asterisk users - Jun 2017 - asterisk 13.16. - sigseg during negotiation

Hello!

unchanged asterisk crashes during udptl / t.38 negotiation with telekom
- they do not support t.38 / udptl.

In detail:

fax client -> asterisk -> telekom -> easybell -> asterisk -> fax
server


Fax server sends t.38 reinvite via asterisk to easybell.

   Session Description Protocol Version (v): 0
   Owner/Creator, Session Id (o): - 2447581897 4 IN IP4 46.17.15.23
   Session Name (s): Asterisk
   Connection Information (c): IN IP4 46.17.15.23
   Time Description, active time (t): 0 0
   Media Description, name and address (m): image 4573 udptl t38
   Media Attribute (a): T38FaxVersion:0
   Media Attribute (a): T38MaxBitRate:14400
   Media Attribute (a): T38FaxRateManagement:transferredTCF
   Media Attribute (a): T38FaxMaxDatagram:397
   Media Attribute (a): T38FaxUdpEC:t38UDPRedundancy


This reinvite is received by asterisk via telekom:

   Session Description Protocol Version (v): 0
   Owner/Creator, Session Id (o): - 1811299599 2925027276 IN IP4 0.0.0.0
   Session Name (s): -
   Time Description, active time (t): 0 0
   Media Description, name and address (m): image 0 udptl t38
   Media Attribute (a): sendrecv
   Media Attribute (a): T38FaxVersion:0
   Media Attribute (a): T38MaxBitRate:14400
   Media Attribute (a): T38FaxRateManagement:transferredTCF
   Media Attribute (a): T38FaxMaxDatagram:397
   Media Attribute (a): T38FaxUdpEC:t38UDPRedundancy


And asterisk gives it to the fax client:

   Session Description Protocol Version (v): 0
   Owner/Creator, Session Id (o): - 1497774025 5 IN IP4 192.168.12.13
   Session Name (s): Asterisk
   Connection Information (c): IN IP4 192.168.12.13
   Time Description, active time (t): 0 0
   Media Description, name and address (m): image 4284 udptl t38
   Media Attribute (a): T38FaxVersion:0
   Media Attribute (a): T38MaxBitRate:14400
   Media Attribute (a): T38FaxRateManagement:transferredTCF
   Media Attribute (a): T38FaxMaxDatagram:393
   Media Attribute (a): T38FaxUdpEC:t38UDPRedundancy

Completely ignoring, that telekom doesn't support it (port and ip
addresses are set to 0).

On completing the negotiation after 200 ok SDP and ACK from fax client,
asterisk crashes. Stack trace is attached!


Regards,
Michael
-------------- next part --------------
Program terminated with signal 11, Segmentation fault.

