Summary: ASTERISK-19762: Segfault in ast_frdup when invalid data length specified in duplicated frame
Date Opened: 2012-04-20 06:34:36
Date Closed: 2012-08-10 02:46:58
Environment: Linux version 2.6.32-5-amd64 (Debian 2.6.32-41squeeze2)
Attachments:
( 0) ASTERISK-19762_fix.diff
( 1) ASTERISK-19762.diff
( 2) bt.txt
( 3) bt_2.txt
( 4) bt_full.txt
( 5) bt_full_2.txt
Asterisk crashes with a segfault. I cannot reproduce it. I suppose it comes from faxing with T.38 (bt.txt and bt_full.txt).
There were about 8 segfaults in the past 4 days...
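The issue title describes the bug class at the root of these crashes: a frame-duplication routine that trusts the frame's declared data length and copies that many bytes. The following is an added illustration, not code from Asterisk or from either attached patch; the `struct frame` layout, the `FRAME_MAX_DATALEN` limit, and the `frame_dup_checked` and `demo_*` names are all constructed for this example. It shows the validation that turns an out-of-range length into a rejected frame instead of an out-of-bounds `memcpy`.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical frame layout, constructed for this example. It is NOT
 * Asterisk's struct ast_frame; bufcap is added here so the check below
 * can compare the declared length against what the buffer really holds. */
#define FRAME_MAX_DATALEN 4096u

struct frame {
    size_t datalen;        /* bytes of payload the sender claims are at data */
    size_t bufcap;         /* bytes actually available at data */
    unsigned char *data;
};

/* Duplicate a frame into freshly allocated storage.
 * Every rejection below is a case where a trusting copy would read or
 * allocate out of bounds: a length above the sane maximum (which also
 * rules out size overflow in the allocation), a non-zero length with no
 * buffer, or a length larger than the buffer behind it.
 * Returns NULL on invalid input or allocation failure; caller frees. */
struct frame *frame_dup_checked(const struct frame *src)
{
    if (src == NULL) {
        return NULL;
    }
    if (src->datalen > FRAME_MAX_DATALEN) {
        return NULL;
    }
    if (src->datalen > 0 && src->data == NULL) {
        return NULL;
    }
    if (src->datalen > src->bufcap) {
        return NULL;
    }

    /* Header and payload in one allocation; datalen is bounded above, so
     * the size arithmetic cannot wrap. */
    struct frame *dst = calloc(1, sizeof(*dst) + src->datalen);
    if (dst == NULL) {
        return NULL;
    }
    dst->datalen = src->datalen;
    dst->bufcap = src->datalen;
    dst->data = (unsigned char *)(dst + 1);
    if (src->datalen > 0) {
        memcpy(dst->data, src->data, src->datalen);
    }
    return dst;
}

/* Constructed sample: a well-formed 8-byte frame survives duplication
 * with identical payload. Returns 1 on success, 0 otherwise. */
int demo_valid_frame_roundtrip(void)
{
    unsigned char buf[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    struct frame ok = { sizeof buf, sizeof buf, buf };
    struct frame *dup = frame_dup_checked(&ok);
    if (dup == NULL) {
        return 0;
    }
    int same = (dup->datalen == sizeof buf) &&
               (memcmp(dup->data, buf, sizeof buf) == 0);
    free(dup);
    return same;
}

/* Constructed sample: frames whose declared datalen is bogus are refused
 * rather than copied. Returns 1 if every bad frame is rejected. */
int demo_invalid_lengths_rejected(void)
{
    unsigned char buf[8] = {0};
    struct frame too_big  = { (size_t)-1, sizeof buf, buf };  /* wraps a naive alloc */
    struct frame over_buf = { 16, sizeof buf, buf };          /* reads past buf */
    struct frame no_data  = { 4, 0, NULL };                   /* NULL deref */
    return frame_dup_checked(&too_big) == NULL &&
           frame_dup_checked(&over_buf) == NULL &&
           frame_dup_checked(&no_data) == NULL;
}
```

The useful habit here is that a length field arriving from the network (as T.38 payload does over UDPTL) is input, not trusted metadata, and the duplication path is the last point at which it can be checked before it drives a copy.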
Comments:
By: Benjamin (bulkorok) 2012-04-23 10:31:36.202-0500
I checked the generated TIFF files from the fax receiver. They are OK. So it cannot be a corrupted TIFF.
By: Benjamin (bulkorok) 2012-04-23 10:46:40.456-0500
Found a similar issue: ASTERISK-17649
By: Benjamin (bulkorok) 2012-05-09 08:57:26.484-0500
I attached bt_2.txt and bt_full_2.txt.
It's another segfault, fresh from today.
By: Benjamin (bulkorok) 2012-06-25 08:00:40.266-0500
I have another segfault today.
The segfaults before occurred with res_fax_spandsp.
I have licensed 4 Fax For Asterisk channels. Segfault with res_fax_digium.so too!
By: Kinsey Moore (kmoore) 2012-07-16 16:07:32.032-0500
Is this segfault reproducible with the tiff file you mentioned? Could you provide a console debug log to go along with the crash? Unfortunately, the backtrace is of limited usefulness since it does not capture where the frame is generated, but I have a lead to follow in udptl.c.
By: Benjamin (bulkorok) 2012-07-30 02:33:05.486-0500
Unfortunately I cannot reproduce the error with the file.
I opened a Digium Support Case in our account where I attached many log files from when the segfault occurs. The Digium case number is 00285432.
I hope that you will find all information you need there.
I will try to catch everything you need...
By: Kinsey Moore (kmoore) 2012-08-06 08:04:59.340-0500
The only pcap I can find from you is 1342181407.3900.pcap along with log files cli-capture_stripped.txt and manager-fax-output_stripped.txt. The pcap looks to be mostly alright even though it opens with an error mentioning a partial packet at the end, and I can see no indication of the segfault occurring in either log file. Can you verify that these are the correct log files and that they hold the activity surrounding the segfault? The only possible problem with the code I can see right now is seqno overflow, and I am not sure that it would cause the problems you are seeing. In the meantime, could you try out the patch attached to ASTERISK-19373?
By: Benjamin (bulkorok) 2012-08-06 08:12:21.726-0500
I sent a new backtrace and cli-, manager- and sip+rtp+udptl-flow to the open Digium Support ticket 00285432.
I will try the patch you mentioned. Do you know if there is a message or something when the failure happens?!
By: Kinsey Moore (kmoore) 2012-08-06 09:23:53.548-0500
Attached a patch for additional debugging.
By: Kinsey Moore (kmoore) 2012-08-07 09:08:36.823-0500
Added a possible fix: ASTERISK-19762_fix.diff
By: Benjamin (bulkorok) 2012-08-08 01:49:12.899-0500
Should I keep the patch from https://issues.asterisk.org/jira/secure/attachment/44225/ASTERISK-19373.diff ?!
Or just insert the changes from https://issues.asterisk.org/jira/secure/attachment/44235/ASTERISK-19762_fix.diff ?
By: Kinsey Moore (kmoore) 2012-08-09 08:37:28.570-0500
Benjamin confirmed this morning via IRC that the new patch fixes the segfaults as well.
By: Benjamin (bulkorok) 2012-08-10 02:46:58.694-0500
ASTERISK-19762_fix.diff solves the segfaulting.
Big Thanks to Kinsey!