Asterisk segfault because of negative datalen in memcpy of ast_frdup in main/frame.c (RTP frame type AST_FRAME_TEXT)

Hi,
I am trying to debug a segfault that happened in Asterisk when memcpy is given a negative datalen in ast_frdup of main/frame.c.
Here frametype was AST_FRAME_TEXT and datalen was -46.

backtrace:

> #0  0x0000003a39c89d00 in memcpy () from /lib64/libc.so.6
> #1  0x000000000052a1ba in ast_frdup ()
> #2  0x00000000004837ce in ast_bridge_channel_queue_frame ()
> #3  0x0000000000483c11 in ast_bridge_queue_everyone_else ()
> #4  0x00007f9464ecb607 in native_rtp_bridge_write (bridge=0x7f924003da00, bridge_channel=0x7f92400317a0, frame=0x7f9434151f38) at bridge_native_rtp.c:897
> #5  0x0000000000482d06 in bridge_channel_write_frame ()
> #6  0x0000000000487a21 in bridge_handle_trip ()
> #7  0x0000000000487e72 in bridge_channel_wait ()
> #8  0x0000000000488576 in bridge_channel_internal_join ()
> #9  0x000000000046e022 in ast_bridge_join ()
> #10 0x000000000051348c in ast_bridge_call_with_flags ()
> #11 0x0000000000513567 in ast_bridge_call ()
> #12 0x00007f946b6391c9 in dial_exec_full (chan=0x7f943419c9c0, data=0x7f9378f10430 "SIP/11233@CiscoSipTrunk,60000,30000", peerflags=0x7f9378f10280, continue_exec=0x0)
>     at app_dial.c:3233
> #13 0x00007f946b63958b in dial_exec (chan=0x7f943419c9c0, data=0x7f9378f10430 "SIP/11233@CiscoSipTrunk,60000,30000") at app_dial.c:3289
> #14 0x0000000000591734 in pbx_exec ()
> #15 0x000000000057dcbf in pbx_extension_helper ()
> #16 0x0000000000581394 in ast_spawn_extension ()
> #17 0x00000000005821a2 in __ast_pbx_run ()
> #18 0x0000000000583bd1 in pbx_thread ()
> #19 0x000000000060c7dc in dummy_start ()
> #20 0x0000003a3a4079d1 in start_thread () from /lib64/libpthread.so.0
> #21 0x0000003a39ce8b6d in clone () from /lib64/libc.so.6

After examining frame 4, I found the following data.

{frametype = AST_FRAME_TEXT, subclass = {integer = 49, format = 0x2b4d898, frame_ending = 0}, datalen = -46, samples = 0, mallocd = 0, mallocd_hdr_len = 0,
  offset = 76, src = 0x7f946e3ce118 "RTP", data = {ptr = 0x7f943415205a, uint32 = 873799770, pad = "Z \025\064\224\177\000"}, delivery = {tv_sec = 0, tv_usec = 0},
  frame_list = {next = 0x0}, flags = 1, ts = 22305779, len = 20, seqno = 17528}

My question is: in what case does Asterisk calculate datalen to be negative? Or should it never be negative, in which case this might be a bug?

It should never be negative. Are you doing real time text over RTP? What channel driver is in use?

chan_sip is being used as the channel driver.
The use case isn't real-time text over RTP (or anything related to text message communication), but Asterisk is connected to a Cisco PBX, and this PBX sometimes sends some RTP that might be interpreted as AST_FRAME_TEXT.
Also, this segfault doesn't occur every time ast_frdup receives a frametype 7 (i.e. AST_FRAME_TEXT).

Unfortunately, I do not have the network capture of the time when segfault happened to examine the RTP packets.

But for a normal frametype 7 scenario, the RTP packet seems to have payload type 106 (dynamic range, not defined in the SDP).
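The thread does not establish what actually produced datalen = -46, so the following is only an added illustration, not Asterisk's code and not a reconstruction of the crashing packet. It shows one generic way an RTP payload-length computation can go negative (a header whose CSRC count or extension length claims more bytes than the datagram carries), what a negative int becomes once it reaches memcpy's size_t parameter, and the two checks a receiver should apply. The packets are constructed inline; the helper names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* RFC 3550 fixed header: V(2) P(1) X(1) CC(4) | M(1) PT(7) | seq(16) | ts(32) | ssrc(32) */
#define RTP_FIXED_HDR 12

/* Constructed 32-byte packet (not a real capture): V=2, X=1, CC=0, PT=106.
   The extension header at offset 12 claims 10 32-bit words (40 bytes),
   more than the packet actually carries. Remaining bytes are zero. */
static const uint8_t kMalformedPkt[32] = {
    0x90, 0x6a, 0x44, 0x78,      /* V=2 X=1 CC=0, PT=106, seq=17528 */
    0x01, 0x54, 0x5d, 0x73,      /* timestamp (arbitrary) */
    0xde, 0xad, 0xbe, 0xef,      /* SSRC (arbitrary) */
    0x00, 0x00, 0x00, 0x0a,      /* extension: profile=0, length=10 words */
};

/* Constructed well-formed packet: V=2, X=0, CC=0, PT=106, 20 payload bytes. */
static const uint8_t kGoodPkt[32] = {
    0x80, 0x6a, 0x44, 0x79,
    0x01, 0x54, 0x5d, 0x73,
    0xde, 0xad, 0xbe, 0xef,
    /* 20 bytes of zero payload follow */
};

/* Naive computation (hypothetical pattern): trusts CC and the extension
   length field, so a lying header yields a negative payload length. */
static int rtp_payload_len_unchecked(const uint8_t *pkt, int len)
{
    int cc = pkt[0] & 0x0f;
    int hdrlen = RTP_FIXED_HDR + 4 * cc;
    if (pkt[0] & 0x10) {                          /* X bit set */
        int ext_words = (pkt[hdrlen + 2] << 8) | pkt[hdrlen + 3];
        hdrlen += 4 + 4 * ext_words;
    }
    return len - hdrlen;                          /* may be negative */
}

/* Checked variant: every field read is bounds-checked against the datagram
   length; any header that overruns the packet is rejected with -1. */
static int rtp_payload_len_checked(const uint8_t *pkt, int len)
{
    if (len < RTP_FIXED_HDR || (pkt[0] >> 6) != 2) return -1;
    int cc = pkt[0] & 0x0f;
    int hdrlen = RTP_FIXED_HDR + 4 * cc;
    if (len < hdrlen) return -1;
    if (pkt[0] & 0x10) {
        if (len < hdrlen + 4) return -1;          /* need the 4-byte ext header */
        int ext_words = (pkt[hdrlen + 2] << 8) | pkt[hdrlen + 3];
        hdrlen += 4 + 4 * ext_words;
        if (len < hdrlen) return -1;              /* extension overruns packet */
    }
    return len - hdrlen;
}

/* The implicit conversion that turns datalen = -46 into a huge memcpy size. */
static size_t datalen_as_size(int datalen)
{
    return (size_t)datalen;
}

/* Defensive guard for a frame duplicator: refuse negative lengths instead
   of letting them reach memcpy. Returns 1 and sets *out on success. */
static int frame_copy_len(int datalen, size_t *out)
{
    if (datalen < 0) return 0;
    *out = (size_t)datalen;
    return 1;
}

int main(void)
{
    printf("unchecked malformed: %d\n", rtp_payload_len_unchecked(kMalformedPkt, 32));
    printf("checked   malformed: %d\n", rtp_payload_len_checked(kMalformedPkt, 32));
    printf("checked   good     : %d\n", rtp_payload_len_checked(kGoodPkt, 32));
    printf("-46 as size_t      : %zu\n", datalen_as_size(-46));
    return 0;
}
```

The second check is the one that matters for this crash: even if the RTP parser is fixed, ast_frdup-style duplicators are a good place for a cheap `datalen < 0` refusal, because frames can reach them from more than one source.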
