Summary: | ASTERISK-18697: [minivm] Crash in MinivmNotify | ||||
Reporter: | Chris Boot (bootc) | Labels: | |||
Date Opened: | 2011-10-09 16:57:16 | Date Closed: | 2013-01-20 23:28:20.000-0600 | ||
Priority: | Major | Regression? | |||
Status: | Closed/Complete | Components: | Applications/app_minivm | ||
Versions: | 1.8.7.0 | Frequency of Occurrence | Constant | ||
Related Issues: |
| ||||
Environment: | Linux x86-64 | Attachments: | ( 0) minivm-null-pointer-dereference-fix.patch | ||
Description: | MinivmNotify() would reliably crash for me every time I called it. The backtrace is as follows: {noformat} Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 0x7f03dd355700 (LWP 3167)] 0x000000000052ba43 in __ast_str_helper (buf=0x7f03dd34f3d0, max_len=0, append=1, fmt=0x7f03e1a16c08 "%s%s?=%s", ap=0x7f03dd349b80) at strings.c:60 60 int offset = (append && (*buf)->__AST_STR_LEN) ? (*buf)->__AST_STR_USED : 0; (gdb) bt #0 0x000000000052ba43 in __ast_str_helper (buf=0x7f03dd34f3d0, max_len=0, append=1, fmt=0x7f03e1a16c08 "%s%s?=%s", ap=0x7f03dd349b80) at strings.c:60 #1 0x000000000053beb9 in ast_str_append_va (buf=0x7f03dd34f3d0, max_len=0, fmt=<value optimized out>) at /home/bootc/asterisk-1.8/include/asterisk/strings.h:787 #2 ast_str_append (buf=0x7f03dd34f3d0, max_len=0, fmt=<value optimized out>) at /home/bootc/asterisk-1.8/include/asterisk/strings.h:859 #3 0x00007f03e1a0bdc3 in ast_str_encode_mime (end=<value optimized out>, maxlen=<value optimized out>, charset=<value optimized out>, start=<value optimized out>, preamble=9, postamble=<value optimized out>) at app_minivm.c:1188 #4 0x00007f03e1a12278 in sendmail (template=<value optimized out>, vmu=0x2934030, cidnum=<value optimized out>, cidname=<value optimized out>, filename=<value optimized out>, format=<value optimized out>, duration=<value optimized out>, attach_user_voicemail=1, type=MVM_MESSAGE_EMAIL, counter=0x0) at app_minivm.c:1416 #5 0x00007f03e1a16142 in notify_new_message (chan=0x7f03d802bb38, templatename=<value optimized out>, vmu=0x2934030, filename=<value optimized out>, duration=<value optimized out>, format=<value optimized out>, cidnum=0x7f03d807f600 "07588833202", cidname=0x7f03d802c420 "07588833202") at app_minivm.c:1810 #6 0x00007f03e1a16a37 in minivm_notify_exec (chan=0x7f03d802bb38, data=<value optimized out>) at app_minivm.c:2139 #7 0x00000000004eef0b in pbx_exec (c=0x7f03d802bb38, app=0x2916e40, data=0x7f03dd352780 "bootc@bootc.net") at pbx.c:1421 #8 0x00000000004fbd0a in pbx_extension_helper (c=0x7f03d802bb38, con=<value optimized out>, context=0x7f03d802c090 "minivm_cleanup", exten=0x7f03d802c0e0 "~~s~~", priority=<value optimized out>, label=<value optimized out>, callerid=0x7f03d807f600 "07588833202", action=E_SPAWN, found=0x7f03dd354dfc, combined_find_spawn=1) at pbx.c:4119 #9 0x0000000000501d3e in ast_spawn_extension (c=0x7f03d802bb38, args=<value optimized out>) at pbx.c:4744 #10 __ast_pbx_run (c=0x7f03d802bb38, args=<value optimized out>) at pbx.c:5068 #11 0x0000000000502009 in pbx_thread (data=0x7f03dd34f3d0) at pbx.c:5177 #12 0x000000000053ad1a in dummy_start (data=<value optimized out>) at utils.c:1004 #13 0x00007f03e67d78ba in start_thread () from /lib/libpthread.so.0 #14 0x00007f03e701002d in clone () from /lib/libc.so.6 #15 0x0000000000000000 in ?? () {noformat} It turns out {{ast_str_encode_mime(struct ast_str **end, ...)}} has the following line towards the start: {{*end = '\0';}} This has the effect of setting the ast_str * pointed to by 'end' to NULL - the next line: {{ast_str_reset(*end);}} Is then a NULL pointer dereference. For some reason that didn't cause a crash for me straight away, but gdb showed very quickly what was the culprit. The following patch fixes the crash for me, with no visible side-effects. {noformat} Index: apps/app_minivm.c =================================================================== --- apps/app_minivm.c (revision 338374) +++ apps/app_minivm.c (working copy) @@ -1159,7 +1159,6 @@ { struct ast_str *tmp = ast_str_alloca(80); int first_section = 1; - *end = '\0'; ast_str_reset(*end); ast_str_set(&tmp, -1, "=?%s?Q?", charset); {noformat} | ||||
Comments: | By: Chris Boot (bootc) 2011-10-10 09:14:12.560-0500 Non-mangled patch. |