Bug 500504 - net-misc/asterisk-11.7.0 - Crash when faxing SIP to SIP with strictrtp set to yes
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Server
Hardware: All Linux
Importance: Normal normal
Assignee: Tony Vroon (RETIRED)
URL: https://issues.asterisk.org/jira/brow...
Whiteboard:
Keywords: PATCH
Depends on:
Blocks:
 
Reported: 2014-02-06 10:57 UTC by Jaco Kroon
Modified: 2014-02-06 16:48 UTC



Description Jaco Kroon 2014-02-06 10:57:46 UTC
Under some conditions the asterisk fax code causes spandsp to crash.  In my case this is because g729 data is being passed off to spandsp from what I do understand of the situation.

Patch available at the bug report and from a quick glance should fix the issue, but I need to rig a test to confirm.

Specific patch at https://issues.asterisk.org/jira/secure/attachment/49214/spandsp_g711decode.diff

My backtrace looks like:

#0  process_rx_data (t=0x7fae54c698a8, user_data=0x2, data_type=1, field_type=<optimized out>, buf=0x7fae11c58cda "cng", len=0) at t38_terminal.c:314
#1  0x00007fae11c22c7d in t38_core_rx_ifp_packet (s=0x7fae54c698a8, buf=0x7fae54c8475b "\002", len=1, seq_no=<optimized out>) at t38_core.c:459
#2  0x00007fae50ea96c5 in generic_fax_exec (chan=chan@entry=0x7fadc4548c18, details=details@entry=0x7fad50602c28, reserved=reserved@entry=0x7fad50155478, token=<optimized out>) at res_fax.c:1498
#3  0x00007fae50eaea9e in receivefax_exec (chan=0x7fadc4548c18, data=<optimized out>) at res_fax.c:1932
#4  0x0000000000530fdd in pbx_exec (c=c@entry=0x7fadc4548c18, app=app@entry=0x2ddca60, data=data@entry=0x7fad838b6cd0 "/tmp/morpheus-1391681512.850.tiff") at pbx.c:1622
#5  0x000000000053656f in pbx_extension_helper (c=c@entry=0x7fadc4548c18, context=<optimized out>, exten=exten@entry=0x7fadc4549ab8 "0123489251", priority=priority@entry=6, label=label@entry=0x0, callerid=callerid@entry=0x7fadc44757b0 "0126413300", action=action@entry=E_SPAWN, found=found@entry=0x7fad838bad60, 
    combined_find_spawn=combined_find_spawn@entry=1, con=0x0) at pbx.c:4922
#6  0x00000000005404a4 in ast_spawn_extension (found=0x7fad838bad60, callerid=0x7fadc44757b0 "0126413300", priority=6, exten=0x7fadc4549ab8 "0123489251", context=<optimized out>, c=0x7fadc4548c18, combined_find_spawn=<optimized out>) at pbx.c:6038
#7  __ast_pbx_run (c=c@entry=0x7fadc4548c18, args=args@entry=0x0) at pbx.c:6513
#8  0x0000000000541c0b in pbx_thread (data=data@entry=0x7fadc4548c18) at pbx.c:6843
#9  0x0000000000587c5a in dummy_start (data=<optimized out>) at utils.c:1162
#10 0x00007fae530f2f3a in start_thread (arg=0x7fad838bb700) at pthread_create.c:308
#11 0x00007fae54754dad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113

This does NOT match the patch; however, the discussion on asterisk seems to imply that the visibility of the patch and the effect aren't in the same place.

Reproducible: Always
Comment 1 Tony Vroon (RETIRED) gentoo-dev 2014-02-06 16:48:04 UTC
+*asterisk-11.7.0-r1 (06 Feb 2014)
+
+  06 Feb 2014; Tony Vroon <chainsaw@gentoo.org> +asterisk-11.7.0-r1.ebuild:
+  Stop blowing up the V21 tone detector in SpanDSP by sanitising the input data
+  properly. Patch by Michal Rybarik scavenged from an upstream bug report by
+  Jaco Kroon. Closes bug #500504.
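Review bot: the ChangeLog text says the patch was "scavenged from an upstream bug report" but gives neither the upstream issue identifier nor the name of the patch file, so the origin of the fix cannot be traced from the entry itself. Suggest citing the upstream issue and the patch filename alongside "Closes bug #500504".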