[Home]

Summary:ASTERISK-15457: asterisk crashes while fax sending
Reporter:krn (krn)Labels:
Date Opened:2010-01-18 10:30:46.000-0600Date Closed:2010-02-02 16:32:58.000-0600
Priority:CriticalRegression?No
Status:Closed/CompleteComponents:Channels/chan_sip/T.38
Versions:Frequency of
Occurrence
Related
Issues:
Environment:Attachments:( 0) gdb.txt
Description:[general]
t38pt_udptl=yes
#next three lines makes no changes
t38pt_rtp=yes
t38pt_usertpsource=yes
faxdetect = yes

[provider]
type=peer
host=sip.provider.com
fromdomain=sip.provider.com
context=incoming-from-prov
port=5065
defaultuser=user
secret=password
fromuser=user
call-limit=10
canreinvite=yes
insecure=invite,port
nat=no
disallow=all
allow=ulaw
allow=alaw
dtmfmode=rfc2833

[IntUser]
type=friend
host=dynamic
context=office-internal
defaultuser=intuser
secret=password
callgroup=3
pickupgroup=3
callerid=103 User
canreinvite=yes
qualify=30000
call-limit=2
t38pt_udptl=yes
disallow=all
allow=ulaw
allow=alaw
t38pt_udptl=yes
faxdetect=yes
dtmfmode=rfc2833
nat=no

IntUser - ATA Linksys SPA2102 with fax attached
T.38 with reinvite, vad disabled, external non-firewalled ip

Messages before crash:
WARNING[11356]: udptl.c:766 calculate_far_max_ifp: (no tag): Cannot calculate far_max_ifp before far_max_datagram has been set.
WARNING[11389]: udptl.c:725 calculate_local_max_datagram: (no tag): Cannot calculate local_max_datagram before local_max_ifp has been set.
WARNING[11389]: udptl.c:766 calculate_far_max_ifp: (SIP/xxxxxxxxxxxxxx): Cannot calculate far_max_ifp before far_max_datagram has been set.

Comments:By: Trevor Peirce #2 (digitalc) 2010-01-26 02:03:14.000-0600

Also in 1.6.1.13.

Linksys ATA on one side calling a T.38 compatible gateway on the other side..  Upon T.38 negotiation, asterisk crashes.

Program terminated with signal 11, Segmentation fault.
...
#0  0x0814947a in ast_udptl_write (s=0xffffffff, f=0xffffffff) at udptl.c:1067
1067            if (len > 0 && s->them.sin_port && s->them.sin_addr.s_addr) {
(gdb)


(gdb) bt full
#0  0x0814947a in ast_udptl_write (s=0xffffffff, f=0xffffffff) at udptl.c:1067
       seq = 0
       len = 165
       res = 0
       buf = 0xc0ff <Address 0xc0ff out of bounds>
       __PRETTY_FUNCTION__ = "ast_udptl_write"

By: krn (krn) 2010-01-26 03:17:52.000-0600

digitalc,

later I've found the same error in cache of google
it's hidden now
https://issues.asterisk.org/view.php?id=16485
I will try to use trunk

807,815d808                                                                                                                                  
<                                                                                                                                            
<                       if ((new_max < 80) && (udptl->error_correction_entries > 1)) {                                                      
<                               /* the max ifp is not large enough, subtract an                                                              
<                                * error correction entry and calculate again                                                                
<                                * */                                                                                                        
<                               --udptl->error_correction_entries;                                                                          
<                       } else {                                                                                                            
<                               break;                                                                                                      
<                       }

By: Raivis Rengelis (raivisr) 2010-01-26 16:07:09.000-0600

same crash in 1.6.2.243297 (latest 1.6.2 svn revision)

#0  0x0815517e in ast_udptl_write (s=0x0, f=0x0) at udptl.c:1074
1074 if (len > 0 && s->them.sin_port && s->them.sin_addr.s_addr) {
(gdb) bt full
#0  0x0815517e in ast_udptl_write (s=0x0, f=0x0) at udptl.c:1074
seq = 0
len = 186
res = 0
buf = 0x0
__PRETTY_FUNCTION__ = "ast_udptl_write"

By: Raivis Rengelis (raivisr) 2010-01-26 16:43:12.000-0600

just tested on svn trunk rev 243383 and got the same crash.
* is compiled with DONT_OPTIMIZE option otherwise ReceiveFAX crashes as well.

