[Freeswitch-dev] origin/master's HEAD is segfaulting

Sat Jun 22 18:03:53 MSD 2013

Hi,

I'm on this commit :
arif at khost:~/src/freeswitch$ git show HEAD
commit f8122e39c51240b99bf07a767afe2f8a698f1486

Now its segfaulting on startup.

>From generated core :

Program terminated with signal 11, Segmentation fault.
#0  0x00007f245cc28df1 in su_casematch (s1=0x7f245cc7fc57 "",
    s2=0x3000000030 <Address 0x3000000030 out of bounds>) at su_string.c:224
224        unsigned char a = *s1++, b = *s2++;

Clearly s2 is wrongly initialized.

The backtrace :

(gdb) bt
#0  0x00007f245cc28df1 in su_casematch (s1=0x7f245cc7fc57 "",
    s2=0x3000000030 <Address 0x3000000030 out of bounds>) at su_string.c:224
#1  0x00007f245cc377ff in tport_server_addrinfo (mr=0x7f243c003c30,
    canon=0x7f243c003bfe "[::1]", family=0, host=0x7f245c958670 "::1",
    service=0x7f243c003c04 "5060", protocol=0x7f245cc7fc56 "*",
    transports=0x7f245c9589c0, return_addrinfo=0x7f245c958608) at tport.c:1814
#2  0x00007f245cc370a1 in tport_bind_server (mr=0x7f243c003c30,
    tpn=0x7f245c958770, transports=0x7f245c9589c0, public=tport_type_local,
    tags=0x7f245c958730) at tport.c:1652
#3  0x00007f245cc36762 in tport_tbind (self=0x7f243c003c30,
    tpn=0x7f245c958a50, transports=0x7f245c9589c0,
    tag=0x7f245cecae20 <tptag_ident>, value=139794152182707) at tport.c:1524
#4  0x00007f245cb8882d in nta_agent_add_tport (self=0x7f243c001e40,
    uri=0x7f24400099c0, tag=0x7f245cecae20 <tptag_ident>,
    value=139794152182707) at nta.c:2237
#5  0x00007f245cbc4e71 in nua_stack_init_transport (nua=0x7f2440007970,
    tags=0x7f24400098f0) at nua_register.c:1216
#6  0x00007f245cbd6b6b in nua_stack_init (root=0x7f243c001130,
    nua=0x7f2440007970) at nua_stack.c:194
#7  0x00007f245cc24441 in su_pthread_port_clone_main (varg=0x7f245c9d03d0)
    at su_pthread_port.c:340
#8  0x00007f2460ffae9a in start_thread ()
   from /lib/x86_64-linux-gnu/libpthread.so.0
---Type <return> to continue, or q <return> to quit---
#9  0x00007f2460d27ccd in clone () from /lib/x86_64-linux-gnu/libc.so.6
#10 0x0000000000000000 in ?? ()

In tport_server_addrinfo() :

(gdb) list tport_server_addrinfo
...
1800                  char const * const transports[],
...
...
1811      for (i = 0, N = 0; transports[i] && N < TPORT_N; i++) {
1812        su_addrinfo_t *ai = &hints[N];
1813   
1814        if (!su_casematch(protocol, transports[i]) && !su_strmatch(protocol, "*"))

So char const * const transports[] is not correctly initialized before using its values in the for loop.

(gdb) p transports[0]
$3 = 0x3000000030 <Address 0x3000000030 out of bounds>
(gdb) p transports[1]
$4 = 0x7f245c958d00 "`\215\225\\$\177"

So transports[0] is the problematic initialization here.

Going back further, in libs/sofia-sip/libsofia-sip-ua/nta/nta.c: 2150

   char const * const * tports = tports_sip;

And here

(gdb) ptype tports_sip
type = const char * const[5]
(gdb) p tports_sip[0]
$6 = 0x7f245cc7fc38 "udp"
(gdb) p tports[0]
$7 = 0x3000000030 <Address 0x3000000030 out of bounds>
(gdb) ptype tports_sip
type = const char * const[5]
(gdb) p tports
$11 = (const char * const *) 0x7f245c9589c0
(gdb) p &tports_sip
$12 = (const char * const(*)[5]) 0x7f245cebf660 <tports_sip>

As it can be seen, tports diverged from initial tports_sip.
It has been done in following snippet :

 2197       if (strchr(tp, ',')) {
 2198                   int i; char *t, *tps[9] = {0};
 2199
 2200         /* Split tp into transports */
 2201         for (i = 0, t = tp; t && i < 8; i++) {
 2202           tps[i] = t;
 2203           if ((t = strchr(t, ',')))
 2204             *t++ = '\0';
 2205         }
 2206
 2207         tps[i] = NULL;
 2208         tports = (char const * const *)tps;

Now :

(gdb) p tp
$20 =   "udp\000tcp\000H\215\225\\$\177\000\000\240\252\354\\"..

So above code should parse "udp" in tports[0]. Which is not the case here.

I'm assuming this bug has to generated from a more higher level, rather than happened in a file which has not been touched since 2006( I git blamed it).

But bt does not have any calls to "non-sofia" stuff.

This su_casematch() was called from two threads,

  4    Thread 0x7f245eccb700 (LWP 7622) 0x00007f245cc28df1 in su_casematch (
    s1=0x7f245cc7fc57 "", s2=0x3000000030 <Address 0x3000000030 out of bounds>)
    at su_string.c:224

* 1    Thread 0x7f245c959700 (LWP 7623) 0x00007f245cc28df1 in su_casematch (
    s1=0x7f245cc7fc57 "", s2=0x3000000030 <Address 0x3000000030 out of bounds>)
    at su_string.c:224

Both calls to su_casematch seems problematic.

Sorry for a long BUGREPORT. Actually i thought i should post  my investigation if it helps the devs(After git blaming, i highly suspect that my investigation unearthed nothing , problem generated from elsewhere, which i could not find).

I've not started git bisecting. If it helps, i will be happy to do that.

-- 
Cheers
arif 		 	   		  