Summary: ASTERISK-18648: DAHDI channel causes Asterisk to segfault crash due to unhandled ast_read() NULL return
Reporter: Stephan Bosch (stephan)
Labels:
Date Opened: 2011-09-30 02:20:19
Date Closed: 2011-10-03 14:17:00
Versions: SVN
Frequency of
Environment: Ubuntu 10.04.3 LTS Linux 2.6.32-33-generic-pae i686 GNU/Linux
Attachments: ( 0) jira_asterisk_18648_v1.8.patch
Description:
I've discovered that Asterisk consistently crashes when our analog home PBX is made to ring all lines (including the one Asterisk's DAHDI card is connected to) with a distinctive alarm ring (five very fast consecutive rings with a short silence). I've produced a core dump and found the issue to be very simple. I've found this issue in, but judging by the source code, the svn trunk still has the same problem.

For the ubuntu version, the gdb trace is as follows:

Program terminated with signal 11, Segmentation fault.
#0  0x19051504 in ss_thread (data=0x20e2dfb0) at chan_dahdi.c:8616
8616    chan_dahdi.c: No such file or directory.
       in chan_dahdi.c
(gdb) bt
#0  0x19051504 in ss_thread (data=0x20e2dfb0) at chan_dahdi.c:8616
#1  0x006eeb94 in dummy_start (data=0x20bb1880) at utils.c:967
#2  0x0014a96e in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
#3  0x00e27a4e in clone () from /lib/tls/i686/cmov/libc.so.6

Starting at line 8615 in the sources I found the following code fragment:

f = ast_read(chan);          /* may return NULL on error/hangup; not checked before use */
if (f->frametype == AST_FRAME_DTMF) {
   dtmfbuf[k++] = f->subclass;
   ast_log(LOG_DEBUG, "CID got digit '%c'\n", f->subclass);
   res = 2000;

This is pretty much my first glance at Asterisk code, and I must say it is not very easy to plow through.  However, from the comment in the channels.h header I deduced that ast_read() may return NULL upon error. Clearly, on various occasions where this function is used, the result is nicely checked for its NULL status first. On this particular occasion, however, it is not. The evaluation of f->frametype will therefore segfault in this case.

In SVN trunk (http://svnview.digium.com/svn/asterisk/trunk/channels/chan_dahdi.c?revision=338226&view=markup) this code fragment can be found at line 10700. I was planning to write a patch, but I have little clue what to do when !f.
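The hardened form of the digit-collection loop quoted above, as an added example that is neither the Asterisk source nor the attached patch: a constructed frame and channel model stands in for struct ast_frame and ast_read(), and a NULL read makes the collector return -1 so the caller can abandon the call rather than dereference the frame. That NULL handling is this example's assumption, not a statement of what jira_asterisk_18648_v1.8.patch does.

```c
#include <stddef.h>

/* Constructed frame model; the real struct ast_frame has many more fields. */
enum { FRAME_DTMF = 1, FRAME_VOICE = 2, FRAME_TIMEOUT = 3 };
struct frame { int frametype; int subclass; /* digit char for FRAME_DTMF */ };

/* Constructed channel: a scripted list of frame pointers. A NULL entry
 * models ast_read() returning NULL (hangup or read error on the line). */
struct channel { const struct frame *const *frames; size_t nframes; size_t pos; };

/* Stand-in for ast_read(): hands out the script, NULL where it says NULL. */
static const struct frame *chan_read(struct channel *chan)
{
    if (chan->pos >= chan->nframes)
        return NULL;
    return chan->frames[chan->pos++];
}

/* Collect caller-ID DTMF digits into dtmfbuf (always NUL-terminated).
 * Returns the digit count, or -1 when the read failed, so the caller can
 * abandon the call instead of dereferencing a NULL frame. */
int collect_cid_digits(struct channel *chan, char *dtmfbuf, size_t bufsize)
{
    size_t k = 0;
    for (;;) {
        const struct frame *f = chan_read(chan);
        if (!f) {                 /* the check missing at chan_dahdi.c:8616 */
            dtmfbuf[k] = '\0';
            return -1;
        }
        if (f->frametype == FRAME_TIMEOUT)
            break;                /* digit burst over */
        if (f->frametype == FRAME_DTMF && k + 1 < bufsize)
            dtmfbuf[k++] = (char)f->subclass;
    }
    dtmfbuf[k] = '\0';
    return (int)k;
}

/* Constructed scenarios: a clean CID burst, and the line dropping mid-burst
 * (the second script contains the NULL that crashed ss_thread). */
static const struct frame d1 = { FRAME_DTMF, '1' }, d2 = { FRAME_DTMF, '2' },
    d3 = { FRAME_DTMF, '3' }, voice = { FRAME_VOICE, 0 }, tmo = { FRAME_TIMEOUT, 0 };
const struct frame *const clean_script[] = { &d1, &voice, &d2, &d3, &tmo };
const struct frame *const dropped_script[] = { &d1, NULL, &d2, &tmo };
const size_t clean_len = 5, dropped_len = 4;
```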
Comments:
By: Richard Mudgett (rmudgett) 2011-09-30 12:58:19.444-0500

[^jira_asterisk_18648_v1.8.patch] Should fix the crash.  It should be fairly straightforward to backport it to v1.6.2.

You seem to have found the only place where ast_read() is not checked for NULL. :)

By: Stephan Bosch (stephan) 2011-09-30 15:48:15.606-0500

Ok, I've backported it to my local version and it compiles and works fine. While testing with multiple ring sequences, it did not crash anymore. Looks like this one is fixed.

By: Richard Mudgett (rmudgett) 2011-10-03 14:17:00.780-0500

Patch was committed.