ASTERISK-27225: Crash when freeing dtls_cfg->cafile

Summary: ASTERISK-27225: Crash when freeing dtls_cfg->cafile
Reporter: Richard Kenner (kenner)
Labels:
Date Opened: 2017-08-27 21:21:09
Date Closed: 2017-09-05 12:02:47
Priority: Major
Regression: Yes
Status: Closed/Complete
Components: Core/RTP
Versions: 14.6.0
Frequency of Occurrence: One Time
Related Issues:
Environment: CentOS 7
Attachments:
Description:

I got a crash in free() from:
{noformat}
#4  0x000000000059f1b0 in ast_rtp_dtls_cfg_free (dtls_cfg=dtls_cfg@entry=0x1cbd6b8) at rtp_engine.c:2781
2781        ast_free(dtls_cfg->cafile);
(gdb) print dtls_cfg->cafile
$1 = 0x1cbe880 ""
{noformat}
This looks like it's trying to free something that wasn't malloc'ed.
Comments:

By: Asterisk Team (asteriskteam) 2017-08-27 21:21:10.575-0500
Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution. A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report. Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

By: Joshua C. Colp (jcolp) 2017-08-28 05:36:49.413-0500
We need more information than this. Do you have a full backtrace? Is it occurring constantly? If you resolve the error it is referencing, does it go away?

By: Richard Kenner (kenner) 2017-08-28 06:52:47.939-0500
I'm setting up Asterisk on a new server and don't plan to resolve the error (which is in the other issue) any time soon. This was a one-shot crash, but I can't deploy this live until each crash has been understood and resolved.

The full traceback is:
{noformat}
#3  0x00007ff2bf76b503 in _int_free () from /lib64/libc.so.6
#4  0x000000000059f1b0 in ast_rtp_dtls_cfg_free (dtls_cfg=dtls_cfg@entry=0x1cbd6b8) at rtp_engine.c:2781
#5  0x00007ff240b20f3a in build_peer (name=name@entry=0x7ff234027430 "4170", v_head=0x7ff234027560, alt=alt@entry=0x0, devstate_only=0, realtime=0) at chan_sip.c:31392
#6  0x00007ff240b28000 in reload_config (reason=<optimized out>) at chan_sip.c:33247
#7  0x00007ff240b2d13a in sip_do_reload (reason=<optimized out>) at chan_sip.c:34023
#8  do_monitor (data=data@entry=0x0) at chan_sip.c:29655
#9  0x00000000005f90da in dummy_start (data=<optimized out>) at utils.c:1233
{noformat}
And:
{noformat}
(gdb) print peer->dtls_cfg
$1 = {enabled = 1, rekey = 0, default_setup = AST_RTP_DTLS_SETUP_ACTPASS, suite = AST_AES_CM_128_HMAC_SHA1_80, hash = AST_RTP_DTLS_HASH_SHA256, verify = AST_RTP_DTLS_VERIFY_NONE, certfile = 0x0, pvtfile = 0x0, cipher = 0x0, cafile = 0x1cbe880 "", capath = 0x1cbe8a0 ""}
{noformat}
Doing another "sip reload" doesn't cause a crash. And when I inspect the code, I can't find a place where cafile and capath are set to anything other than NULL or the result of ast_strdup, so this is indeed a mystery.

By: Richard Kenner (kenner) 2017-08-29 14:51:08.640-0500
I just had another occurrence of this crash. It occurred after a "sip reload". It doesn't occur after every "sip reload", but did another time. This still had a condition where "cafile" wasn't found. And I think I see the bug. We have this code, where I've removed details for clarity:
{noformat}
ast_free(dtls_cfg->cafile);
if (...) {
	ast_log(...);
	return -1;
}
dtls_cfg->cafile = ast_strdup(value);
{noformat}
Don't we have to clear dtls_cfg->cafile after freeing it to prevent a double free if the code returns?

By: Joshua C. Colp (jcolp) 2017-08-29 15:03:11.128-0500
Yes, if that structure is reused then it could cause a problem in that scenario.

By: Friendly Automation (friendly-automation) 2017-09-05 06:24:03.645-0500
Change 6380 merged by Jenkins2: rtp_engine: Prevent possible double free with DTLS config [https://gerrit.asterisk.org/6380|https://gerrit.asterisk.org/6380]

By: Friendly Automation (friendly-automation) 2017-09-05 06:35:12.466-0500
Change 6382 merged by Joshua Colp: rtp_engine: Prevent possible double free with DTLS config [https://gerrit.asterisk.org/6382|https://gerrit.asterisk.org/6382]

By: Friendly Automation (friendly-automation) 2017-09-05 06:39:04.091-0500
Change 6381 merged by Jenkins2: rtp_engine: Prevent possible double free with DTLS config [https://gerrit.asterisk.org/6381|https://gerrit.asterisk.org/6381]

By: Friendly Automation (friendly-automation) 2017-09-05 06:43:22.280-0500
Change 6383 merged by Joshua Colp: rtp_engine: Prevent possible double free with DTLS config [https://gerrit.asterisk.org/6383|https://gerrit.asterisk.org/6383]
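The free-then-early-return shape that kenner points to in his 2017-08-29 comment, shown as an added C example that is not Asterisk code: a buggy option setter that frees the old value and returns on validation failure without clearing the pointer, next to a version that clears it immediately after the free. The struct, the `file_exists` stand-in and the small tracking allocator are constructed for illustration so the second free is counted rather than handed to libc; the "reload" sequence (load with a valid cafile, reload with a missing one, then free the config as build_peer does) is the scenario described in the thread, not a trace of the real call path.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not Asterisk code. Same shape as the two string
 * members of the DTLS config that ast_rtp_dtls_cfg_free releases. */
struct dtls_cfg {
	char *cafile;
	char *capath;
};

/* Tiny tracking allocator: records live blocks so a free of an
 * already-freed pointer is counted instead of corrupting the heap. */
#define MAX_LIVE 16
static void *live_blocks[MAX_LIVE];
static int double_free_count;	/* frees that hit a pointer no longer live */

static char *tracked_strdup(const char *s)
{
	size_t n = strlen(s) + 1;
	char *copy = malloc(n);
	if (!copy) {
		return NULL;
	}
	memcpy(copy, s, n);
	for (int i = 0; i < MAX_LIVE; i++) {
		if (!live_blocks[i]) {
			live_blocks[i] = copy;
			return copy;
		}
	}
	free(copy);	/* table full: treat as allocation failure */
	return NULL;
}

static void tracked_free(void *p)
{
	if (!p) {
		return;	/* free(NULL) is a no-op, as with ast_free(NULL) */
	}
	for (int i = 0; i < MAX_LIVE; i++) {
		if (live_blocks[i] == p) {
			live_blocks[i] = NULL;
			free(p);
			return;
		}
	}
	double_free_count++;	/* with real libc this is the abort in _int_free */
}

/* Stand-in for the file check; only this constructed path "exists". */
static int file_exists(const char *path)
{
	return strcmp(path, "/etc/asterisk/ca.crt") == 0;
}

/* Buggy shape from the report: free, validate, early return, strdup.
 * On the early return cfg->cafile still points at freed memory. */
static int set_cafile_buggy(struct dtls_cfg *cfg, const char *value)
{
	tracked_free(cfg->cafile);
	if (!file_exists(value)) {
		return -1;
	}
	cfg->cafile = tracked_strdup(value);
	return cfg->cafile ? 0 : -1;
}

/* Fixed shape: clear the pointer right after freeing it, so a later
 * config free sees NULL whichever branch this function takes. */
static int set_cafile_fixed(struct dtls_cfg *cfg, const char *value)
{
	tracked_free(cfg->cafile);
	cfg->cafile = NULL;
	if (!file_exists(value)) {
		return -1;
	}
	cfg->cafile = tracked_strdup(value);
	return cfg->cafile ? 0 : -1;
}

/* What the config free does for these members on peer teardown/rebuild. */
static void cfg_free(struct dtls_cfg *cfg)
{
	tracked_free(cfg->cafile);
	cfg->cafile = NULL;
	tracked_free(cfg->capath);
	cfg->capath = NULL;
}

/* First load with a valid cafile, then a reload whose cafile is missing,
 * then the config free. Returns how many double frees were caught. */
int simulate_reload(int use_fix)
{
	struct dtls_cfg cfg = { NULL, NULL };
	int (*set_cafile)(struct dtls_cfg *, const char *) =
		use_fix ? set_cafile_fixed : set_cafile_buggy;
	int before = double_free_count;

	set_cafile(&cfg, "/etc/asterisk/ca.crt");		/* ok */
	set_cafile(&cfg, "/etc/asterisk/missing.crt");	/* validation fails */
	cfg_free(&cfg);					/* frees cafile again if dangling */

	return double_free_count - before;
}

int main(void)
{
	printf("buggy setter: %d double free(s)\n", simulate_reload(0));
	printf("fixed setter: %d double free(s)\n", simulate_reload(1));
	return 0;
}
```

The buggy run reports one caught double free and the fixed run none. The same reasoning applies to `capath`, which the gdb dump shows holding a freed-looking empty string as well: any owned pointer that is freed before a possible early return needs to be cleared in the same step.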