By: Trevor Peirce #2 (digitalc) 2010-01-26 23:18:41.000-0600

Another crash while attempting to send a fax via the same asterisk 1.6.1.13:

   -- Called sipgateway/12345678901
   -- SIP/sipgateway-00000005 is making progress passing it to SIP/customerfax2-00000004
   -- SIP/sipgateway-00000005 answered SIP/customerfax2-00000004
   -- Packet2Packet bridging SIP/customerfax2-00000004 and SIP/sipgateway-00000005
[Jan 26 21:08:47] WARNING[9846]: udptl.c:766 calculate_far_max_ifp: (no tag): Cannot calculate far_max_ifp before far_max_datagram has been set.
[Jan 26 21:08:47] WARNING[12569]: udptl.c:725 calculate_local_max_datagram: (SIP/blah-fax2): Cannot calculate local_max_datagram before local_max_ifp has been set.
[Jan 26 21:09:07] NOTICE[12569]: udptl.c:1069 ast_udptl_write: (SIP/12345678901): UDPTL Transmission error to 1.2.3.4:33824: Bad address
my*CLI>
Disconnected from Asterisk server


(gdb) bt full
#0  0xb751dde4 in ao2_unlock@plt () from /usr/lib/asterisk/modules/chan_sip.so
No symbol table info available.
#1  0xb752cf45 in sip_write (ast=0x0, frame=0x0) at chan_sip.c:5890
       p = (struct sip_pvt *) 0x0
       res = 0
       __PRETTY_FUNCTION__ = "sip_write"
#2  0x00000000 in ?? ()
No symbol table info available.

By: Raivis Rengelis (raivisr) 2010-01-27 03:00:53.000-0600

if that helps anyhow, my provider has Patton SN2400 on their end and this device does not send T38FaxMaxDatagram in SIP dialog.

By: Raivis Rengelis (raivisr) 2010-01-27 11:11:13.000-0600

with following hack I got it running to some extent, at least no more segfaults:

--- asterisk.orig/channels/chan_sip.c 2010-01-27 15:15:20.000000000 +0200
+++ asterisk/channels/chan_sip.c 2010-01-27 16:28:57.000000000 +0200
@@ -5300,6 +5300,18 @@ static void change_t38_state(struct sip_
if (!chan)
return;

+ /* if remote end did not send their T38FaxMaxDatagram,
+ * set it to configured value
+ */
+ if (state == T38_PEER_REINVITE || state == T38_ENABLED)
+ {
+ if (ast_udptl_get_far_max_datagram(p->udptl) == -1)
+ {
+ ast_udptl_set_far_max_datagram(p->udptl, p->t38_maxdatagram);
+ ast_log(LOG_WARNING,"MaxDatagram has not been set, defaulting to %d",p->t38_maxdatagram);
+ }
+ }
+
/* Given the state requested and old state determine what control frame we want to queue up */
if (state == T38_PEER_REINVITE) {
parameters = p->t38.their_parms;

patch is for asterisk svn trunk version and requires maxdatagram option to be set either in sip general or for specific peer.

By: Trevor Peirce #2 (digitalc) 2010-01-27 21:47:22.000-0600

raivisr,

I can confirm that your hack solves the crashing with 1.6.1.13.  Thanks.

By: Leif Madsen (lmadsen) 2010-01-28 10:15:02.000-0600

OK, marking this as private now that it is assigned to dvossel. This is definitely a duplicate of the other open issues, which are currently being worked on by dvossel as this is considered a security issue.

