Summary: ASTERISK-17909: [patch] Crash in chan_sip -- sip_setoption()
Reporter: Mark Murawski (kobaz)
Labels:
Date Opened: 2011-05-23 17:00:29
Date Closed: 2011-07-18 08:02:15
Versions:
Frequency of
Is duplicated by: ASTERISK-20044 Crash in sip_setoption - chan_sip.c
Environment:
Attachments: ( 0) chan_sip.patch
Description: If the sip private structure is null, sip_setoption() will dereference the null pointer and crash.

I don't know what the exact fix would be, but a stopgap would prevent a crash here.

Possibly all the operations on sip private structures should check their pointer first?


(gdb) bt
#0  0x064d624f in sip_setoption (chan=0xfb1f2a8, option=12, data=0x10cf3cf8, datalen=4) at chan_sip.c:4209
#1  0x080bcca5 in ast_channel_setoption (chan=0xfb1f2a8, option=12, data=0x10cf3cf8, datalen=4, block=0) at channel.c:7750
#2  0x080b3d4c in set_format (chan=0xfb1f2a8, fmt=4, rawformat=0xfb1f5f8, format=0xfb1f5e8, trans=0xfb1f2ec, direction=1) at channel.c:5386
#3  0x080b4245 in ast_set_write_format (chan=0xfb1f2a8, fmt=4) at channel.c:5461
#4  0x05f98d07 in moh_release (chan=0xfb1f2a8, data=0x4f00ef0) at res_musiconhold.c:902
#5  0x080ae0d9 in ast_deactivate_generator (chan=0xfb1f2a8) at channel.c:3324
#6  0x080afb2d in __ast_read (chan=0xfb1f2a8, dropaudio=0) at channel.c:4029
#7  0x080b19e0 in ast_read (chan=0xfb1f2a8) at channel.c:4543
#8  0x05cddca4 in run_agi (chan=0xfb1f2a8, request=0x10cf4990 "agi://", agi=0x10cf49d0, pid=-1, status=0x10cf49c4, dead=0, argc=1, argv=0x10cf49e8) at res_agi.c:3502
#9  0x05cdf347 in agi_exec_full (chan=0xfb1f2a8, data=0x10cf6d9c "agi://", enhanced=0, dead=0) at res_agi.c:3858
#10 0x05cdf48b in agi_exec (chan=0xfb1f2a8, data=0x10cf6d9c "agi://") at res_agi.c:3892
#11 0x081308b9 in pbx_exec (c=0xfb1f2a8, app=0x63a3e58, data=0x10cf6d9c "agi://") at pbx.c:1406
#12 0x081391c8 in pbx_extension_helper (c=0xfb1f2a8, con=0x0, context=0xfb1f614 "dialExten", exten=0xfb1f664 "s", priority=6, label=0x0, callerid=0xfaa5398 "6230", action=E_SPAWN, found=0x10cf9228, combined_find_spawn=1) at pbx.c:4102
#13 0x0813aa1b in ast_spawn_extension (c=0xfb1f2a8, context=0xfb1f614 "dialExten", exten=0xfb1f664 "s", priority=6, callerid=0xfaa5398 "6230", found=0x10cf9228, combined_find_spawn=1) at pbx.c:4625
#14 0x0813b313 in __ast_pbx_run (c=0xfb1f2a8, args=0x0) at pbx.c:4723
#15 0x0813ccdc in pbx_thread (data=0xfb1f2a8) at pbx.c:5065
#16 0x0818b24c in dummy_start (data=0xfa13270) at utils.c:973
#17 0x04462c39 in start_thread (arg=0x10cf9b70) at pthread_create.c:304
#18 0x042a28ee in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130
(gdb) list
4204            switch (option) {
4205            case AST_OPTION_FORMAT_READ:
4206                    res = ast_rtp_instance_set_read_format(p->rtp, *(int *) data);
4207                    break;
4208            case AST_OPTION_FORMAT_WRITE:
4209                    res = ast_rtp_instance_set_write_format(p->rtp, *(int *) data);
4210                    break;
4211            case AST_OPTION_MAKE_COMPATIBLE:
4212                    res = ast_rtp_instance_make_compatible(chan, p->rtp, (struct ast_channel *) data);
4213                    break;
(gdb) p p->rtp
Cannot access memory at address 0xd14
(gdb) p p
$2 = (struct sip_pvt *) 0x0
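The following is an added, stand-alone illustration and is neither the attached chan_sip.patch nor Asterisk's own code. It models the switch from the gdb listing above with the stopgap the report proposes: check the sip private structure before anything touches p->rtp. The structure layouts, the AST_OPTION_* values and the three ast_rtp_instance_* functions are constructed stand-ins, and the datalen checks are an extra sanity measure not present in the listed code. The dead-channel case reproduces the call from the backtrace (a write-format change arriving after tech_pvt has become NULL) and now returns -1 instead of faulting.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed option codes; the real AST_OPTION_* values are not reproduced. */
enum {
    AST_OPTION_FORMAT_READ = 1,
    AST_OPTION_FORMAT_WRITE = 2,
    AST_OPTION_MAKE_COMPATIBLE = 3
};

/* Cut-down stand-ins for the Asterisk structures involved. */
struct ast_rtp_instance {
    int read_format;
    int write_format;
};

struct sip_pvt {                  /* the "sip private structure" */
    struct ast_rtp_instance *rtp;
};

struct ast_channel {
    struct sip_pvt *tech_pvt;     /* NULL once the SIP dialog has been torn down */
};

/* Mock RTP engine calls: 0 on success, -1 when there is no RTP instance. */
static int ast_rtp_instance_set_read_format(struct ast_rtp_instance *rtp, int fmt)
{
    if (!rtp) {
        return -1;
    }
    rtp->read_format = fmt;
    return 0;
}

static int ast_rtp_instance_set_write_format(struct ast_rtp_instance *rtp, int fmt)
{
    if (!rtp) {
        return -1;
    }
    rtp->write_format = fmt;
    return 0;
}

static int ast_rtp_instance_make_compatible(struct ast_channel *chan,
                                            struct ast_rtp_instance *rtp,
                                            struct ast_channel *peer)
{
    (void) chan;
    return (rtp && peer) ? 0 : -1;
}

/* Model of sip_setoption() with the NULL check applied up front. */
static int sip_setoption(struct ast_channel *chan, int option, void *data, int datalen)
{
    struct sip_pvt *p = chan->tech_pvt;
    int res = -1;

    /* Stopgap from the report. Without it, p->rtp reads through address 0
     * plus the field offset (the "Cannot access memory at address 0xd14"
     * in the gdb session) and the whole Asterisk process dies. */
    if (!p) {
        return -1;
    }

    switch (option) {
    case AST_OPTION_FORMAT_READ:
        if (datalen != (int) sizeof(int)) {   /* extra check, not in the listing */
            return -1;
        }
        res = ast_rtp_instance_set_read_format(p->rtp, *(int *) data);
        break;
    case AST_OPTION_FORMAT_WRITE:
        if (datalen != (int) sizeof(int)) {
            return -1;
        }
        res = ast_rtp_instance_set_write_format(p->rtp, *(int *) data);
        break;
    case AST_OPTION_MAKE_COMPATIBLE:
        res = ast_rtp_instance_make_compatible(chan, p->rtp, (struct ast_channel *) data);
        break;
    default:
        break;
    }
    return res;
}

/* The backtrace scenario: a write-format change on a channel whose
 * tech_pvt is already NULL. Returns sip_setoption()'s result (-1, no crash). */
int demo_dead_channel(void)
{
    struct ast_channel chan = { NULL };
    int fmt = 4;                  /* fmt=4, as in the ast_set_write_format frame */
    return sip_setoption(&chan, AST_OPTION_FORMAT_WRITE, &fmt, (int) sizeof(fmt));
}

/* Same call on a live channel; returns the write format now held by the RTP instance. */
int demo_live_channel(void)
{
    struct ast_rtp_instance rtp = { 0, 0 };
    struct sip_pvt pvt = { &rtp };
    struct ast_channel chan = { &pvt };
    int fmt = 4;
    if (sip_setoption(&chan, AST_OPTION_FORMAT_WRITE, &fmt, (int) sizeof(fmt)) != 0) {
        return -1;
    }
    return rtp.write_format;
}

int main(void)
{
    printf("dead channel: sip_setoption returned %d\n", demo_dead_channel());
    printf("live channel: write format is now %d\n", demo_live_channel());
    return 0;
}
```

The check only converts the crash into an error return; as the report says, the root cause is that the channel technology's setoption callback is reachable after the private structure has gone away, so the caller-side ordering (generator deactivation after hangup in this trace) is what ultimately needs fixing.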
Comments:

By: Michael L. Young (elguero) 2011-05-23 20:01:11

I think this may be a duplicate of ASTERISK-17336.  Can you confirm if it is?  If so, then a bug marshal can add a relation to that issue.

By: Mark Murawski (kobaz) 2011-05-23 20:32:13

I can't tell for certain, but it looks very similar.  It's difficult to tell 100% because in the other issue there's no output of what the pointer is for the sip private structure.  If I were to take a wild guess, I would say it's probably the same crash.  I'll mark it as related.

Try this patch to see if it fixes the issue noted in ASTERISK-1848732.

By: Mark Murawski (kobaz) 2011-07-18 07:36:23.932-0500

r328608 | markm | 2011-07-18 08:35:57 -0400 (Mon, 18 Jul 2011) | 9 lines

If the sip private structure is null, sip_setoption() will dereference the null pointer and crash.

Ideally, sip_setoption shouldn't be called if there is a lack of a sip private structure.  But this will fix a crash.

(closes issue ASTERISK-17909)
Reported by: Mark Murawski
Tested by: Mark Murawski

By: Mark Murawski (kobaz) 2011-07-18 07:59:13.390-0500

Merged to 1.10 (r328611)
Merged to trunk (r328612)