| Summary: | ASTERISK-17649: crash in ast_frdup with oversized udptl frame | ||||
| Reporter: | Kristijan Vrban (vrban) | Labels: | |||
| Date Opened: | 2011-04-06 06:05:36 | Date Closed: | 2011-09-14 08:37:32 | ||
| Priority: | Critical | Regression? | No | ||
| Status: | Closed/Complete | Components: | Channels/chan_sip/T.38 | ||
| Versions: | 1.4.40 | Frequency of Occurrence | |||
| Related Issues: |
| ||||
| Environment: | Attachments: | ( 0) 20110520-122741-+492713184236-+4922130239762-72a7b2e4-510e46c5-735f6a09-cb98@nfon-1.sip.mgc.voip.telefonica.de.cap ( 1) gdb_output.txt ( 2) gdb2.txt | |||
| Description: | a crash, see gdb_output.txt noticeable is the oversized datalen: $2 = {frametype = AST_FRAME_MODEM, subclass = 1, datalen = 79109792, samples = 0, mallocd = 0, mallocd_hdr_len = 0, offset = 0, src = 0x4e05fe "UDPTL", data = 0x4b71e98, delivery = {tv_sec = 0, tv_usec = 0}, frame_list = {next = 0x54a0368}, flags = 0, ts = 0, len = 0, seqno = 33223} | ||||
| Comments: | By: Kristijan Vrban (vrban) 2011-05-23 08:04:02 meanwhile i had the third core with this issue. See gdb2.txt the last two times, it crashed at the memcpy in udptl_build_packet in udptl.c again with oversized datalen: (gdb) print *frame $3 = {frametype = AST_FRAME_MODEM, subclass = 1, datalen = 876294195, samples = 0, mallocd = 0, mallocd_hdr_len = 0, offset = 0, src = 0x4e091e "UDPTL", data = 0x7f228b46f11b, delivery = {tv_sec = 0, tv_usec = 0}, frame_list = {next = 0x0}, flags = 0, ts = 0, len = 0, seqno = 32776} i suspect changeset 308413 because it deal with the datalen, and i dont remember this type of crash in older 1.4 version before changeset 308413. Perhaps mnicholson should take a look. He made the change. And very probably it's not and 1.4 issues only. Because the udptl.c source is almost 1:1 in every asterisk version. By: Kristijan Vrban (vrban) 2011-05-24 09:49:21 I attached the call as pcap, which crashed asterisk in gdb2.txt. See paket No. 98 and 100. this to RTP packages were send to the udptl port 4101 after the 200 OK to for the t.38 re-INVITE. And this crashed asterisk. You nicely can see the BYE retransmission, because asterisk was death... By: Matthew Nicholson (mnicholson) 2011-07-26 14:28:20.121-0500 Is this a problem in the most recent 1.4 version? Also, if possible test with 1.8. A crash caused by RTP packets sent to the udptl port is exactly what change 308413 was intended to fix. By: Leif Madsen (lmadsen) 2011-09-14 08:37:26.507-0500 Suspended due to lack of activity. Please request a bug marshal in #asterisk-bugs on the IRC network irc.freenode.net to reopen the issue should you have the additional information requested. Further information can be found at http://www.asterisk.org/developers/bug-guidelines | ||||