pchero / asterisk-zmq

zmq/json support asterisk AMI module. (zeromq, 0MQ)

Core dump due to memory corruption #3

Closed litnimax closed 8 years ago

litnimax commented 8 years ago

Asterisk 13.5.0: using sample scripts like cmd_devicestatelist.py crashes Asterisk. After re-compiling with debug info I can see this on the console:

```
*CLI> [0MQ Manager Debug]: action command. command[Action: Setvar
ActionID: 1
Variable: DEVICE_STATE
Value: SIP/max=UNAVAILABLE
]
  == Setting global variable 'DEVICE_STATE' to 'SIP/max=UNAVAILABLE'
WARNING: Memory corrupted after free of 0x7f05600078a0 allocated at json.c ast_json_malloc() line 140
WARNING: Memory corrupted after free of 0x7f05600099b0 allocated at json.c ast_json_malloc() line 140
[0MQ Manager Debug]: zmq_evt_handler. category[2048], event[VarSet], content[Event: VarSet
Privilege: dialplan,all
Channel: none
Uniqueid: none
WARNING: Memory corrupted after free of 0x7f0560007c60 allocated at json.c ast_json_malloc() line 140
Variable: DEVICE_STATE
Value: SIP/max=UNAVAILABLE
WARNING: Memory corrupted after free of 0x7f056004eed0 allocated at json.c ast_json_malloc() line 140

]
[0MQ Manager Debug]: Check value. tmp_line[Event: VarSet]
[0MQ Manager Debug]: Check value. tmp_line[Privilege: dialplan,all]
[0MQ Manager Debug]: Check value. tmp_line[Channel: none]
[0MQ Manager Debug]: Check value. tmp_line[Uniqueid: none]
[0MQ Manager Debug]: Check value. tmp_line[Variable: DEVICE_STATE]
[0MQ Manager Debug]: Check value. tmp_line[Value: SIP/max=UNAVAILABLE]
[0MQ Manager Debug]: Send event. ret[136], buf[{"Channel":"none","Event":"VarSet","Privilege":"dialplan,all","Uniqueid":"none","Variable":"DEVICE_STATE","Value":"SIP/max=UNAVAILABLE"}]
```

Any suggestions?

litnimax commented 8 years ago

```
Switching to Thread 0x7fffb2499700 (LWP 2828)]
0x00007ffff5716cc9 in raise () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) 
(gdb) bt
#0  0x00007ffff5716cc9 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007ffff571a0d8 in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2  0x00007ffff5753394 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#3  0x00007ffff575e0f7 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#4  0x00007ffff5760e04 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#5  0x00007ffff57632cc in calloc () from /lib/x86_64-linux-gnu/libc.so.6
#6  0x00000000005f6348 in _ast_calloc (num=1, len=9, file=0x66334b "stdtime/localtime.c", lineno=2487, 
    func=0x663610 <__PRETTY_FUNCTION__.9033> "ast_strftime_locale") at /home/max/asterisk/src/asterisk-13.5.0/include/asterisk/utils.h:573
#7  0x00000000005e0351 in ast_strftime_locale (buf=0x7fffb2496120 "\377\377\377\377", len=256, tmp=0x8c0580 <dateformat> "%b %e %T", tm=0x7fffb24960e0, 
    locale=0x0) at stdtime/localtime.c:2487
#8  0x00000000005e05a2 in ast_strftime (buf=0x7fffb2496120 "\377\377\377\377", len=256, tmp=0x8c0580 <dateformat> "%b %e %T", tm=0x7fffb24960e0)
    at stdtime/localtime.c:2558
#9  0x000000000053e022 in ast_log_full (level=5, file=0x7fffbc8b5d24 "src/res_zmq_manager.c", line=578, function=0x7fffbc8b6880 "zmq_cmd_handler", 
    callid=0x0, fmt=0x6474cf "%s", ap=0x7fffb2496288) at logger.c:1728
#10 0x000000000053eb17 in ast_log_callid (level=5, file=0x7fffbc8b5d24 "src/res_zmq_manager.c", line=578, function=0x7fffbc8b6880 "zmq_cmd_handler", 
    callid=0x0, fmt=0x6474cf "%s") at logger.c:1810
#11 0x000000000053eea8 in __ast_verbose_ap (file=0x7fffbc8b5d24 "src/res_zmq_manager.c", line=578, func=0x7fffbc8b6880 "zmq_cmd_handler", level=0, 
    callid=0x0, fmt=0x175f854 "", ap=0x7fffb24963f8) at logger.c:1891
#12 0x000000000053e8cc in ast_log (level=5, file=0x7fffbc8b5d24 "src/res_zmq_manager.c", line=578, function=0x7fffbc8b6880 "zmq_cmd_handler", 
    fmt=0x7fffbc8b63c0 "[0MQ Manager Debug]: action command. command[%s]\n") at logger.c:1765
#13 0x00007fffbc8b554a in zmq_cmd_handler (j_recv=0x13d9368) at src/res_zmq_manager.c:578
#14 0x00007fffbc8b489a in zmq_cmd_thread () at src/res_zmq_manager.c:306
#15 0x00000000005f9685 in dummy_start (data=0x15e0030) at utils.c:1237
#16 0x00007ffff651a182 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
#17 0x00007ffff57da47d in clone () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) 
```

Ideas?
litnimax commented 8 years ago

I removed the DEBUG call from line 578 and now get the following bt:

```
Program received signal SIGABRT, Aborted.
[Switching to Thread 0x7fffb2499700 (LWP 3187)]
0x00007ffff5716cc9 in raise () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0  0x00007ffff5716cc9 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007ffff571a0d8 in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2  0x00007ffff5753394 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#3  0x00007ffff575e0f7 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#4  0x00007ffff5760e04 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#5  0x00007ffff57627b0 in malloc () from /lib/x86_64-linux-gnu/libc.so.6
#6  0x00000000005f62cf in _ast_malloc (len=96, file=0x645a2b "json.c", lineno=140, func=0x645d30 <__PRETTY_FUNCTION__.13159> "ast_json_malloc")
    at /home/max/asterisk/src/asterisk-13.5.0/include/asterisk/utils.h:547
#7  0x000000000052fb07 in ast_json_malloc (size=24) at json.c:140
#8  0x00007ffff6d78be8 in json_string_nocheck () from /usr/lib/x86_64-linux-gnu/libjansson.so.4
#9  0x00007ffff6d75e40 in ?? () from /usr/lib/x86_64-linux-gnu/libjansson.so.4
#10 0x00007ffff6d75edf in ?? () from /usr/lib/x86_64-linux-gnu/libjansson.so.4
#11 0x00007ffff6d762de in ?? () from /usr/lib/x86_64-linux-gnu/libjansson.so.4
#12 0x00007ffff6d76586 in json_loadb () from /usr/lib/x86_64-linux-gnu/libjansson.so.4
#13 0x00000000005309fd in ast_json_load_buf (
    buffer=0x13ebb40 "{\"Action\":\"Setvar\",\"Variable\":\"DEVICE_STATE\",\"ActionID\":\"1\",\"Value\":\"SIP/max=UNAVAILABLE\"}", buflen=90, 
    error=0x7fffb2498be0) at json.c:664
#14 0x00007fffbc8b454d in recv_parse (
    msg=0x13ebb40 "{\"Action\":\"Setvar\",\"Variable\":\"DEVICE_STATE\",\"ActionID\":\"1\",\"Value\":\"SIP/max=UNAVAILABLE\"}") at src/res_zmq_manager.c:236
#15 0x00007fffbc8b481b in zmq_cmd_thread () at src/res_zmq_manager.c:296
#16 0x00000000005f9685 in dummy_start (data=0x19044c0) at utils.c:1237
#17 0x00007ffff651a182 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
#18 0x00007ffff57da47d in clone () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) 
```
litnimax commented 8 years ago

If you comment out

`//ast_json_unref(j_recv);`

on line 311 it does not segfault.

pchero commented 8 years ago

Hi,

But it will make a memory leak.

pchero commented 8 years ago

Also, I found what was wrong. :) The reason was that it tried to release the json object twice.
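
An added illustration of the double release described in this thread (not code from the asterisk-zmq module or from Asterisk): a minimal reference-counted stand-in for the ast_json/jansson object, with a freed flag so a second unref is counted instead of corrupting the heap the way the MALLOC_DEBUG warnings above show. The function names, the ownership split between handler and receiving thread, and the message text are constructed assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in for an ast_json / jansson object (assumption: a refcount that
 * frees at zero, like json_decref). The freed flag lets a second release
 * be counted instead of corrupting the heap as in the reported crash. */
typedef struct { int refcount; int freed; char text[96]; } json_obj;
static int double_release_count;

static json_obj *json_new(const char *text) {          /* ~ ast_json_load_buf */
    json_obj *j = calloc(1, sizeof(*j));
    if (!j) return NULL;
    j->refcount = 1;
    strncpy(j->text, text, sizeof(j->text) - 1);
    return j;
}
static json_obj *json_ref(json_obj *j) { if (j && !j->freed) j->refcount++; return j; }
static void json_unref(json_obj *j) {                  /* ~ ast_json_unref */
    if (!j) return;
    if (j->freed) { double_release_count++; return; }  /* would be use-after-free */
    if (--j->refcount == 0) j->freed = 1;              /* real code frees here */
}
static const char *MSG = "{\"Action\":\"Setvar\",\"Variable\":\"DEVICE_STATE\"}"; /* constructed */

/* Buggy flow from the thread: the handler releases the parsed message, then
 * the receiving thread releases it again (the unref at line 311). */
static void handler_releasing(json_obj *j_recv) { json_unref(j_recv); }
static int run_buggy(void) {
    double_release_count = 0;
    json_obj *j = json_new(MSG);
    handler_releasing(j);
    json_unref(j);                    /* second release of the same object */
    int errors = double_release_count;
    free(j);
    return errors;                    /* 1: one double release detected */
}

/* Fixed flow: one owner. The handler only borrows the pointer; if it must
 * keep the object beyond the call, it takes its own reference and balances it. */
static void handler_borrowing(json_obj *j_recv) {
    json_obj *kept = json_ref(j_recv);  /* handler's own reference */
    json_unref(kept);                   /* balances json_ref, not the caller's ref */
}
static int run_fixed(void) {
    double_release_count = 0;
    json_obj *j = json_new(MSG);
    handler_borrowing(j);
    json_unref(j);                    /* the only release of the parser's reference */
    int ok = j->freed && j->refcount == 0 && double_release_count == 0;
    free(j);
    return ok;                        /* 1 */
}
```

With Asterisk built with MALLOC_DEBUG, the buggy flow is what surfaces as "Memory corrupted after free" on the next allocation, which is why the crash site (calloc in the logger, malloc in the JSON parser) is not the site of the bug.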

litnimax commented 8 years ago

Will you fix it?

pchero commented 8 years ago

Sure. :)

pchero commented 8 years ago

Patch submitted. :)