Summary: ASTERISK-15538: coredump on T.38 Session with 1.6.2.1
Reporter: Lorenz Barth (bartpbx)
Labels:
Date Opened: 2010-01-28 04:29:41.000-0600
Date Closed: 2010-02-02 16:33:00.000-0600
Priority: Critical
Regression?: No
Status: Closed/Complete
Components: Channels/chan_sip/T.38
Versions:
Frequency of Occurrence:
Related Issues:
Environment:
Attachments:
Description:

We are currently again evaluating T.38 via Asterisk. We see the following coredump for every T.38 session:

#0  ast_udptl_write (s=0xb5d5a300, f=0x9af9f28) at udptl.c:1065
1065         len = udptl_build_packet(s, buf, sizeof(buf), f->data.ptr, len);


bt:
#0  ast_udptl_write (s=0xb5d5a300, f=0x9af9f28) at udptl.c:1065
#1  0xb6b4dfa2 in sip_write (ast=0xb60f0c68, frame=0x9af9f28) at chan_sip.c:6291
#2  0x0809dbb8 in ast_write (chan=0xb60f0c68, fr=0x9af9f28) at channel.c:3487
#3  0x08117492 in bridge_p2p_loop (c0=0xb60f0c68, c1=0x98c5410, p0=0xb5d00018, p1=0x99a10b8, timeoutms=-1, flags=<value optimized out>, fo=0xb5f43e78, rc=0xb5f43e74,
   pvt0=0xb5e5ebc8, pvt1=0x99ff440) at rtp.c:4350
#4  0x08120e95 in ast_rtp_bridge (c0=0xb60f0c68, c1=0x98c5410, flags=0, fo=0xb5f43e78, rc=0xb5f43e74, timeoutms=-1) at rtp.c:4554
#5  0x080a20ea in ast_channel_bridge (c0=0xb60f0c68, c1=0x98c5410, config=0xb5f44cfc, fo=0xb5f43e78, rc=0xb5f43e74) at channel.c:5186
#6  0x080c73df in ast_bridge_call (chan=0xb60f0c68, peer=0x98c5410, config=0xb5f44cfc) at features.c:2585
#7  0xb6a6ee6b in dial_exec_full (chan=0xb60f0c68, data=0xb5f46f14, peerflags=0xb5f44e50, continue_exec=0x0) at app_dial.c:2258
#8  0xb6a72bcd in dial_exec (chan=0xb60f0c68, data=0xb5f46f14) at app_dial.c:2342
#9  0x08105457 in pbx_exec (c=0xb60f0c68, app=0xb7b66030, data=0xb5f46f14) at pbx.c:1348
#10 0x08110206 in pbx_extension_helper (c=0xb60f0c68, con=0x0, context=0xb60f0ed8 "local", exten=0xb60f0f28 "<destination>", priority=1, label=0x0, callerid=0xb5e303f0 "<account>",
   action=E_SPAWN, found=0xb5f49348, combined_find_spawn=1) at pbx.c:3706
#11 0x0811257d in __ast_pbx_run (c=0xb60f0c68, args=0x0) at pbx.c:4165
#12 0x08113df0 in pbx_thread (data=0xb60f0c68) at pbx.c:4542
#13 0x081538cb in dummy_start (data=0xb60793e0) at utils.c:968
#14 0xb7dbc4c0 in start_thread () from /lib/i686/cmov/libpthread.so.0
#15 0xb7eb46de in clone () from /lib/i686/cmov/libc.so.6
Comments:

By: Raivis Rengelis (raivisr) 2010-01-28 06:19:40.000-0600

Most likely reason is the same as for bug 0016634: the remote end does not send the T38FaxMaxDatagram attribute in SDP, Asterisk does not initialize far_max_datagram to a reasonable value and tries to allocate a buffer with -1 bytes.
Please try the hack posted on https://issues.asterisk.org/view.php?id=16634
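
Added example (not part of the comment above, and not Asterisk's code or the fix in r244443): a minimal C sketch of the failure mode described, where a missing T38FaxMaxDatagram attribute leaves a -1 sentinel that is then used as a length, next to a validated form. All function names, the 400-byte fallback, the 1500-byte buffer size, the 65535 upper bound and the SDP samples are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FALLBACK_MAX_DATAGRAM 400   /* assumed default, not Asterisk's value */
#define LOCAL_BUF_SIZE        1500  /* assumed size of the sender's buffer */

/* Constructed SDP bodies: one with the attribute, one without it. */
static const char SDP_WITH[] =
    "m=image 4000 udptl t38\r\na=T38FaxVersion:0\r\na=T38FaxMaxDatagram:72\r\n";
static const char SDP_WITHOUT[] =
    "m=image 4000 udptl t38\r\na=T38FaxVersion:0\r\n";

/* Return the advertised value, or -1 if the attribute is missing or invalid. */
static long parse_far_max_datagram(const char *sdp) {
    static const char key[] = "a=T38FaxMaxDatagram:";
    const char *p = sdp;
    while ((p = strstr(p, key)) != NULL) {
        if (p == sdp || p[-1] == '\n') {          /* must start a line */
            char *end;
            long v = strtol(p + sizeof(key) - 1, &end, 10);
            if (end != p + sizeof(key) - 1 && v > 0 && v <= 65535)
                return v;
            return -1;                            /* present but unusable */
        }
        p += sizeof(key) - 1;
    }
    return -1;
}

/* The failure mode: the -1 sentinel used directly as a length. */
static size_t naive_len(const char *sdp) {
    return (size_t)parse_far_max_datagram(sdp);   /* -1 becomes SIZE_MAX */
}

/* Hardened: fall back when unset, clamp to the local buffer otherwise. */
static size_t safe_len(const char *sdp) {
    long v = parse_far_max_datagram(sdp);
    if (v < 0)
        return FALLBACK_MAX_DATAGRAM;
    return v > LOCAL_BUF_SIZE ? LOCAL_BUF_SIZE : (size_t)v;
}

int main(void) {
    printf("missing attribute: naive=%zu safe=%zu\n",
           naive_len(SDP_WITHOUT), safe_len(SDP_WITHOUT));
    printf("attribute present: safe=%zu\n", safe_len(SDP_WITH));
    return 0;
}
```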

By: Leif Madsen (lmadsen) 2010-01-28 10:06:55.000-0600

I believe this is a duplicate issue of 1 or more currently open issues, so I'm going to close this for now. I've associated the duplicate issues here.

By: Leif Madsen (lmadsen) 2010-01-28 10:14:14.000-0600

OK, marking this as private now that it is assigned to dvossel. This is definitely a duplicate of the other open issues, which are currently being worked on by dvossel as this is considered a security issue.

By: Digium Subversion (svnbot) 2010-02-02 16:27:25.000-0600

Repository: asterisk
Revision: 244443

U   trunk/channels/chan_sip.c
U   trunk/include/asterisk/udptl.h
U   trunk/main/udptl.c

------------------------------------------------------------------------
r244443 | dvossel | 2010-02-02 16:27:24 -0600 (Tue, 02 Feb 2010) | 18 lines

fixes crash during T.38 negotiation caused by invalid or missing FaxMaxDatagram field

AST-2010-001

(closes issue ASTERISK-15457)
Reported by: krn

(closes issue ASTERISK-15538)
Reported by: barthpbx

(closes issue ASTERISK-15371)
Reported by: bklang

(closes issue ASTERISK-15343)
Reported by: elsto



------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=244443

By: Digium Subversion (svnbot) 2010-02-02 16:29:40.000-0600

Repository: asterisk
Revision: 244445

_U  branches/1.6.2/
U   branches/1.6.2/channels/chan_sip.c
U   branches/1.6.2/include/asterisk/udptl.h
U   branches/1.6.2/main/udptl.c

------------------------------------------------------------------------
r244445 | dvossel | 2010-02-02 16:29:38 -0600 (Tue, 02 Feb 2010) | 23 lines

Merged revisions 244443 via svnmerge from
https://origsvn.digium.com/svn/asterisk/trunk

........
 r244443 | dvossel | 2010-02-02 16:27:23 -0600 (Tue, 02 Feb 2010) | 18 lines
 
 fixes crash during T.38 negotiation caused by invalid or missing FaxMaxDatagram field
 
 AST-2010-001
 
 (closes issue ASTERISK-15457)
 Reported by: krn
 
 (closes issue ASTERISK-15538)
 Reported by: barthpbx
 
 (closes issue ASTERISK-15371)
 Reported by: bklang
 
 (closes issue ASTERISK-15343)
 Reported by: elsto
........

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=244445

By: Digium Subversion (svnbot) 2010-02-02 16:31:32.000-0600

Repository: asterisk
Revision: 244446

_U  branches/1.6.1/
U   branches/1.6.1/channels/chan_sip.c
U   branches/1.6.1/include/asterisk/udptl.h
U   branches/1.6.1/main/udptl.c

------------------------------------------------------------------------
r244446 | dvossel | 2010-02-02 16:31:30 -0600 (Tue, 02 Feb 2010) | 23 lines

Merged revisions 244443 via svnmerge from
https://origsvn.digium.com/svn/asterisk/trunk

........
 r244443 | dvossel | 2010-02-02 16:27:23 -0600 (Tue, 02 Feb 2010) | 18 lines
 
 fixes crash during T.38 negotiation caused by invalid or missing FaxMaxDatagram field
 
 AST-2010-001
 
 (closes issue ASTERISK-15457)
 Reported by: krn
 
 (closes issue ASTERISK-15538)
 Reported by: barthpbx
 
 (closes issue ASTERISK-15371)
 Reported by: bklang
 
 (closes issue ASTERISK-15343)
 Reported by: elsto
........

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=244446

By: Digium Subversion (svnbot) 2010-02-02 16:32:58.000-0600

Repository: asterisk
Revision: 244447

_U  branches/1.6.0/
U   branches/1.6.0/channels/chan_sip.c
U   branches/1.6.0/include/asterisk/udptl.h
U   branches/1.6.0/main/udptl.c

------------------------------------------------------------------------
r244447 | dvossel | 2010-02-02 16:32:56 -0600 (Tue, 02 Feb 2010) | 23 lines

Merged revisions 244443 via svnmerge from
https://origsvn.digium.com/svn/asterisk/trunk

........
 r244443 | dvossel | 2010-02-02 16:27:23 -0600 (Tue, 02 Feb 2010) | 18 lines
 
 fixes crash during T.38 negotiation caused by invalid or missing FaxMaxDatagram field
 
 AST-2010-001
 
 (closes issue ASTERISK-15457)
 Reported by: krn
 
 (closes issue ASTERISK-15538)
 Reported by: barthpbx
 
 (closes issue ASTERISK-15371)
 Reported by: bklang
 
 (closes issue ASTERISK-15343)
 Reported by: elsto
........

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=244447