Hi all,
I came across a problem with one Asterisk server on GNU/Linux (2.6.32-220.23.1.el6.x86_64) and I am wondering if it’s a bug. The server segfaulted and I had a look with gdb. The important parts:
(gdb) backtrace
#0 0x0000003dbad26896 in __strcmp_sse42 () from /lib64/libc.so.6
#1 0x00007f9809ab4008 in add_agent (agent=<value optimized out>, pending=0) at chan_agent.c:462
This is where it crashed. Having a look at #1…
(gdb) frame 1
#1 0x00007f9809ab4008 in add_agent (agent=<value optimized out>, pending=0) at
462 if (!pending && !strcmp(p->agent, agt))
…it seems that that’s where it goes south. Okay…
(gdb) print pending
$1 = 0
…pending is 0, so it goes to the strcmp…
(gdb) print p
$2 = (struct agent_pvt *) 0x2b0
(gdb) print p->agent
Cannot access memory at address 0x38c
(gdb) print agt
$3 = 0x7f980473e8f0 "2392"
It cannot access p->agent. This is the code (from doxygen.asterisk.org/asterisk1.8 … ource.html ):
00459 /* Are we searching for the agent here ? To see if it exists already ? */
00460 AST_LIST_TRAVERSE(&agents, p, list) {
00461 if (!pending && !strcmp(p->agent, agt))
00462 break;
00463 }
It used to be like this in Asterisk 1.2 ( doxygen.asterisk.org/asterisk1.2 … ource.html ):
00339 // Are we searching for the agent here ? to see if it exists already ?
00340 prev=NULL;
00341 p = agents;
00342 while(p) {
00343 if (!pending && !strcmp(p->agent, agt))
00344 break;
00345 prev = p;
00346 p = p->next;
00347 }
This was changed in 2006: issues.asterisk.org/jira/browse/ASTERISK-6182
I am wondering if this change has broken the check and will crash Asterisk whenever p is 0 and the agent hasn’t been created yet. Any comment is appreciated!
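As an added example (not from the post above and not Asterisk's own code), the following C program reproduces the shape of both search loops quoted in the post, the 1.2 while loop and the 1.8 AST_LIST_TRAVERSE-style for loop, over a hypothetical cut-down struct agent_pvt, and checks what each does on an empty list, on a list that contains the agent, and with pending set. The LIST_TRAVERSE macro, the two-field struct and the agent ids "1001", "2392", "3003" are constructed stand-ins; Asterisk's real AST_LIST_TRAVERSE also expands to a for loop whose condition is the cursor pointer itself, which is what the stand-in mirrors.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for Asterisk's struct agent_pvt with only the
 * fields the search loop touches; the real struct is much larger. */
struct agent_pvt {
    char agent[16];          /* agent id as a string, e.g. "2392" */
    struct agent_pvt *next;  /* 1.2 used p->next; 1.8 uses an AST_LIST entry */
};

/* Count strcmp() calls so a scenario can show whether the comparison was
 * reached at all (a NULL p would crash inside it). */
static int g_strcmp_calls;
static int counted_strcmp(const char *a, const char *b)
{
    g_strcmp_calls++;
    return strcmp(a, b);
}

/* Stand-in for AST_LIST_TRAVERSE(&agents, p, list): a for loop that stops
 * as soon as the cursor becomes NULL, so the body never sees a NULL p. */
#define LIST_TRAVERSE(head, var) \
    for ((var) = (head); (var) != NULL; (var) = (var)->next)

/* Search loop in the shape of Asterisk 1.8 add_agent(). */
static struct agent_pvt *find_agent_traverse(struct agent_pvt *agents,
                                             const char *agt, int pending)
{
    struct agent_pvt *p;
    LIST_TRAVERSE(agents, p) {
        if (!pending && !counted_strcmp(p->agent, agt))
            break;
    }
    return p; /* NULL when the list is empty or nothing matched */
}

/* Search loop in the shape of Asterisk 1.2 add_agent(). */
static struct agent_pvt *find_agent_while(struct agent_pvt *agents,
                                          const char *agt, int pending)
{
    struct agent_pvt *prev = NULL, *p = agents;
    while (p) {
        if (!pending && !counted_strcmp(p->agent, agt))
            break;
        prev = p;
        p = p->next;
    }
    (void)prev; /* 1.2 kept prev for unlinking; the search itself does not need it */
    return p;
}

/* Constructed sample list: three agents linked in array order. */
static struct agent_pvt g_nodes[3];
static struct agent_pvt *sample_list(void)
{
    const char *ids[3] = { "1001", "2392", "3003" };
    for (size_t i = 0; i < 3; i++) {
        snprintf(g_nodes[i].agent, sizeof g_nodes[i].agent, "%s", ids[i]);
        g_nodes[i].next = (i + 1 < 3) ? &g_nodes[i + 1] : NULL;
    }
    return &g_nodes[0];
}

/* Scenario 1: empty list (no agent created yet), pending == 0. Returns 1 if
 * both loops return NULL and strcmp() was never called. */
int scenario_empty_list(void)
{
    g_strcmp_calls = 0;
    struct agent_pvt *a = find_agent_traverse(NULL, "2392", 0);
    struct agent_pvt *b = find_agent_while(NULL, "2392", 0);
    return a == NULL && b == NULL && g_strcmp_calls == 0;
}

/* Scenario 2: "2392" present. Returns the index in g_nodes both loops stop
 * at, or -1 if they disagree or miss it. */
int scenario_found_index(void)
{
    struct agent_pvt *head = sample_list();
    g_strcmp_calls = 0;
    struct agent_pvt *a = find_agent_traverse(head, "2392", 0);
    struct agent_pvt *b = find_agent_while(head, "2392", 0);
    if (a == NULL || a != b)
        return -1;
    return (int)(a - g_nodes);
}

/* Scenario 3: pending == 1 short-circuits the && before strcmp; both loops
 * walk to the end and return NULL. Returns the strcmp() call count. */
int scenario_pending_skips_strcmp(void)
{
    struct agent_pvt *head = sample_list();
    g_strcmp_calls = 0;
    struct agent_pvt *a = find_agent_traverse(head, "2392", 1);
    struct agent_pvt *b = find_agent_while(head, "2392", 1);
    return (a == NULL && b == NULL) ? g_strcmp_calls : -1;
}

int main(void)
{
    printf("empty list handled without strcmp: %d\n", scenario_empty_list());
    printf("\"2392\" found at index: %d\n", scenario_found_index());
    printf("strcmp calls with pending=1: %d\n", scenario_pending_skips_strcmp());
    return 0;
}
```

The strcmp counter is the point of the example: in both loop shapes an empty list returns without a single comparison, because the loop condition tests the cursor before the body runs, so a NULL p never reaches strcmp. What the gdb output in the post shows reaching __strcmp_sse42 is p == 0x2b0, a non-NULL value, and the address that cannot be read, 0x38c, is p plus a fixed offset (0xdc), consistent with the read of p->agent. Where such a pointer could come from is a separate question that this example does not answer.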