
Summary: ASTERISK-26926: func_speex: Crash caused by frame with no datalen
Reporter: Richard Kenner (kenner)
Labels:
Date Opened: 2017-04-07 06:04:20
Date Closed: 2017-04-27 17:30:24
Priority: Minor
Regression?:
Status: Closed/Complete
Components: Functions/func_speex
Versions: 14.3.0
Frequency of Occurrence:
Related Issues:
Environment: Siren14 (and likely Siren7)
Attachments: ( 0) ASTERISK-26926.diff
Description: There is a crash in preprocess_analysis (st=0x2ac0740fd750, x=0x3cab9378) at preprocess.c:626 due to a frame being passed to func_speex.c looking like:
{noformat}
(gdb) print *frame
$1 = {frametype = AST_FRAME_VOICE, subclass = {integer = 0,
   format = 0xe2f9e20, frame_ending = 0}, datalen = 0, samples = 640,
 mallocd = 1, mallocd_hdr_len = 232, offset = 64,
 src = 0x2ac07413e7f8 "siren14tolin32", data = {ptr = 0x3cab9378,
   uint32 = 1017877368, pad = "x\223\253<\000\000\000"}, delivery = {
   tv_sec = 1491485582, tv_usec = 407272}, frame_list = {next = 0x0},
 flags = 0, ts = 0, len = 0, seqno = 0}
{noformat}

A check for datalen != 0 is missing before the call to speex_preprocess around line 188 of func_speex.c.

This was most recently seen with Siren14, but I believe also occurs less often with Siren7.
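The missing check, as an added example that is not code from this report or from Asterisk: a minimal callback modelled on the frame fields in the gdb dump above (the struct, the fake preprocessor and both function names are hypothetical stand-ins), with the unchecked form beside the guarded one.

```c
#include <stddef.h>
#include <stdint.h>

/* Minimal stand-in for the fields of Asterisk's struct ast_frame that matter
 * here; field names follow the gdb dump in the report. Not Asterisk code. */
enum frametype { FRAME_VOICE = 1, FRAME_OTHER = 2 };

struct frame {
    enum frametype frametype;
    int datalen;     /* payload bytes; 0 for an interpolated frame */
    int samples;     /* sample count; stays 640 even when datalen is 0 */
    void *dataptr;   /* stale or bogus when datalen == 0 */
};

/* Stand-in for speex_preprocess_run(): reads x[0..samples-1], which is the
 * access that faulted in preprocess_analysis() with a stale pointer. */
static int fake_preprocess_run(const int16_t *x, int samples) {
    int voiced = 0;
    for (int i = 0; i < samples; i++)
        voiced |= (x[i] != 0);
    return voiced;
}

/* Callback as the report describes it: trusts samples and the data pointer. */
int speex_callback_naive(struct frame *f) {
    if (f->frametype != FRAME_VOICE)
        return 0;
    fake_preprocess_run((const int16_t *)f->dataptr, f->samples);
    return 1;
}

/* Hardened callback: returns 0 when the frame is skipped, 1 when processed. */
int speex_callback_guarded(struct frame *f) {
    if (f->frametype != FRAME_VOICE)
        return 0;
    /* The check the report says is missing: an interpolated frame has
     * samples but no payload, so its data pointer must not be dereferenced. */
    if (f->datalen == 0 || f->dataptr == NULL)
        return 0;
    /* datalen must also cover every sample the processor will read
     * (signed linear audio is 2 bytes per sample). */
    if (f->datalen < f->samples * (int)sizeof(int16_t))
        return 0;
    fake_preprocess_run((const int16_t *)f->dataptr, f->samples);
    return 1;
}
```

The naive form would walk 640 samples from whatever pointer an interpolated frame carries, which is the read that segfaulted in the backtrace.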
Comments:

By: Asterisk Team (asteriskteam) 2017-04-07 06:04:21.781-0500

Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution.

A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report.

Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

By: Rusty Newton (rnewton) 2017-04-11 17:18:09.688-0500

[~kenner] Thanks for the report. If you have access to a full backtrace, please go ahead and throw it up on here as it helps others when they are searching or looking into the issue.

Also, if you want to push a patch into Gerrit to speed things along:

https://wiki.asterisk.org/wiki/display/AST/Gerrit+Usage

Thanks!

By: Richard Kenner (kenner) 2017-04-11 17:28:23.853-0500

Here's the backtrace:
{noformat}
Core was generated by `/usr/sbin/asterisk -f -vvvg -c'.
Program terminated with signal 11, Segmentation fault.
#0  preprocess_analysis (st=0x2ac0740fd750, x=0x3cab9378) at preprocess.c:626
626           st->frame[N3+i]=x[i];
(gdb) where
#0  preprocess_analysis (st=0x2ac0740fd750, x=0x3cab9378) at preprocess.c:626
#1  0x00002ac0684ddfb7 in speex_preprocess_run (st=0x2ac0740fd750, x=0x3cab9378) at preprocess.c:762
#2  0x00002ac06ed0d1d3 in speex_callback (audiohook=<value optimized out>,  chan=<value optimized out>, frame=0x2ac07413e730, direction=<value optimized out>) at func_speex.c:189
#3  0x0000000000460293 in audio_audiohook_write_list (chan=0x2ac07413ba98,  audiohook_list=0x2ac03c1ec070, direction=AST_AUDIOHOOK_DIRECTION_READ, frame=0x2ac07413e730) at audiohook.c:1040
#4  0x00000000004bb84d in __ast_read (chan=0x2ac07413ba98, dropaudio=0) at channel.c:4302
#5  0x000000000047b9d9 in bridge_handle_trip (bridge_channel=0x2ac03c810388)  at bridge_channel.c:2435
#6  bridge_channel_wait (bridge_channel=0x2ac03c810388)  at bridge_channel.c:2615
#7  0x000000000047c888 in bridge_channel_internal_join (bridge_channel=0x2ac03c810388) at bridge_channel.c:2761
#8  0x0000000000468a18 in ast_bridge_join (bridge=0xfa10c88,  chan=0x2ac07413ba98, swap=0x0, features=0x2ac06fe777a8, tech_args=<value optimized out>, flags=<value optimized out>)  at bridge.c:1714
#9  0x00002ac05576afde in confbridge_exec (chan=0x2ac07413ba98,  data=<value optimized out>) at app_confbridge.c:2374
{noformat}
By: Joshua C. Colp (jcolp) 2017-04-12 08:02:17.420-0500

Just noting for when this gets worked: The codec modules should be updated to ensure that the frame does not contain a bogus data pointer.

By: Joshua C. Colp (jcolp) 2017-04-26 11:12:51.992-0500

This is a patch which should resolve the problem without needing a new codec_siren7 or codec_siren14. Can you apply this and see if it resolves the problem for you?

By: Richard Kenner (kenner) 2017-04-26 14:36:49.879-0500

Unfortunately, this is a very intermittent issue that I can't reliably reproduce.  Worse, because of the previous crashes, the people here have lost confidence in Asterisk and no longer want to use it for conferencing, so there won't even be much usage to potentially generate the test cases for it.  Sorry about that, but that's what happens when new releases pick up catastrophic failures like this.  I believe that this patch does fix it, though.

By: Joshua C. Colp (jcolp) 2017-04-26 14:38:45.843-0500

Understood, the patch is up for review so it will be going in.

By: Friendly Automation (friendly-automation) 2017-04-27 17:30:25.438-0500

Change 5540 merged by Jenkins2:
frame: Better handle interpolated frames.

[https://gerrit.asterisk.org/5540|https://gerrit.asterisk.org/5540]

By: Friendly Automation (friendly-automation) 2017-04-27 17:37:08.894-0500

Change 5538 merged by Jenkins2:
frame: Better handle interpolated frames.

[https://gerrit.asterisk.org/5538|https://gerrit.asterisk.org/5538]

By: Friendly Automation (friendly-automation) 2017-04-27 17:43:22.001-0500

Change 5539 merged by Jenkins2:
frame: Better handle interpolated frames.

[https://gerrit.asterisk.org/5539|https://gerrit.asterisk.org/5539]