
Summary: ASTERISK-27225: Crash when freeing dtls_cfg->cafile
Reporter: Richard Kenner (kenner)
Labels:
Date Opened: 2017-08-27 21:21:09
Date Closed: 2017-09-05 12:02:47
Priority: Major
Regression?: Yes
Status: Closed/Complete
Components: Core/RTP
Versions: 14.6.0
Frequency of Occurrence: One Time
Related Issues:
Environment: CentOS 7
Attachments:
Description: I got a crash in free() from:

{noformat}
#4  0x000000000059f1b0 in ast_rtp_dtls_cfg_free (
   dtls_cfg=dtls_cfg@entry=0x1cbd6b8) at rtp_engine.c:2781
2781            ast_free(dtls_cfg->cafile);
(gdb) print dtls_cfg->cafile
$1 = 0x1cbe880 ""
{noformat}

This looks like it's trying to free something that wasn't malloc'ed.
Comments:

By: Asterisk Team (asteriskteam) 2017-08-27 21:21:10.575-0500

Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution.

A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report.

Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

By: Joshua C. Colp (jcolp) 2017-08-28 05:36:49.413-0500

We need more information than this. Do you have a full backtrace? Is it occurring constantly? If you resolve the error it is referencing does it go away?

By: Richard Kenner (kenner) 2017-08-28 06:52:47.939-0500

I'm setting up Asterisk on a new server and don't plan to resolve the error (which is in the other issue) any time soon.  This was a one-shot crash, but I can't deploy this live until each crash has been understood and resolved.

The full traceback is:

{noformat}
#3  0x00007ff2bf76b503 in _int_free () from /lib64/libc.so.6
#4  0x000000000059f1b0 in ast_rtp_dtls_cfg_free (
   dtls_cfg=dtls_cfg@entry=0x1cbd6b8) at rtp_engine.c:2781
#5  0x00007ff240b20f3a in build_peer (name=name@entry=0x7ff234027430 "4170",
   v_head=0x7ff234027560, alt=alt@entry=0x0, devstate_only=0, realtime=0)
   at chan_sip.c:31392
#6  0x00007ff240b28000 in reload_config (reason=<optimized out>)
   at chan_sip.c:33247
#7  0x00007ff240b2d13a in sip_do_reload (reason=<optimized out>)
   at chan_sip.c:34023
#8  do_monitor (data=data@entry=0x0) at chan_sip.c:29655
#9  0x00000000005f90da in dummy_start (data=<optimized out>) at utils.c:1233
{noformat}

And:

{noformat}
(gdb) print peer->dtls_cfg
$1 = {enabled = 1, rekey = 0, default_setup = AST_RTP_DTLS_SETUP_ACTPASS,
 suite = AST_AES_CM_128_HMAC_SHA1_80, hash = AST_RTP_DTLS_HASH_SHA256,
 verify = AST_RTP_DTLS_VERIFY_NONE, certfile = 0x0, pvtfile = 0x0,
 cipher = 0x0, cafile = 0x1cbe880 "", capath = 0x1cbe8a0 ""}
{noformat}

Doing another "sip reload" doesn't cause a crash.

And when I inspect the code, I can't find a place where cafile and capath are set to anything other than NULL or the result of ast_strdup, so this is indeed a mystery.


By: Richard Kenner (kenner) 2017-08-29 14:51:08.640-0500

I just had another occurrence of this crash.  It occurred after a "sip reload".  It doesn't occur after every "sip reload", but did another time.  This still had a condition where "cafile" wasn't found.

And I think I see the bug.  We have this code, where I've removed details for clarity:
{noformat}
    ast_free(dtls_cfg->cafile);
    if (...) {
        ast_log(...);
        return -1;
    }
    dtls_cfg->cafile = ast_strdup(value);
{noformat}
Don't we have to clear dtls_cfg->cafile after freeing it to prevent a double free if the code returns?

By: Joshua C. Colp (jcolp) 2017-08-29 15:03:11.128-0500

Yes, if that structure is reused then it could cause a problem in that scenario.
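The sequence the two comments above describe (free the old cafile, fail validation, return -1 with the dangling pointer still stored, then have ast_rtp_dtls_cfg_free() free it a second time on the next sip reload) can be reproduced without touching Asterisk. The following is example code added here, not rtp_engine.c or the Gerrit change: the struct, the setter names, the validity check (a path starting with '/' stands in for the real cafile lookup) and the small allocation ledger that reports a second free instead of corrupting the heap are all constructed for the illustration. The buggy setter is shown beside the clear-after-free version.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the two pointer fields of ast_rtp_dtls_cfg that matter here.
 * Constructed for this example, not Asterisk's real struct. */
struct dtls_cfg {
    char *cafile;
    char *capath;
};

/* Allocation ledger: a pointer that is freed while not live is counted
 * instead of being handed to free() a second time (which is what crashed
 * inside _int_free in the reporter's backtrace). A real allocator may hand
 * out a freed address again, so this ledger is only valid for this scenario. */
#define LEDGER_MAX 16
static void *ledger[LEDGER_MAX];
static int double_free_count;

static char *tracked_strdup(const char *s)
{
    char *p = strdup(s);
    for (int i = 0; i < LEDGER_MAX; i++) {
        if (!ledger[i]) {
            ledger[i] = p;
            return p;
        }
    }
    abort(); /* ledger full: not expected in this example */
}

static void tracked_free(void *p)
{
    if (!p) {
        return; /* free(NULL) is legal, as is ast_free(NULL) */
    }
    for (int i = 0; i < LEDGER_MAX; i++) {
        if (ledger[i] == p) {
            ledger[i] = NULL;
            free(p);
            return;
        }
    }
    double_free_count++; /* pointer is not live: this is the double free */
}

/* Hypothetical validity check standing in for "cafile was found". */
static int cafile_ok(const char *value)
{
    return value != NULL && value[0] == '/';
}

/* The pattern quoted in the ticket: free first, validate second.
 * On the error path the freed pointer stays in the struct. */
static int set_cafile_buggy(struct dtls_cfg *cfg, const char *value)
{
    tracked_free(cfg->cafile); /* cfg->cafile now dangles */
    if (!cafile_ok(value)) {
        return -1; /* ...and is never cleared */
    }
    cfg->cafile = tracked_strdup(value);
    return 0;
}

/* The fix: clear the field as soon as it is freed, so any later free
 * of the struct sees NULL on the error path. */
static int set_cafile_fixed(struct dtls_cfg *cfg, const char *value)
{
    tracked_free(cfg->cafile);
    cfg->cafile = NULL;
    if (!cafile_ok(value)) {
        return -1;
    }
    cfg->cafile = tracked_strdup(value);
    return 0;
}

/* Equivalent of ast_rtp_dtls_cfg_free() as build_peer() calls it. */
static void dtls_cfg_free(struct dtls_cfg *cfg)
{
    tracked_free(cfg->cafile);
    cfg->cafile = NULL;
    tracked_free(cfg->capath);
    cfg->capath = NULL;
}

/* Replay the reload sequence from the report: one reload with a valid
 * cafile, one whose cafile is missing, then teardown of the reused struct.
 * Returns how many double frees the ledger observed. */
static int simulate(int (*setter)(struct dtls_cfg *, const char *))
{
    struct dtls_cfg cfg = { 0 };
    double_free_count = 0;
    setter(&cfg, "/etc/asterisk/keys/ca.crt"); /* constructed path, first reload */
    setter(&cfg, "missing.crt");               /* second reload: validation fails */
    dtls_cfg_free(&cfg);                       /* frees cafile again if it dangles */
    return double_free_count;
}

int main(void)
{
    printf("buggy setter: %d double free(s)\n", simulate(set_cafile_buggy));
    printf("fixed setter: %d double free(s)\n", simulate(set_cafile_fixed));
    return 0;
}
```

Running it under a real allocator instead of the ledger, the buggy path is exactly the free() crash in the backtrace; under AddressSanitizer it is reported as a double-free at the dtls_cfg_free() call. The only difference between the two setters is the `cfg->cafile = NULL;` immediately after the free, which is what the merged change titled "Prevent possible double free with DTLS config" addresses.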

By: Friendly Automation (friendly-automation) 2017-09-05 06:24:03.645-0500

Change 6380 merged by Jenkins2:
rtp_engine: Prevent possible double free with DTLS config

[https://gerrit.asterisk.org/6380|https://gerrit.asterisk.org/6380]

By: Friendly Automation (friendly-automation) 2017-09-05 06:35:12.466-0500

Change 6382 merged by Joshua Colp:
rtp_engine: Prevent possible double free with DTLS config

[https://gerrit.asterisk.org/6382|https://gerrit.asterisk.org/6382]

By: Friendly Automation (friendly-automation) 2017-09-05 06:39:04.091-0500

Change 6381 merged by Jenkins2:
rtp_engine: Prevent possible double free with DTLS config

[https://gerrit.asterisk.org/6381|https://gerrit.asterisk.org/6381]

By: Friendly Automation (friendly-automation) 2017-09-05 06:43:22.280-0500

Change 6383 merged by Joshua Colp:
rtp_engine: Prevent possible double free with DTLS config

[https://gerrit.asterisk.org/6383|https://gerrit.asterisk.org/6383]