Summary:ASTERISK-18697: [minivm] Crash in MinivmNotify
Reporter:Chris Boot (bootc)Labels:
Date Opened:2011-10-09 16:57:16Date Closed:2013-01-20 23:28:20.000-0600
Versions: Frequency of
duplicatesASTERISK-20854 app_minivm core dump in ast_str_encode_mime
Environment:Linux x86-64Attachments:( 0) minivm-null-pointer-dereference-fix.patch
Description:MinivmNotify() would reliably crash for me every time I called it. The backtrace is as follows:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f03dd355700 (LWP 3167)]
0x000000000052ba43 in __ast_str_helper (buf=0x7f03dd34f3d0, max_len=0, append=1, fmt=0x7f03e1a16c08 "%s%s?=%s", ap=0x7f03dd349b80) at strings.c:60
60              int offset = (append && (*buf)->__AST_STR_LEN) ? (*buf)->__AST_STR_USED : 0;
(gdb) bt
#0  0x000000000052ba43 in __ast_str_helper (buf=0x7f03dd34f3d0, max_len=0, append=1, fmt=0x7f03e1a16c08 "%s%s?=%s", ap=0x7f03dd349b80) at strings.c:60
#1  0x000000000053beb9 in ast_str_append_va (buf=0x7f03dd34f3d0, max_len=0, fmt=<value optimized out>) at /home/bootc/asterisk-1.8/include/asterisk/strings.h:787
#2  ast_str_append (buf=0x7f03dd34f3d0, max_len=0, fmt=<value optimized out>) at /home/bootc/asterisk-1.8/include/asterisk/strings.h:859
#3  0x00007f03e1a0bdc3 in ast_str_encode_mime (end=<value optimized out>, maxlen=<value optimized out>, charset=<value optimized out>, start=<value optimized out>, preamble=9, postamble=<value optimized out>) at app_minivm.c:1188
#4  0x00007f03e1a12278 in sendmail (template=<value optimized out>, vmu=0x2934030, cidnum=<value optimized out>, cidname=<value optimized out>, filename=<value optimized out>, format=<value optimized out>, duration=<value optimized out>, attach_user_voicemail=1,
   type=MVM_MESSAGE_EMAIL, counter=0x0) at app_minivm.c:1416
#5  0x00007f03e1a16142 in notify_new_message (chan=0x7f03d802bb38, templatename=<value optimized out>, vmu=0x2934030, filename=<value optimized out>, duration=<value optimized out>, format=<value optimized out>, cidnum=0x7f03d807f600 "07588833202",
   cidname=0x7f03d802c420 "07588833202") at app_minivm.c:1810
#6  0x00007f03e1a16a37 in minivm_notify_exec (chan=0x7f03d802bb38, data=<value optimized out>) at app_minivm.c:2139
#7  0x00000000004eef0b in pbx_exec (c=0x7f03d802bb38, app=0x2916e40, data=0x7f03dd352780 "bootc@bootc.net") at pbx.c:1421
#8  0x00000000004fbd0a in pbx_extension_helper (c=0x7f03d802bb38, con=<value optimized out>, context=0x7f03d802c090 "minivm_cleanup", exten=0x7f03d802c0e0 "~~s~~", priority=<value optimized out>, label=<value optimized out>, callerid=0x7f03d807f600 "07588833202",
   action=E_SPAWN, found=0x7f03dd354dfc, combined_find_spawn=1) at pbx.c:4119
#9  0x0000000000501d3e in ast_spawn_extension (c=0x7f03d802bb38, args=<value optimized out>) at pbx.c:4744
#10 __ast_pbx_run (c=0x7f03d802bb38, args=<value optimized out>) at pbx.c:5068
#11 0x0000000000502009 in pbx_thread (data=0x7f03dd34f3d0) at pbx.c:5177
#12 0x000000000053ad1a in dummy_start (data=<value optimized out>) at utils.c:1004
#13 0x00007f03e67d78ba in start_thread () from /lib/libpthread.so.0
#14 0x00007f03e701002d in clone () from /lib/libc.so.6
#15 0x0000000000000000 in ?? ()

It turns out {{ast_str_encode_mime(struct ast_str **end, ...)}} has the following line towards the start:

{{*end = '\0';}}

This has the effect of setting the ast_str * pointed to by 'end' to NULL - the next line:


Is then a NULL pointer dereference. For some reason that didn't cause a crash for me straight away, but gdb showed very quickly what was the culprit. The following patch fixes the crash for me, with no visible side-effects.

Index: apps/app_minivm.c
--- apps/app_minivm.c   (revision 338374)
+++ apps/app_minivm.c   (working copy)
@@ -1159,7 +1159,6 @@
       struct ast_str *tmp = ast_str_alloca(80);
       int first_section = 1;
-       *end = '\0';

       ast_str_set(&tmp, -1, "=?%s?Q?", charset);
Comments:By: Chris Boot (bootc) 2011-10-10 09:14:12.560-0500

Non-mangled patch.