By: Digium Subversion (svnbot) 2010-02-02 16:27:25.000-0600

Repository: asterisk
Revision: 244443

U   trunk/channels/chan_sip.c
U   trunk/include/asterisk/udptl.h
U   trunk/main/udptl.c

------------------------------------------------------------------------
r244443 | dvossel | 2010-02-02 16:27:24 -0600 (Tue, 02 Feb 2010) | 18 lines

fixes crash during T.38 negotiation caused by invalid or missing FaxMaxDatagram field

AST-2010-001

(closes issue ASTERISK-15457)
Reported by: krn

(closes issue ASTERISK-15538)
Reported by: barthpbx

(closes issue ASTERISK-15371)
Reported by: bklang

(closes issue ASTERISK-15343)
Reported by: elsto



------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=244443

By: Digium Subversion (svnbot) 2010-02-02 16:29:38.000-0600

Repository: asterisk
Revision: 244445

_U  branches/1.6.2/
U   branches/1.6.2/channels/chan_sip.c
U   branches/1.6.2/include/asterisk/udptl.h
U   branches/1.6.2/main/udptl.c

------------------------------------------------------------------------
r244445 | dvossel | 2010-02-02 16:29:38 -0600 (Tue, 02 Feb 2010) | 23 lines

Merged revisions 244443 via svnmerge from
https://origsvn.digium.com/svn/asterisk/trunk

........
 r244443 | dvossel | 2010-02-02 16:27:23 -0600 (Tue, 02 Feb 2010) | 18 lines
 
 fixes crash during T.38 negotiation caused by invalid or missing FaxMaxDatagram field
 
 AST-2010-001
 
 (closes issue ASTERISK-15457)
 Reported by: krn
 
 (closes issue ASTERISK-15538)
 Reported by: barthpbx
 
 (closes issue ASTERISK-15371)
 Reported by: bklang
 
 (closes issue ASTERISK-15343)
 Reported by: elsto
........

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=244445

By: Digium Subversion (svnbot) 2010-02-02 16:31:31.000-0600

Repository: asterisk
Revision: 244446

_U  branches/1.6.1/
U   branches/1.6.1/channels/chan_sip.c
U   branches/1.6.1/include/asterisk/udptl.h
U   branches/1.6.1/main/udptl.c

------------------------------------------------------------------------
r244446 | dvossel | 2010-02-02 16:31:30 -0600 (Tue, 02 Feb 2010) | 23 lines

Merged revisions 244443 via svnmerge from
https://origsvn.digium.com/svn/asterisk/trunk

........
 r244443 | dvossel | 2010-02-02 16:27:23 -0600 (Tue, 02 Feb 2010) | 18 lines
 
 fixes crash during T.38 negotiation caused by invalid or missing FaxMaxDatagram field
 
 AST-2010-001
 
 (closes issue ASTERISK-15457)
 Reported by: krn
 
 (closes issue ASTERISK-15538)
 Reported by: barthpbx
 
 (closes issue ASTERISK-15371)
 Reported by: bklang
 
 (closes issue ASTERISK-15343)
 Reported by: elsto
........

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=244446

By: Digium Subversion (svnbot) 2010-02-02 16:32:57.000-0600

Repository: asterisk
Revision: 244447

_U  branches/1.6.0/
U   branches/1.6.0/channels/chan_sip.c
U   branches/1.6.0/include/asterisk/udptl.h
U   branches/1.6.0/main/udptl.c

------------------------------------------------------------------------
r244447 | dvossel | 2010-02-02 16:32:56 -0600 (Tue, 02 Feb 2010) | 23 lines

Merged revisions 244443 via svnmerge from
https://origsvn.digium.com/svn/asterisk/trunk

........
 r244443 | dvossel | 2010-02-02 16:27:23 -0600 (Tue, 02 Feb 2010) | 18 lines
 
 fixes crash during T.38 negotiation caused by invalid or missing FaxMaxDatagram field
 
 AST-2010-001
 
 (closes issue ASTERISK-15457)
 Reported by: krn
 
 (closes issue ASTERISK-15538)
 Reported by: barthpbx
 
 (closes issue ASTERISK-15371)
 Reported by: bklang
 
 (closes issue ASTERISK-15343)
 Reported by: elsto
........

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=244447