pragmatrix closed this issue 2 years ago
Please provide a backtrace of all threads and reopen this issue once it’s attached. This kind of issue can’t be reviewed without that info.
We don't have that backtrace now. We have to wait for another crash.
> this kind of issue can’t be reviewed without that info
I disagree. The code path is fairly obvious from the log, and the `memcpy` above can't handle an Rx of size 3 and will most likely lead to UB. Building a test case should be fairly simple for someone accustomed to the code. I'll try my best as soon as I have time for that.
Hi, one of our FreeSWITCH machines recently deadlocked or livelocked. No connections to the Event Socket port 8021 were accepted anymore and after a superficial analysis we are suspecting a bug in spandsp because the last line in the log indicates that a fax ECM frame was received of 3 bytes in length, which in turn caused a call to a `memcpy` with `len == -1`.

Here are the last few log entries:
The code in `t30.c` I suspect caused the problem: https://github.com/freeswitch/spandsp/blob/284fe91dd068d0cf391139110fdc2811043972b9/src/t30.c#L3589-L3590
And the full spandsp related log: spandsp-error.log
FreeSWITCH version was most likely version 1.10.6. We are not 100% sure, because we have updated it to 1.10.7 right before reinstating the server again.
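The failure mode reported in this issue, a 3-byte frame producing a `memcpy` length of -1, shown as an added example that is not spandsp code and not part of any post in this thread. The 4-octet header length, the buffer size, and all function and variable names are assumptions chosen so that a 3-octet frame yields -1; the sample frames are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed for illustration: 4 header octets precede the payload, which is
   what makes a 3-octet frame give a copy length of 3 - 4 = -1. */
#define HDR_LEN 4
#define PAYLOAD_MAX 256 /* assumed destination buffer size */

/* Constructed sample input (arbitrary byte values, not captured traffic). */
const uint8_t short_frame[3] = {0x01, 0x02, 0x03};
const uint8_t ok_frame[6] = {0x01, 0x02, 0x03, 0x04, 0xAA, 0xBB};
uint8_t payload_buf[PAYLOAD_MAX];

/* The value memcpy() actually receives when a signed length goes negative:
   the int is converted to size_t, so -1 becomes SIZE_MAX. */
size_t unchecked_copy_len(int len)
{
    return (size_t) (len - HDR_LEN);
}

/* Guarded copy: returns the number of payload octets stored, or -1 when the
   frame is too short to hold the header or too long for the destination. */
int store_frame_payload(uint8_t *dst, size_t dst_size, const uint8_t *msg, int len)
{
    size_t payload;

    if (dst == NULL || msg == NULL || len < HDR_LEN)
        return -1;
    payload = (size_t) len - HDR_LEN;
    if (payload > dst_size)
        return -1;
    memcpy(dst, msg + HDR_LEN, payload);
    return (int) payload;
}

int main(void)
{
    /* The short frame is rejected before any copy happens. */
    if (store_frame_payload(payload_buf, sizeof(payload_buf), short_frame, 3) != -1)
        return 1;
    /* A well-formed frame stores its two payload octets. */
    if (store_frame_payload(payload_buf, sizeof(payload_buf), ok_frame, 6) != 2)
        return 1;
    return (payload_buf[0] == 0xAA && payload_buf[1] == 0xBB) ? 0 : 1;
}
```
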