Summary: ASTERISK-17909: [patch] Crash in chan_sip -- sip_setoption()
Reporter: Mark Murawski (kobaz)
Labels:
Date Opened: 2011-05-23 17:00:29
Date Closed: 2011-07-18 08:02:15
Priority: Critical
Regression?: No
Status: Closed/Complete
Components: Channels/chan_sip/General
Versions:
Frequency of Occurrence:
Related Issues:
Environment:
Attachments: (0) chan_sip.patch
Description:
If the sip private structure is null, sip_setoption() will deref the null pointer and crash. I don't know what the exact fix would be, but a stopgap would prevent a crash here. Possibly all the operations on sip private structures should check their pointer first?

****** ADDITIONAL INFORMATION ******

(gdb) bt
#0  0x064d624f in sip_setoption (chan=0xfb1f2a8, option=12, data=0x10cf3cf8, datalen=4) at chan_sip.c:4209
#1  0x080bcca5 in ast_channel_setoption (chan=0xfb1f2a8, option=12, data=0x10cf3cf8, datalen=4, block=0) at channel.c:7750
#2  0x080b3d4c in set_format (chan=0xfb1f2a8, fmt=4, rawformat=0xfb1f5f8, format=0xfb1f5e8, trans=0xfb1f2ec, direction=1) at channel.c:5386
#3  0x080b4245 in ast_set_write_format (chan=0xfb1f2a8, fmt=4) at channel.c:5461
#4  0x05f98d07 in moh_release (chan=0xfb1f2a8, data=0x4f00ef0) at res_musiconhold.c:902
#5  0x080ae0d9 in ast_deactivate_generator (chan=0xfb1f2a8) at channel.c:3324
#6  0x080afb2d in __ast_read (chan=0xfb1f2a8, dropaudio=0) at channel.c:4029
#7  0x080b19e0 in ast_read (chan=0xfb1f2a8) at channel.c:4543
#8  0x05cddca4 in run_agi (chan=0xfb1f2a8, request=0x10cf4990 "agi://127.0.0.1:2000", agi=0x10cf49d0, pid=-1, status=0x10cf49c4, dead=0, argc=1, argv=0x10cf49e8) at res_agi.c:3502
#9  0x05cdf347 in agi_exec_full (chan=0xfb1f2a8, data=0x10cf6d9c "agi://127.0.0.1:2000", enhanced=0, dead=0) at res_agi.c:3858
#10 0x05cdf48b in agi_exec (chan=0xfb1f2a8, data=0x10cf6d9c "agi://127.0.0.1:2000") at res_agi.c:3892
#11 0x081308b9 in pbx_exec (c=0xfb1f2a8, app=0x63a3e58, data=0x10cf6d9c "agi://127.0.0.1:2000") at pbx.c:1406
#12 0x081391c8 in pbx_extension_helper (c=0xfb1f2a8, con=0x0, context=0xfb1f614 "dialExten", exten=0xfb1f664 "s", priority=6, label=0x0, callerid=0xfaa5398 "6230", action=E_SPAWN, found=0x10cf9228, combined_find_spawn=1) at pbx.c:4102
#13 0x0813aa1b in ast_spawn_extension (c=0xfb1f2a8, context=0xfb1f614 "dialExten", exten=0xfb1f664 "s", priority=6, callerid=0xfaa5398 "6230", found=0x10cf9228, combined_find_spawn=1) at pbx.c:4625
#14 0x0813b313 in __ast_pbx_run (c=0xfb1f2a8, args=0x0) at pbx.c:4723
#15 0x0813ccdc in pbx_thread (data=0xfb1f2a8) at pbx.c:5065
#16 0x0818b24c in dummy_start (data=0xfa13270) at utils.c:973
#17 0x04462c39 in start_thread (arg=0x10cf9b70) at pthread_create.c:304
#18 0x042a28ee in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130

(gdb) list
4204         switch (option) {
4205         case AST_OPTION_FORMAT_READ:
4206                 res = ast_rtp_instance_set_read_format(p->rtp, *(int *) data);
4207                 break;
4208         case AST_OPTION_FORMAT_WRITE:
4209                 res = ast_rtp_instance_set_write_format(p->rtp, *(int *) data);
4210                 break;
4211         case AST_OPTION_MAKE_COMPATIBLE:
4212                 res = ast_rtp_instance_make_compatible(chan, p->rtp, (struct ast_channel *) data);
4213                 break;

(gdb) p p->rtp
Cannot access memory at address 0xd14

(gdb) p p
$2 = (struct sip_pvt *) 0x0
Comments:

By: Michael L. Young (elguero) 2011-05-23 20:01:11
I think this may be a duplicate of ASTERISK-17336. Can you confirm if it is? If so, then a bug marshal can add a relation to that issue.

By: Mark Murawski (kobaz) 2011-05-23 20:32:13
I can't tell for certain, but it looks very similar. It's difficult to tell 100% because in the other issue there's no output of what the pointer is for the sip private structure. If I were to take a wild guess, I would say it's probably the same crash. I'll mark it as related.

Try this patch to see if it fixes the issue noted in ASTERISK-1848732.

By: Mark Murawski (kobaz) 2011-07-18 07:36:23.932-0500
r328608 | markm | 2011-07-18 08:35:57 -0400 (Mon, 18 Jul 2011) | 9 lines

If the sip private structure is null, sip_setoption() will deref the null pointer and crash. Ideally, sip_setoption shouldn't be called if there is a lack of a sip private structure. But this will fix a crash.

(closes issue ASTERISK-17909)
Reported by: Mark Murawski
Tested by: Mark Murawski

By: Mark Murawski (kobaz) 2011-07-18 07:59:13.390-0500
Merged to 1.10 (r328611)
Merged to trunk (r328612)
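The following is an added illustration of the defect and the stopgap described in the report and the r328608 commit message; it is not Asterisk's chan_sip.c code and not the attached chan_sip.patch. The structures, option codes and function names are simplified stand-ins (assumed for the example), but the pattern is the one gdb showed: the channel's private pointer p is 0x0, and reading p->rtp faults at the member's offset (0xd14) from address zero.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for the Asterisk structures named in the backtrace.
 * These shapes are assumed for the example, not Asterisk's real definitions. */
struct rtp_instance {
    int read_format;
    int write_format;
};

struct sip_pvt {                 /* the "sip private structure" from the report */
    struct rtp_instance *rtp;
};

struct ast_channel {
    const char *name;
    struct sip_pvt *tech_pvt;    /* NULL in the crash: (gdb) p p -> 0x0 */
};

/* Illustrative option codes; the real AST_OPTION_* values live in Asterisk's headers. */
enum {
    OPT_FORMAT_READ  = 11,
    OPT_FORMAT_WRITE = 12,       /* option=12 in frame #0 of the backtrace */
};

/* The unchecked pattern from the gdb listing: p comes straight from the
 * channel and is dereferenced in every case of the switch. With
 * tech_pvt == NULL, p->rtp is a read at a small offset from address 0. */
static int setoption_unchecked(struct ast_channel *chan, int option, const void *data)
{
    struct sip_pvt *p = chan->tech_pvt;

    switch (option) {
    case OPT_FORMAT_READ:
        p->rtp->read_format = *(const int *)data;
        return 0;
    case OPT_FORMAT_WRITE:
        p->rtp->write_format = *(const int *)data;
        return 0;
    default:
        return -1;
    }
}

/* The stopgap the report asks for: refuse the request when the private
 * structure (or its RTP instance) is missing and report failure through the
 * return value instead of faulting. The caller chain (ast_channel_setoption,
 * set_format) already propagates a non-zero result. */
static int setoption_checked(struct ast_channel *chan, int option, const void *data)
{
    struct sip_pvt *p = chan->tech_pvt;
    const char *name = chan->name ? chan->name : "(unnamed)";

    if (!p) {
        fprintf(stderr, "setoption: channel %s has no SIP private structure\n", name);
        return -1;
    }
    if (!p->rtp) {
        fprintf(stderr, "setoption: channel %s has no RTP instance\n", name);
        return -1;
    }

    switch (option) {
    case OPT_FORMAT_READ:
        p->rtp->read_format = *(const int *)data;
        return 0;
    case OPT_FORMAT_WRITE:
        p->rtp->write_format = *(const int *)data;
        return 0;
    default:
        return -1;
    }
}

/* A channel whose private structure is gone, as in the report: the checked
 * version returns -1; the unchecked version would segfault here. */
static int checked_result_for_null_pvt(void)
{
    struct ast_channel gone = { "SIP/6230-gone", NULL };
    int fmt = 4;                 /* fmt=4 as seen in ast_set_write_format() */
    return setoption_checked(&gone, OPT_FORMAT_WRITE, &fmt);
}

/* An intact channel: both versions succeed and the format lands in rtp. */
static int checked_result_for_live_pvt(int *write_format_out)
{
    struct rtp_instance rtp = { 0, 0 };
    struct sip_pvt pvt = { &rtp };
    struct ast_channel live = { "SIP/6230-live", &pvt };
    int fmt = 4;
    int res = setoption_checked(&live, OPT_FORMAT_WRITE, &fmt);
    if (res == 0)
        res = setoption_unchecked(&live, OPT_FORMAT_READ, &fmt);
    *write_format_out = rtp.write_format;
    return res;
}

int main(void)
{
    int wf = 0;
    printf("null pvt -> %d\n", checked_result_for_null_pvt());      /* -1 */
    printf("live pvt -> %d (write_format=%d)\n",
           checked_result_for_live_pvt(&wf), wf);                     /* 0, 4 */
    return 0;
}
```

The null check is only the stopgap the report proposes; as the commit message notes, the better fix is for callers not to reach sip_setoption() once the private structure has been released, so in a real code base the guard should be paired with finding out why tech_pvt was already NULL on a channel still being read from.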