Summary: ASTERISK-21041: Asterisk crashes during a frame copy while receiving a fax
Reporter: Benjamin (bulkorok)
Labels:
Date Opened: 2013-02-06 06:59:48.000-0600
Date Closed: 2016-02-03 15:57:57.000-0600
Status: Closed/Complete
Components: Resources/res_fax Resources/res_fax_spandsp
Versions: Frequency of
is caused by ASTERISK-25603 [patch] udptl: Uninitialized lengths and bufs in udptl_rx_packet cause ast_frdup crash
Environment: Linux version 2.6.32-5-amd64 (Debian 2.6.32-46)
Attachments:
( 0) cli.txt
( 1) configs.txt
( 2) data_ptr.txt
( 3) flow.png
( 4) gdb.txt
Description: Asterisk segfaulting nearly daily, unreproducible, when receiving faxes.
Comments:
By: Benjamin (bulkorok) 2013-02-06 07:00:57.908-0600

Backtrace output of the core dump.

Some numbers cleaned out

By: Kinsey Moore (kmoore) 2013-02-06 07:55:23.849-0600

Please attach more information about the fax session, fax configs, and relevant SIP config snippets to the issue if you have them. If you have the core for this crash, could you print the value of f->data.ptr ("print f->data.ptr")?

By: Benjamin (bulkorok) 2013-02-06 08:06:12.114-0600

(gdb) fr 1
#1  0x00000000004d2e72 in ast_frdup (f=0x1a87eb0) at frame.c:537
537                     memcpy(out->data.ptr, f->data.ptr, out->datalen);
(gdb) print f->data.ptr
$1 = (void *) 0xb

By: Kinsey Moore (kmoore) 2013-02-06 08:39:57.943-0600

I suspect this to be a problem in udptl.c, much like ASTERISK-19762.

By: Rusty Newton (rnewton) 2013-02-14 10:12:46.523-0600

Just talked with Benjamin on IRC - more debug (pcap and full log) coming tomorrow.

By: Benjamin (bulkorok) 2013-02-19 08:23:42.353-0600

Some data.ptr extractions.

Still waiting for the next segfault.

By: Rusty Newton (rnewton) 2013-02-26 16:27:54.599-0600

Setting this in 'waiting for feedback' until we get some pcaps or logs showing what happens right before the crash. Be sure to hit "Send Back" when you update.

By: Benjamin (bulkorok) 2013-03-14 07:01:22.006-0500

Finally I have a core dump with a pcap and a CLI capture.
I added a screenshot (without numbers) of the flow of the fax session that is shown in the gdb bt: flow.png
Additionally, I can say that 2 seconds before, another call to the same number came in. cli.txt shows the CLI output from the incoming calls.

(gdb) print f->data.ptr
$1 = (void *) 0xb

By: Walter Doekes (wdoekes) 2013-05-25 07:23:51.501-0500

Benjamin: are you able to capture a pcap surrounding the crash? See tcpdump and file rotation.

By: Richard Mudgett (rmudgett) 2016-02-03 15:57:57.935-0600

Fixed by ASTERISK-25603
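The failure mode behind this resolution, as an added C example that is not Asterisk code and not part of this issue: a constructed per-packet frame table whose untouched slots hold garbage (poisoned here with the 0xb value from the backtrace), a frdup that guards on a NULL buffer or zero length, and a receive path that optionally zero-fills the table first. The struct, the function names, MAX_FRAMES and the payload bytes are all assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Constructed stand-in for the two ast_frame fields the crash touched. */
struct frame {
    void *data_ptr;  /* f->data.ptr, which gdb showed as 0xb */
    int datalen;     /* out->datalen, the memcpy length at frame.c:537 */
};
#define MAX_FRAMES 4
#define POISON_PTR ((void *)(uintptr_t)0xb)  /* models leftover garbage; never dereferenced */

/* Duplicate one frame. The guard is the only addition over the crashing memcpy: a slot that
 * was zero-initialized reads as {NULL, 0} and is skipped. A slot holding garbage such as 0xb
 * still passes the guard, which is why initializing the table is the real fix. */
static struct frame *frdup(const struct frame *f) {
    if (!f || !f->data_ptr || f->datalen <= 0) return NULL;
    struct frame *out = malloc(sizeof(*out));
    if (!out) return NULL;
    out->datalen = f->datalen;
    out->data_ptr = malloc((size_t)out->datalen);
    if (!out->data_ptr) { free(out); return NULL; }
    memcpy(out->data_ptr, f->data_ptr, (size_t)out->datalen);
    return out;
}

/* Model of a UDPTL receive path that decodes one IFP frame into slot 0 of a per-packet
 * table. zero_init selects whether the whole table is cleared first (the fix). Returns the
 * number of frames decoded. */
static int rx_packet(struct frame frames[MAX_FRAMES], unsigned char *ifp, int ifp_len, int zero_init) {
    if (zero_init) memset(frames, 0, MAX_FRAMES * sizeof(*frames));
    frames[0].data_ptr = ifp;
    frames[0].datalen = ifp_len;
    return 1;
}

/* Poison the table, receive one packet, then duplicate either every slot or only the
 * decoded ones. Returns the number of copies made. zero_init=0 with use_decoded_count=0
 * would memcpy from 0xb and segfault like the reported crash, so that pair is not run. */
static int scenario(int zero_init, int use_decoded_count) {
    unsigned char ifp[] = { 0x01, 0x02, 0x03 };  /* constructed payload bytes */
    struct frame frames[MAX_FRAMES];
    for (int i = 0; i < MAX_FRAMES; i++) { frames[i].data_ptr = POISON_PTR; frames[i].datalen = 0xb; }
    int decoded = rx_packet(frames, ifp, (int)sizeof ifp, zero_init);
    int limit = use_decoded_count ? decoded : MAX_FRAMES;
    int copied = 0;
    for (int i = 0; i < limit; i++) {
        struct frame *c = frdup(&frames[i]);
        if (c) { copied++; free(c->data_ptr); free(c); }
    }
    return copied;
}
```

Either clearing the table before decoding or iterating only over the decoded count keeps the copy loop away from the garbage slot; only the zeroed table lets the NULL/zero-length guard in frdup do any work.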