ASTERISK-16716: Asterisk crashes on local_ast_moh

[Home]

Summary: ASTERISK-16716: Asterisk crashes on local_ast_moh_start (Segmentation Fault)

Reporter: Valensuela (valen22br) Labels:

Date Opened: 2010-09-23 07:27:22 Date Closed: 2011-07-27 13:09:46

Priority: Critical Regression? No

Status: Closed/Complete Components: Channels/General

Versions: Frequency of
Occurrence

Related
Issues:

Environment: Attachments: ( 0) asterisk_A
( 1) asterisk_B
( 2) backtrace-issue18035.txt

Description: Scenario: Asterisk(A) connect to Asterisk(B) through IAX2 trunk.
Using res_timing_dahdi as timing source.

Call comes from PSTN to Asterisk(A), with DID to a SIP extension that have an follow me configured to a external route (using IAX2 trunk) that point to another SIP extension on Asterisk(B).

In this scenario I have two segmentations faults on Asterisk(A), 1000 calls per day.
Today I changed the IAX2 trunk between Asterisk(A) and Asterisk(B) to a SIP trunk and until now, I do not have an segmentation fault.

I am suspecting that the problem is with IAX2 trunk.

****** ADDITIONAL INFORMATION ******

backtrace removed.

Comments: By: Leif Madsen (lmadsen) 2010-09-23 10:41:03

Your backtrace is optimized out. Please provide a backtrace after enabling and recompiling Asterisk with the DONT_OPTIMIZE enabled in the Compiler Flags section of menuselect.

Also see the doc/backtrace.txt file located in your Asterisk source.

Thanks!
Leif.
By: Valensuela (valen22br) 2010-09-24 07:59:03

Ok, here is the new backtrace with option DONT_OPTIMIZE enabled.

Thanks

backtrace removed

By: Stefan Schmidt (schmidts) 2010-09-24 11:30:16

please add backtrace and other logs only as uploaded files.
i have removed the latest backtrace and add it as file, just for the future ;)
By: Valensuela (valen22br) 2010-09-24 14:20:49

It's look like the problem ocurred in ast_strlen_zero(mclass parameter), it was called in local_ast_moh_start, and it appears to be broken.

We think when mclass is wrong but has a '\0' (terminator string) we got the following logs:
54326:[Sep 24 13:58:49] VERBOSE[5985] loader.c: res_musiconhold.so => (Music On Hold Resource)
55151:[Sep 24 13:59:46] DEBUG[6346] res_musiconhold.c: Music on Hold class 'h;t???B???5?9?)P??' not found in memory

On the other hand, when mclass has not a '\0' (terminator string) we got an Asterisk crash.
By: Stefan Schmidt (schmidts) 2010-09-24 15:50:11

ast_strlen_zero checks if mclass would be a null pointer or an empty string = '\0'
but as i see in the backtrace and also in your debug it looks more like an unitialised string.

like its in your backtrace oumclass=0x8c1e6350 <Address 0x8c1e6350 out of bounds>
By: Valensuela (valen22br) 2010-09-27 07:11:19

so how can we fix this issue?
By: Stefan Schmidt (schmidts) 2010-09-27 13:02:21

could you please post a dialplan example and configs how this could be reproduced.
without this its hard to find.

thanks
By: Valensuela (valen22br) 2010-09-28 07:08:12

Here we use a dialplan based on FreePBX, and it's so big. Looking to the source code and the problem, we know the problem is the unitialised string. The problem apparently occur only with IAX2 trunks, because we changed this trunk to a SIP trunk and the problem did not occur again. Where I can look for initialization of mclass parameter?
By: Valensuela (valen22br) 2010-10-04 14:59:11

Hello all,

after many days doing tests, we got the following:

Asterisk(A) dial to Asterisk(B) using a IAX2 trunk, the Asterisk(B) get the extension and dial to a SIP extension(logged on Asterisk(B)).

If the Asterisk(B) has the mohinterpret parameter set as passthrough, in iax.conf. After the SIP extension logged on Asterisk(B) tries to transfer the call, we got a crash or a message like this: "[Oct 4 15:44:53] DEBUG[24045] res_musiconhold.c: Music on Hold class ']]][YY]^[Y]a`][ZXXZ]][]fg\VWZ[XXYYWY`g_YY\[WUY]]\^ef][be[UWXWVX\_^]ad^YXYXYYZZZ[[[[[[[[[\\\\\[ZZYXXXXYZ[\\[[ZYXXXYZ[]^`bbba`_^^]\\\\]]]]]]\\\\\\\]]]]]\\[[[[[\\]°^C' not found in memory".

We did tests using 3 versions (All of those using Asterisk(A) 1.6.2.13 version:

Asterisk(B) 1.2.24: We don't need to enable mohinterpret=passthrough parameter in iax.conf at Asterisk(B), and all the calls transfered crashs Asterisk(A);

Asterisk(B) 1.4.30: We must enable mohinterpret=passthrough parameter in iax.conf at Asterisk(B), to crash Asterisk(A);

Asterisk(B) 1.6.2.13: We must enable mohinterpret=passthrough parameter in iax.conf at Asterisk(B), to crash Asterisk(A);

__________________________________________________________________________

My simple dialplan at Asterisk(A):
exten => 89001,1,Dial(IAX2/itrunk2/9001)
exten => 89001,n,Hangup

My simple dialplan at Asterisk(B):
exten => 9001,n,Dial(SIP/9001,,Tt)
exten => 9001,n,Hangup

The logs from asterisk(A) and asterisk(B) are attached.

Tnanks
By: Leif Madsen (lmadsen) 2010-10-12 09:54:11

Thanks for getting this tested and sorted out. This will make it much easier to triage and get a developer to help.
By: Valensuela (valen22br) 2010-10-21 05:22:37

Hello,
do you have any solutions so far?

Thanks
By: Wolfgang Pichler (wuwu) 2011-03-28 23:53:36

i do have the same bug here - also using iax2 - and local channels. Exact the same backtrace. And i did have the same bug some time ago... - i think it is related to 0016058.

My fix was to apply the frame_datalen workaround (the real fix did not work for me - but the workaround is quit ok)
By: Russell Bryant (russell) 2011-07-27 13:09:41.955-0500

Per the Asterisk maintenance timeline page at http://www.asterisk.org/asterisk-versions maintenance (bug) support for the 1.4 and 1.6.x branches has ended. For continued maintenance support please move to the 1.8 branch which is a long term support (LTS) branch. For more information about branch support, please see https://wiki.asterisk.org/wiki/display/AST/Asterisk+Versions

If this is still an issue, please open a new issue so it can be re-triaged appropriately. Thanks!