Summary:ASTERISK-21205: [patch] dundi_read_result crash due to negative number
Reporter:Jaco Kroon (jkroon)
Labels:patch
Date Opened:2013-03-05 07:06:51.000-0600
Date Closed:2020-03-25 17:22:53
Versions:11.2.1 13.18.4 Frequency of
Environment:gentoo linux kernel 3.7.3
Attachments:( 0) asterisk-11.2.1-dundi-segfault-on-fail.patch
Description:Should dundi_lookup_internal return a negative number then so will dundi_lookup, which usually gets assigned to num_results, which is an unsigned int.  Later when sorting this number is taken "as is", which then results in an out-of-bounds situation and a segfault (usually).
Comments:
By: Jaco Kroon (jkroon) 2013-03-05 07:23:36.178-0600

This is my proposed fix.  Whilst num_results was previously unsigned I've now converted it to signed in order to correctly catch the error condition.  I've audited all uses of num_results and made some other amendments.  The original cause of the crash was a simple comparison against >0, since dundi_lookup_internal returns -1 or -2 on error, storing that as an unsigned value results in a large positive number, obviously >0, resulting in a sort of a NULL array, resulting in a crash.

Not sure how to actually *trigger* the segfault, but since the one DC one of our servers is hosted in had a router problem I'm guessing a "no response" from the peer might trigger this.
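
The signed-to-unsigned pattern described in the report and the comment above, as an added example that is neither Asterisk code nor the attached patch. `lookup`, `struct result` and the other names are hypothetical stand-ins, and the "before" function only reports the element count it would sort instead of sorting.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

struct result { int weight; };            /* hypothetical result record */

/* Hypothetical lookup: returns a result count, or -1/-2 on error. */
static int lookup(struct result *out, int max, int simulate)
{
    if (simulate < 0)
        return simulate;                  /* error path: out[] is untouched */
    int n = simulate < max ? simulate : max;
    for (int i = 0; i < n; i++)
        out[i].weight = n - i;            /* constructed sample weights */
    return n;
}

static int by_weight(const void *a, const void *b)
{
    const struct result *x = a, *y = b;
    return (x->weight > y->weight) - (x->weight < y->weight);
}

/* Before: the error code lands in an unsigned int (the conversion is implicit
 * in the buggy pattern), so "> 0" also passes on failure.
 * Returns the element count that would be handed to the sort. */
static size_t count_passed_to_sort_unsigned(int simulate)
{
    struct result r[4];
    unsigned int num_results = (unsigned int)lookup(r, 4, simulate);
    return num_results > 0 ? num_results : 0;
}

/* After: signed storage, error rejected before any sort.
 * Returns the number of sorted results, 0 for none, -1 on lookup error. */
static int sort_results_signed(struct result *r, int max, int simulate)
{
    int num_results = lookup(r, max, simulate);
    if (num_results <= 0)
        return num_results < 0 ? -1 : 0;
    qsort(r, (size_t)num_results, sizeof(*r), by_weight);
    return num_results;
}

int main(void)
{
    struct result r[4];
    printf("unsigned, error -1: sort %zu elements\n", count_passed_to_sort_unsigned(-1));
    printf("signed,   error -1: returns %d\n", sort_results_signed(r, 4, -1));
    return 0;
}
```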

By: Rusty Newton (rnewton) 2013-03-07 18:10:41.016-0600

Thanks Jaco! pbx_dundi is extended support. If you need it in soon, you'll want to round up some interest on the asterisk-dev list or IRC. There are a few other DUNDi patches that need looking at as well. You can find them by filtering with the PBX/pbx_dundi component.  Bonus points for you if you find someone willing to review and test them all then push them through to commit!

By: Jaco Kroon (jkroon) 2013-03-08 00:51:38.656-0600


Thanks, I have already managed to get the distro maintainer to add the patch for me so for me the issue is sorted.

I use DUNDi reasonably extensively, and will see what I can do about reviewing the patches.  Assuming that I review them (which is somewhat unlikely to happen soon seeing that I've got three more asterisk related issues that I experience daily that I'm busy tracking down), where can I find procedures etc for getting them pushed through?  Perhaps it's time I subscribe to the asterisk-dev list ...

Kind Regards,

By: Friendly Automation (friendly-automation) 2020-03-25 17:22:55.331-0500

Change 13992 merged by Kevin Harwell:
dundi:  fix NULL dereference.


By: Friendly Automation (friendly-automation) 2020-03-25 17:23:06.244-0500

Change 13993 merged by Kevin Harwell:
dundi:  fix NULL dereference.


By: Friendly Automation (friendly-automation) 2020-03-25 17:23:22.650-0500

Change 13994 merged by Kevin Harwell:
dundi:  fix NULL dereference.


By: Friendly Automation (friendly-automation) 2020-03-25 17:23:37.571-0500

Change 13948 merged by Kevin Harwell:
dundi:  fix NULL dereference.