterisk-crash-hangup.txt
( 4) 5-asterisk-crash-gdb-backtrace.txt
( 5) 6-asterisk-crash-gdb-backtrace.txt
( 6) bug17227.patch
Description:

If I configure a SIP phone to hang up a call after 30 seconds of ring time from an inbound call, the chan_ooh323 module crashes and Asterisk segfaults... Tested using a Grandstream GXW-4024 gateway and a Linksys SPA921 phone.

Attached 4 logs:

The phone is configured to hang up after 60 seconds:
1-ooh323-normal-hangup.txt
2-asterisk-normal-hangup.txt

The phone is configured to hang up after 30 seconds:
3-ooh323-crash-hangup.txt
4-asterisk-crash-hangup.txt

Asterisk seems to crash only when the cause of hangup is:
22:01:35:395  Cleaning Call (incoming, ooh323c_2)- reason:OO_REASON_LOCAL_CONGESTED

If the cause of hangup is the following, Asterisk doesn't crash:
21:57:45:129  Cleaning Call (incoming, ooh323c_1)- reason:OO_REASON_REMOTE_CLEARED

So, if the phone doesn't hang up the call before 60 seconds of ring time, Asterisk doesn't crash.

Actual workaround: configure all phones to hang up after 60 secs of ringing.

Outgoing calls don't have any problems.


****** ADDITIONAL INFORMATION ******

This bug is verified using the Asterisk 1.6.2.6 RPMs from the Digium CentOS repository; I also tested the i386 and x86_64 versions and made self-compiled SRPMs too.

operating system:
Linux pbx3.xxxxx.lan 2.6.18-164.15.1.el5 #1 SMP Wed Mar 17 11:30:06 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux

ooh323 configuration:
Objective Open H.323 Channel Driver's Config:
IP:Port:            192.168.6.10:1720
FastStart           yes
Tunneling           yes
CallerId            9094
MediaWaitForConnect yes
Gatekeeper:         10.22.33.44
H.323 LogFile:      /var/log/asterisk/h323_log
Context:            from-trunk
Capability:         0x4 (ulaw)
DTMF Mode:          rfc2833
AccountCode:        ast_h323
AMA flags:          Unknown
Aliases:            
12345678250                   9094
Comments:

By: Alexander Anikin (may213) 2010-04-22 17:59:35

Hi,

There are a few things.
Asterisk crashes after a hangup of the H323 channel initiated from the local side of Asterisk; this crash has no relation to SIP things.
It's possible that Asterisk crashes after a hangup with congestion.

You can do a test. I see you use FreePBX or a similar environment, so please set the dialing timeout to 30 sec in the SIP extension config in Asterisk, then try to call it from H323 and wait for the hangup. The H323 call must hang up without congestion but from the local side. If Asterisk does not crash, then the reason is in congestion, and if it crashes, the reason is in the local-side hangup.

Also, please attach the gdb backtrace log from the Asterisk core after the crash.

By: jin (jin) 2010-04-23 10:35:25

Hi,

I confirm that this crash happens only on the "Everyone is busy/congested at this time" message; if Asterisk terminates the call after 30 secs of ringing, Asterisk doesn't crash.
So the bug is not in the local side hangup.

Attached the gdb backtrace.

Best regards and many thanks for looking into this bug

By: jin (jin) 2010-04-28 17:07:22

Today I tested ooh323 of asterisk-addons-1.4.11 and asterisk-1.4.30, and the crash doesn't happen, so this bug is related to Asterisk 1.6.x (tested 1.6.0 and 1.6.1 branches) only.

Best regards

By: jin (jin) 2010-05-13 04:08:38

Any news about this bug? Do you need other info?

Best regards

By: Alexander Anikin (may213) 2010-05-23 13:19:34

Hi,

I can't see any trouble in the ooh323 code related to this bug. Can you recompile the 1.6 version with MALLOC_DEBUG flags and look at the /var/log/asterisk/mmlog messages?
And can you test with the trunk version?

By: jin (jin) 2010-06-01 12:36:34

Just recompiled asterisk 1.6.2.7 and asterisk addons-1.6.2.1 with the following compile flags

MENUSELECT_CFLAGS=DONT_OPTIMIZE DEBUG_THREADS LOADABLE_MODULES MALLOC_DEBUG

Attached the new backtrace 6-asterisk-crash-gdb-backtrace.txt

In /var/log/asterisk/mmlog I see only:

1275413189 - New session
1275413251 - New session

As soon as possible I'll try the trunk version of asterisk and asterisk-addons; however, the backtrace is now more verbose:

Core was generated by `/usr/sbin/asterisk -f -vvvg -c'.
Program terminated with signal 11, Segmentation fault.
#0  0x00002aaab2294c06 in asn1PD_H225CryptoH323Token_cryptoGKPwdHash () from /usr/lib/asterisk/modules/chan_ooh323.so
(gdb) bt
#0  0x00002aaab2294c06 in asn1PD_H225CryptoH323Token_cryptoGKPwdHash () from /usr/lib/asterisk/modules/chan_ooh323.so
#1  0x00002aaab2297ca8 in ?? () from /usr/lib/asterisk/modules/chan_ooh323.so
#2  0x000000000046a6e9 in __ast_read (chan=0x1c5fbcb8, dropaudio=0) at channel.c:2802
#3  0x000000000046c1e8 in ast_read (chan=0x1c5fbcb8) at channel.c:3102
#4  0x0000000000465f79 in ast_safe_sleep_conditional (chan=0x1c5fbcb8, ms=3, cond=0, data=0x0) at channel.c:1349
#5  0x0000000000465fdf in ast_safe_sleep (chan=0x1c5fbcb8, ms=10000) at channel.c:1369
#6  0x0000000000509a23 in wait_for_hangup (chan=0x1c5fbcb8, data=0x405381d0) at pbx.c:8433
#7  0x0000000000509b7d in pbx_builtin_congestion (chan=0x1c5fbcb8, data=0x405381d0) at pbx.c:8497
#8  0x00000000004ef04f in pbx_exec (c=0x1c5fbcb8, app=0x1c470ca8, data=0x405381d0) at pbx.c:1348
#9  0x00000000004f90a8 in pbx_extension_helper (c=0x1c5fbcb8, con=0x0, context=0x1c5fcc30 "macro-exten-vm", exten=0x1c5fcc80 "s-CONGESTION", priority=4, label=0x0, callerid=0x1c5679d8 "0575250438",
   action=E_SPAWN, found=0x4053abf4, combined_find_spawn=1) at pbx.c:3711
#10 0x00000000004fa894 in ast_spawn_extension (c=0x1c5fbcb8, context=0x1c5fcc30 "macro-exten-vm", exten=0x1c5fcc80 "s-CONGESTION", priority=4, callerid=0x1c5679d8 "0575250438", found=0x4053abf4,
   combined_find_spawn=1) at pbx.c:4170
#11 0x00002aaac96b7c8e in _macro_exec (chan=0x1c5fbcb8, data=0x4053d8a0, exclusive=0) at app_macro.c:398
#12 0x00002aaac96b9804 in macro_exec (chan=0x1c5fbcb8, data=0x4053d8a0) at app_macro.c:561
#13 0x00000000004ef04f in pbx_exec (c=0x1c5fbcb8, app=0x1c394398, data=0x4053d8a0) at pbx.c:1348
#14 0x00000000004f90a8 in pbx_extension_helper (c=0x1c5fbcb8, con=0x0, context=0x1c5fcc30 "macro-exten-vm", exten=0x1c5fcc80 "s-CONGESTION", priority=1, label=0x0, callerid=0x1c5679d8 "0575250438",
   action=E_SPAWN, found=0x4053ffa4, combined_find_spawn=1) at pbx.c:3711
#15 0x00000000004fa894 in ast_spawn_extension (c=0x1c5fbcb8, context=0x1c5fcc30 "macro-exten-vm", exten=0x1c5fcc80 "s-CONGESTION", priority=1, callerid=0x1c5679d8 "0575250438", found=0x4053ffa4,
   combined_find_spawn=1) at pbx.c:4170
#16 0x00000000004fb03c in __ast_pbx_run (c=0x1c5fbcb8, args=0x0) at pbx.c:4264
#17 0x00000000004fc63c in pbx_thread (data=0x1c5fbcb8) at pbx.c:4551
#18 0x000000000056160a in dummy_start (data=0x1c56ba88) at utils.c:968
#19 0x000000328920673d in start_thread () from /lib64/libpthread.so.0
#20 0x00000032886d3d1d in clone () from /lib64/libc.so.6

Best regards

By: Alexander Anikin (may213) 2010-06-06 15:03:52

Hi,

Please try the attached patch; I think it'll solve the trouble.

By: jin (jin) 2010-06-07 04:04:42

Great! I've done many calls and asterisk never crashed!

Please include the patch upstream.

Thank you very much!

Best regards

By: Digium Subversion (svnbot) 2010-06-07 15:12:54

Repository: asterisk-addons
Revision: 1115

U   branches/1.6.0/channels/chan_ooh323.c

------------------------------------------------------------------------
r1115 | may | 2010-06-07 15:12:53 -0500 (Mon, 07 Jun 2010) | 13 lines

don't read rtp data from channel without private structure

In some cases asterisk channel can exist but on protocol stack side channel can
be closed and we must return null frame in reading data functions
instead of reading data from destroyed channel

(issue ASTERISK-15997)
Reported by: jin
Patches:
     bug17227.patch uploaded by may213 (license 454)
Tested by: jin


------------------------------------------------------------------------

http://svn.digium.com/view/asterisk-addons?view=rev&revision=1115

By: Digium Subversion (svnbot) 2010-06-07 15:14:10

Repository: asterisk-addons
Revision: 1116

U   branches/1.6.1/channels/chan_ooh323.c

------------------------------------------------------------------------
r1116 | may | 2010-06-07 15:14:10 -0500 (Mon, 07 Jun 2010) | 14 lines

don't read rtp data from channel without private structure

In some cases asterisk channel can exist but on protocol stack side
channel can
be closed and we must return null frame in reading data functions
instead of reading data from destroyed channel

(issue ASTERISK-15997)
Reported by: jin
Patches:
     bug17227.patch uploaded by may213 (license 454)
Tested by: jin


------------------------------------------------------------------------

http://svn.digium.com/view/asterisk-addons?view=rev&revision=1116

By: Digium Subversion (svnbot) 2010-06-07 15:15:08

Repository: asterisk-addons
Revision: 1117

U   branches/1.6.2/channels/chan_ooh323.c

------------------------------------------------------------------------
r1117 | may | 2010-06-07 15:15:08 -0500 (Mon, 07 Jun 2010) | 15 lines

don't read rtp data from channel without private structure

In some cases asterisk channel can exist but on protocol stack side
channel can
be closed and we must return null frame in reading data functions
instead of reading data from destroyed channel

(closes issue ASTERISK-15997)
Reported by: jin
Patches:
     bug17227.patch uploaded by may213 (license 454)
Tested by: jin



------------------------------------------------------------------------

http://svn.digium.com/view/asterisk-addons?view=rev&revision=1117
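
The guard that the r1115, r1116 and r1117 commit messages describe, as an added C sketch that is not the bug17227.patch code and not taken from chan_ooh323. All types and function names (`drv_pvt`, `start_call`, `stack_clear_call`, `guarded_read`) are hypothetical stand-ins, and the model is single-threaded, so it leaves out the locking a real driver needs around the check.

```c
#include <stdlib.h>

/* Stand-in types for this sketch; they are not Asterisk's real structures. */
enum frame_type { FRAME_NULL, FRAME_VOICE };
struct frame { enum frame_type type; int datalen; };
struct drv_pvt { int rtp_pending; };           /* driver-private call state */
struct channel { struct drv_pvt *tech_pvt; };  /* core-side channel object */
static struct frame null_frame = { FRAME_NULL, 0 };

/* Attach private state to a channel; returns 0 on success, -1 on failure. */
int start_call(struct channel *chan, int pending_bytes)
{
    struct drv_pvt *p = calloc(1, sizeof(*p));
    if (!p)
        return -1;
    p->rtp_pending = pending_bytes;
    chan->tech_pvt = p;
    return 0;
}

/* Protocol-stack side: call cleaned up while the core still polls the channel. */
void stack_clear_call(struct channel *chan)
{
    struct drv_pvt *p = chan->tech_pvt;
    chan->tech_pvt = NULL;   /* detach before freeing: no stale pointer */
    free(p);
}

/* Read callback: check for the private structure before touching RTP state. */
struct frame *guarded_read(struct channel *chan, struct frame *out)
{
    struct drv_pvt *p = chan ? chan->tech_pvt : NULL;
    if (!p)                  /* no private structure: return a null frame */
        return &null_frame;
    out->type = FRAME_VOICE;
    out->datalen = p->rtp_pending;
    p->rtp_pending = 0;
    return out;
}

int main(void)
{
    struct channel chan = { NULL };
    struct frame buf;
    if (start_call(&chan, 160) != 0)
        return 1;
    stack_clear_call(&chan); /* stack hangs up before the core's next read */
    return guarded_read(&chan, &buf) == &null_frame ? 0 : 1;
}
```

The second read mirrors the backtrace in this report, where the core is still inside `ast_read` via `wait_for_hangup` after the H.323 side has already cleaned the call.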