
Summary: ASTERISK-17649: crash in ast_frdup with oversized udptl frame
Reporter: Kristijan Vrban (vrban)
Labels:
Date Opened: 2011-04-06 06:05:36
Date Closed: 2011-09-14 08:37:32
Priority: Critical
Regression?: No
Status: Closed/Complete
Components: Channels/chan_sip/T.38
Versions: 1.4.40
Frequency of Occurrence:
Related Issues: is caused by ASTERISK-25603 [patch] udptl: Uninitialized lengths and bufs in udptl_rx_packet cause ast_frdup crash
Environment:
Attachments:
( 0) 20110520-122741-+492713184236-+4922130239762-72a7b2e4-510e46c5-735f6a09-cb98@nfon-1.sip.mgc.voip.telefonica.de.cap
( 1) gdb_output.txt
( 2) gdb2.txt
Description: A crash, see gdb_output.txt.

Noticeable is the oversized datalen:

$2 = {frametype = AST_FRAME_MODEM, subclass = 1, datalen = 79109792, samples = 0, mallocd = 0, mallocd_hdr_len = 0, offset = 0,
 src = 0x4e05fe "UDPTL", data = 0x4b71e98, delivery = {tv_sec = 0, tv_usec = 0}, frame_list = {next = 0x54a0368}, flags = 0, ts = 0, len = 0,
 seqno = 33223}

Comments:

By: Kristijan Vrban (vrban) 2011-05-23 08:04:02

Meanwhile I had the third core with this issue. See gdb2.txt.
The last two times, it crashed at the memcpy in udptl_build_packet in udptl.c,
again with oversized datalen:

(gdb) print *frame
$3 = {frametype = AST_FRAME_MODEM, subclass = 1, datalen = 876294195, samples = 0, mallocd = 0, mallocd_hdr_len = 0, offset = 0,
 src = 0x4e091e "UDPTL", data = 0x7f228b46f11b, delivery = {tv_sec = 0, tv_usec = 0}, frame_list = {next = 0x0}, flags = 0, ts = 0, len = 0,
 seqno = 32776}

I suspect changeset 308413 because it deals with the datalen, and I don't remember this type of crash in older 1.4 versions before changeset 308413.

Perhaps mnicholson should take a look. He made the change. And very probably it's not a 1.4-only issue, because the udptl.c source is almost 1:1 in every Asterisk version.



By: Kristijan Vrban (vrban) 2011-05-24 09:49:21

I attached the call as pcap, which crashed Asterisk in gdb2.txt. See packets No. 98 and 100. These two RTP packets were sent to the udptl port 4101 after the 200 OK for the T.38 re-INVITE. And this crashed Asterisk.

You can nicely see the BYE retransmission, because Asterisk was dead...



By: Matthew Nicholson (mnicholson) 2011-07-26 14:28:20.121-0500

Is this a problem in the most recent 1.4 version? Also, if possible test with 1.8. A crash caused by RTP packets sent to the udptl port is exactly what change 308413 was intended to fix.
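As an added illustration of the failure mode this report and its linked issue describe (an RTP datagram landing on the UDPTL port, leaving an uninitialised or stale datalen that later drives a memcpy), the following is example code written for this page, not Asterisk's udptl.c or ast_frdup: a simplified UDPTL-style receive path that resets its output fields before any early return, beside a frame copy that refuses a datalen no real payload could have. The struct and function names, the one-byte length encoding and the MAX_UDPTL_PAYLOAD bound are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-ins for ast_frame / udptl state, not Asterisk's definitions. */
#define MAX_UDPTL_PAYLOAD 1024   /* assumed upper bound for one UDPTL payload */
struct modem_frame {
    size_t datalen;        /* number of bytes at data */
    const uint8_t *data;
};
/* Simplified UDPTL layout (assumed): 2-byte sequence, 1-byte payload length,
 * payload. Output fields are reset BEFORE any early return, so a datagram that
 * is not UDPTL (e.g. RTP sent to the UDPTL port) never leaves stale values. */
int parse_udptl(const uint8_t *pkt, size_t pktlen, struct modem_frame *out)
{
    out->datalen = 0;
    out->data = NULL;
    if (pkt == NULL || pktlen < 3)
        return -1;
    size_t len = pkt[2];
    if (len == 0 || len > pktlen - 3)   /* payload must fit inside the datagram */
        return -1;
    out->datalen = len;
    out->data = pkt + 3;
    return 0;
}
/* Frame duplication with the bound that keeps memcpy safe: a null-backed,
 * empty or implausibly large datalen is rejected instead of copied. */
struct modem_frame *frame_dup_checked(const struct modem_frame *f)
{
    if (f->data == NULL || f->datalen == 0 || f->datalen > MAX_UDPTL_PAYLOAD)
        return NULL;
    struct modem_frame *d = malloc(sizeof(*d) + f->datalen);
    if (d == NULL)
        return NULL;
    uint8_t *buf = (uint8_t *)(d + 1);   /* payload stored right after the header */
    memcpy(buf, f->data, f->datalen);
    d->datalen = f->datalen;
    d->data = buf;
    return d;
}
int main(void)
{
    /* Constructed 12-byte RTP header arriving on the UDPTL port. */
    const uint8_t rtp[] = {0x80, 0x00, 0x81, 0x00, 0, 0, 0, 0, 0, 0, 0, 0};
    struct modem_frame f = { .datalen = 79109792, .data = NULL };   /* stale, as in the gdb dump */
    int rc = parse_udptl(rtp, sizeof rtp, &f);
    printf("parse=%d datalen=%zu dup=%p\n", rc, f.datalen, (void *)frame_dup_checked(&f));
    return 0;
}
```

With the constructed RTP header the parser returns -1 and leaves datalen at 0, so the stale 79109792 from the gdb dump never reaches the copy; a frame carrying that value directly is refused by frame_dup_checked.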

By: Leif Madsen (lmadsen) 2011-09-14 08:37:26.507-0500

Suspended due to lack of activity. Please request a bug marshal in #asterisk-bugs on the IRC network irc.freenode.net to reopen the issue should you have the additional information requested.  Further information can be found at http://www.asterisk.org/developers/bug-guidelines