Summary: ASTERISK-18135: removal of a specific extension that happens to be a prefix of another extension causes memory corruption
Reporter: Jaco Kroon (jkroon)
Labels:
Date Opened: 2011-07-13 17:58:13
Date Closed: 2011-10-31 11:00:46
Priority: Major
Regression?
Status: Closed/Complete
Components: PBX/General
Versions: 1.8.5.0
Frequency of Occurrence: Frequent
Related Issues:
Environment:
Attachments: ( 0) ast-1.8.5.0-pbx_exten_honor_findonly.patch
Description:

I make use of regcontext in iax.conf and sip.conf, and one of my usernames on iax/2 happens to be a prefix of another username.  Specifically I use "uls" for connecting my office PBX to our core systems, and then use uls-st- as a prefix for other trunks.

Simplest way to reproduce is to create the following extensions.conf context:

[regtrunks]
exten => ulsfoobob,1,NoOP()

and this is from iax.conf:

regcontext=regtrunks

register => uls:pass@localhost

[uls]
type=friend
context=whatever
secret=pass
username=ulsvoip
host=dynamic
qualify=yes

Now start up asterisk, everything will be OK initially, as soon as one executes "iax2 unregister uls" then the following will pop up:

[Jul 14 00:45:19] WARNING[28248]: pbx.c:2044 add_exten_to_pattern_tree: Found duplicate exten. Had uls found uls
[Jul 14 00:45:37] WARNING[28249]: pbx.c:5411 ast_context_remove_extension_callerid2: Cannot find extension uls in root_table in context uls-trunks

The lines shortly after 2044 go and replace the extension in spite of findonly being set on the call to add_exten_to_pattern_tree from ast_context_remove_extension_callerid2.

From here things get progressively worse:

   -- Registered IAX2 'uls' (AUTHENTICATED) at 127.0.0.1:4569
[Jul 14 00:45:58] WARNING[28250]: pbx.c:2044 add_exten_to_pattern_tree: Found duplicate exten. Had 3 found uls
   -- Added extension 'uls' priority 1 to uls-trunks

and then ...

[Jul 14 00:46:18] WARNING[28247]: pbx.c:2044 add_exten_to_pattern_tree: Found duplicate exten. Had uls found uls
   -- Registered IAX2 'uls' (AUTHENTICATED) at 127.0.0.1:4569
[Jul 14 00:46:48] WARNING[28242]: pbx.c:2044 add_exten_to_pattern_tree: Found duplicate exten. Had 3 found uls
   -- Added extension 'uls' priority 1 to uls-trunks
[Jul 14 00:47:08] WARNING[28249]: pbx.c:2044 add_exten_to_pattern_tree: Found duplicate exten. Had uls found uls
   -- Registered IAX2 'uls' (AUTHENTICATED) at 127.0.0.1:4569
[Jul 14 00:47:38] WARNING[28246]: pbx.c:2044 add_exten_to_pattern_tree: Found duplicate exten. Had 1 found uls
   -- Added extension 'uls' priority 1 to uls-trunks
[Jul 14 00:47:58] WARNING[28250]: pbx.c:2044 add_exten_to_pattern_tree: Found duplicate exten. Had uls found uls
   -- Registered IAX2 'uls' (AUTHENTICATED) at 127.0.0.1:4569
[Jul 14 00:48:28] WARNING[28248]: pbx.c:2044 add_exten_to_pattern_tree: Found duplicate exten. Had °l- found uls
   -- Added extension 'uls' priority 1 to uls-trunks

Valgrind moans about access to memory that has been freed:

==12398== Thread 26:
==12398== Invalid read of size 8
==12398==    at 0x4EF63D: add_exten_to_pattern_tree (pbx.c:2044)
==12398==    by 0x4FD796: ast_add_extension2_lockopt (pbx.c:8233)
==12398==    by 0x4FDBB1: ast_add_extension (pbx.c:8132)
==12398==    by 0x10E0CD16: register_peer_exten (chan_iax2.c:8542)
==12398==    by 0x10E3481E: update_registry (chan_iax2.c:8722)
==12398==    by 0x10E3BFF1: socket_process (chan_iax2.c:11207)
==12398==    by 0x10E403E1: iax2_process_thread (chan_iax2.c:11642)
==12398==    by 0x53F19A: dummy_start (utils.c:1004)
==12398==    by 0x6177C19: start_thread (pthread_create.c:301)
==12398==  Address 0x14018530 is 0 bytes inside a block of size 130 free'd
==12398==    at 0x4C2614D: free (vg_replace_malloc.c:366)
==12398==    by 0x4F3D3E: ast_context_remove_extension_callerid2 (pbx.c:5043)
==12398==    by 0x4F907C: ast_context_remove_extension (pbx.c:5307)
==12398==    by 0x10E0CD7C: register_peer_exten (chan_iax2.c:8545)
==12398==    by 0x10E217DD: __expire_registry (chan_iax2.c:8591)
==12398==    by 0x10E3FF69: iax2_process_thread (chan_iax2.c:11649)
==12398==    by 0x53F19A: dummy_start (utils.c:1004)
==12398==    by 0x6177C19: start_thread (pthread_create.c:301)

That particular block of memory is accessed a few times shortly hereafter and that explodes eventually, in my case in one of the vsprintf calls that makes use of the exten to print an error message.

The root cause of the problem is most likely that somewhere the ->exten in the tree does NOT get set to NULL correctly.  The above trace (in spite of DONT_OPTIMIZE being set) still seems to inline one or two functions which makes this harder to track.
Comments:

By: Jaco Kroon (jkroon) 2011-07-13 18:34:42.833-0500

This patch causes add_exten_to_pattern_tree to honor findonly even in the case where the looked up exten is a prefix of another.  This makes valgrind happy and I can no longer reproduce the garbled output by alternating between "iax2 reload" and "iax2 unregister uls".

The patch includes an update to the log messages as well, which will refrain from dereferencing ->exten if ->deleted is set (this would have prevented the two crashes I saw on this today).
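
A minimal model of the failure described in this report and of the find-only guard the comment above describes, added here as an example; it is not the attached patch and not Asterisk's pbx.c. The node layout and the names `walk`, `honor_findonly` and `stale_pointer_after_remove` are assumptions made for illustration, as is the detail that the unguarded lookup hands back the node after the prefix.

```c
#include <stdlib.h>
struct exten { const char *name; }; /* simplified model (assumption), not Asterisk's structures */
struct node {
    char c;
    struct exten *exten;          /* non-owning: clear before the exten is freed */
    struct node *next_char, *alt; /* first child, next sibling */
};

/* Insert e, or only look it up when findonly != 0. honor_findonly == 0 models
 * the report: a lookup ending on a node with children re-marks it and steps past. */
static struct node *walk(struct node **root, struct exten *e, int findonly, int honor_findonly)
{
    struct node **slot = root, *n = NULL;
    for (const char *s = e->name; *s; s++) {
        for (n = *slot; n && n->c != *s; n = n->alt) {}
        if (!n) {
            if (findonly || !(n = calloc(1, sizeof(*n))))
                return NULL;
            n->c = *s;
            n->alt = *slot;
            *slot = n;
        }
        slot = &n->next_char;
    }
    if (!n || (findonly && (honor_findonly || !n->next_char)))
        return n;                       /* pure lookup: tree untouched */
    n->exten = e;                       /* (re)mark the node */
    return findonly ? n->next_char : n; /* unguarded lookup returns the child */
}

/* Constructed scenario: "uls" is a prefix of "ulsfoobob". Returns 1 if the tree
 * still points at the removed exten. Nodes are leaked for brevity. */
static int stale_pointer_after_remove(int remove_prefix, int honor_findonly)
{
    static struct exten uls = { "uls" }, longer = { "ulsfoobob" };
    struct exten *victim = remove_prefix ? &uls : &longer;
    struct node *root = NULL, *x;
    walk(&root, &longer, 0, honor_findonly);
    walk(&root, &uls, 0, honor_findonly);
    x = walk(&root, victim, 1, honor_findonly); /* remove: find, then clear */
    if (x && x->exten == victim)
        x->exten = NULL;
    x = walk(&root, victim, 1, 1);              /* audit with a guarded lookup */
    return x && x->exten == victim;
}

int main(void)
{
    return !(stale_pointer_after_remove(1, 0) && !stale_pointer_after_remove(1, 1));
}
```

Only removal of the prefix extension leaves a stale pointer in the unguarded variant; in a server that frees the extension after removal, that pointer is what a later "Found duplicate exten" log line would read.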

By: Henry Fernandes (usinternet) 2011-08-18 11:37:46.723-0500

I just wanted to let you know that I am experiencing a similar bug with 1.8.5.0 and this patch (ast-1.8.5.0-pbx_exten_honor_findonly.patch) fixed it for me.

We experienced our error when adding extensions to the dialplan and an extension matched to a previously added extension.
{{dialplan add extension henrytest-user2_soft,hint,SIP/henrytest-testsoftphone into blf replace}}
{{dialplan add extension henrytest-user2,hint,SIP/henrytest-user2_softphone into blf replace}}

We would get the following error:
{{WARNING pbx.c: Found duplicate exten. Had henrytest-user2 found henrytest-user2}}
{{ERROR pbx.c: Trying to delete an exten from a context, but the pattern tree node returned isn't an extension}}



By: Kristijan Vrban (vrban) 2011-08-31 02:20:30.479-0500

Hello, I have seen the same error/warning messages while using dialplan add / dialplan remove (like Henry, I also use dialplan add to add hints dynamically into the dialplan).

By: Matt Jordan (mjordan) 2011-10-14 15:07:47.913-0500

Patch has been reviewed and submitted for community approval on Review Board.