ASTERISK-22432: Async AGI crashes Asterisk when issuing "set variable" command without args

[Home]

Summary: ASTERISK-22432: Async AGI crashes Asterisk when issuing "set variable" command without args

Reporter: Antoine Pitrou (pitrou) Labels:

Date Opened: 2013-08-30 09:47:48 Date Closed: 2017-05-25 14:45:40

Priority: Major Regression?

Status: Closed/Complete Components: Resources/res_agi

Versions: Frequency of
Occurrence Constant

Related
Issues:

Environment: Fresh install of squeeze-xivo-skaro-13.16.iso Attachments:

Description: Banner is the following:
11.5.0+pf.xivo.13.16~20130722.141054.2668289,

Actions to reproduce: open an AMI session using telnet, trigger an async AGI session and then type:
{noformat}
action: agi
actionid: FOOBAR.568
CommandID: 124
command: set variable
Channel: <AGI channel name>

Response: Success
ActionID: FOOBAR.568
Message: Added AGI command to queue
{noformat}

At this point Asterisk crashes (the AMI connection is closed).

{noformat}
gdb stack trace:
(gdb) bt
#0 0xb767e073 in strlen () from /lib/libc.so.6
#1 0x0818c754 in pbx_builtin_setvar_helper ()
#2 0xb6e87b57 in ?? () from /usr/lib/asterisk/modules/res_agi.so
#3 0xb6e8d053 in ?? () from /usr/lib/asterisk/modules/res_agi.so
#4 0xb6e8f7dd in ?? () from /usr/lib/asterisk/modules/res_agi.so
#5 0x08184eca in pbx_exec ()
#6 0x081916a6 in ?? ()
#7 0x08199087 in ?? ()
#8 0x0819b390 in ?? ()
#9 0x081e222b in ?? ()
#10 0xb72937b0 in start_thread () from /lib/libpthread.so.0
#11 0xb76d6cde in clone () from /lib/libc.so.6
{noformat}

I've made a SVN checkout of Asterisk and identified the likely cause of the problem:

in res/res_agi.c, handle_setvariable() calls pbx_builtin_setvar_helper(chan, argv[2], argv[3]).
However, if "set variable" is called with too few arguments, argv[2] and argv[3] may be unitialized.
Then pbx_builtin_setvar_helper() calls strlen(argv[2]) and crashes.

Comments: By: Friendly Automation (friendly-automation) 2017-05-25 14:45:41.437-0500

Change 5700 merged by Jenkins2:
res_agi: Prevent crash when SET VARIABLE called without arguments

[https://gerrit.asterisk.org/5700|https://gerrit.asterisk.org/5700]
By: Friendly Automation (friendly-automation) 2017-05-25 20:38:09.468-0500

Change 5701 merged by Jenkins2:
res_agi: Prevent crash when SET VARIABLE called without arguments

[https://gerrit.asterisk.org/5701|https://gerrit.asterisk.org/5701]
By: Friendly Automation (friendly-automation) 2017-05-26 07:13:47.435-0500

Change 5702 merged by George Joseph:
res_agi: Prevent crash when SET VARIABLE called without arguments

[https://gerrit.asterisk.org/5702|https://gerrit.asterisk.org/5702]