#0  ast_copy_pj_str (dest=0x7fb9f5901100 "x\277\001<h\025\220",
<incomplete sequence \365>, src=0x20, size=1025) at res_pjsip.c:4147
#1  0x00007fb9f0b02334 in negotiate_incoming_sdp_stream (session=0x7fba3c031200,
session_media=<value optimized out>, sdp=<value optimized out>,
stream=<value optimized out>)
    at res_pjsip_t38.c:703
#2  0x00007fba0499ccf6 in handle_incoming_sdp (session=0x7fba3c031200,
sdp=0x7fba3c0adfb8) at res_pjsip_session.c:243
#3  0x00007fba0499e650 in session_inv_on_rx_offer (inv=0x7fba3c0504e8,
offer=0x7fba3c0adfb8) at res_pjsip_session.c:3009
#4  0x00007fba44b1b501 in inv_check_sdp_in_incoming_msg (inv=0x7fba3c0504e8,
tsx=0x7fba08006878, rdata=0x7fba3c0b00a8) at ../src/pjsip-ua/sip_inv.c:2110
#5  0x00007fba44b20026 in inv_on_state_confirmed (inv=0x7fba3c0504e8,
e=0x7fb9f5901880) at ../src/pjsip-ua/sip_inv.c:4869
#6  0x00007fba44b18869 in mod_inv_on_tsx_state (tsx=0x7fba08006878,
e=0x7fb9f5901880) at ../src/pjsip-ua/sip_inv.c:717
#7  0x00007fba44b64850 in pjsip_dlg_on_tsx_state (dlg=0x7fba3c028c58,
tsx=0x7fba08006878, e=0x7fb9f5901880) at ../src/pjsip/sip_dialog.c:2064
#8  0x00007fba44b650bf in mod_ua_on_tsx_state (tsx=0x7fba08006878,
e=0x7fb9f5901880) at ../src/pjsip/sip_ua_layer.c:178
#9  0x00007fba44b5d0e4 in tsx_set_state (tsx=0x7fba08006878,
state=PJSIP_TSX_STATE_TRYING, event_src_type=PJSIP_EVENT_RX_MSG,
event_src=0x7fba3c0b00a8, flag=0)
    at ../src/pjsip/sip_transaction.c:1267
#10 0x00007fba44b5f1f7 in tsx_on_state_null (tsx=0x7fba08006878,
event=0x7fb9f5901950) at ../src/pjsip/sip_transaction.c:2410
#11 0x00007fba44b5e07c in pjsip_tsx_recv_msg (tsx=0x7fba08006878,
rdata=0x7fba3c0b00a8) at ../src/pjsip/sip_transaction.c:1827
#12 0x00007fba44b63f62 in pjsip_dlg_on_rx_request (dlg=0x7fba3c028c58,
rdata=0x7fba3c0b00a8) at ../src/pjsip/sip_dialog.c:1711
#13 0x00007fba44b65bde in mod_ua_on_rx_request (rdata=0x7fba3c0b00a8) at
../src/pjsip/sip_ua_layer.c:704
#14 0x00007fba44b42b1e in pjsip_endpt_process_rx_data (endpt=0x36cc2a8,
rdata=0x7fba3c0b00a8, p=0x7fba05c8d0a0, p_handled=0x7fb9f5901b7c) at
../src/pjsip/sip_endpoint.c:887
#15 0x00007fba05a72c59 in distribute (data=0x7fba3c0b00a8) at
res_pjsip/pjsip_distributor.c:770
#16 0x00000000005ed6d1 in ast_taskprocessor_execute (tps=0x7fba3c0400a0) at
taskprocessor.c:965
#17 0x00000000005f7056 in execute_tasks (data=0x7fba3c0400a0) at
threadpool.c:1322
#18 0x00000000005ed6d1 in ast_taskprocessor_execute (tps=0x36bfab0) at
taskprocessor.c:965
#19 0x00000000005f53a1 in threadpool_execute (pool=0x36c0040) at
threadpool.c:351
#20 0x00000000005f69b4 in worker_active (worker=0x7fba38001fb0) at
threadpool.c:1105
#21 0x00000000005f6760 in worker_start (arg=0x7fba38001fb0) at threadpool.c:1024
#22 0x000000000060292c in dummy_start (data=0x7fba38000a50) at utils.c:1238
#23 0x00007fba43005aa1 in start_thread (arg=0x7fb9f5902700) at
pthread_create.c:301
#24 0x00007fba4238dbcd in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:115


(gdb) frame 0
#0  ast_copy_pj_str (dest=0x7fb9f5901100 "x\277\001<h\025\220",
<incomplete sequence \365>, src=0x20, size=1025) at res_pjsip.c:4147
4147            size_t chars_to_copy = MIN(size - 1, pj_strlen(src));
(gdb) list
4142            return std.fail;
4143    }
4144
4145    void ast_copy_pj_str(char *dest, const pj_str_t *src, size_t size)
4146    {
4147            size_t chars_to_copy = MIN(size - 1, pj_strlen(src));
4148            memcpy(dest, pj_strbuf(src), chars_to_copy);
4149            dest[chars_to_copy] = '\0';
4150    }
4151


(gdb) frame 1
#1  0x00007fb9f0b02334 in negotiate_incoming_sdp_stream (session=0x7fba3c031200,
session_media=<value optimized out>, sdp=<value optimized out>,
stream=<value optimized out>)
    at res_pjsip_t38.c:703
703             ast_copy_pj_str(host, stream->conn ?
&stream->conn->addr : &sdp->conn->addr, sizeof(host));
(gdb) lsit
Undefined command: "lsit".  Try "help".
(gdb) list
698                     ast_debug(3, "Declining; T.38 state is rejected or
declined\n");
699                     t38_change_state(session, session_media, state,
T38_DISABLED);
700                     return -1;
701             }
702
703             ast_copy_pj_str(host, stream->conn ?
&stream->conn->addr : &sdp->conn->addr, sizeof(host));
704
705             /* Ensure that the address provided is valid */
706             if (ast_sockaddr_resolve(&addrs, host, PARSE_PORT_FORBID,
AST_AF_INET) <= 0) {
707                     /* The provided host was actually invalid so we error
out this negotiation */


(gdb) frame 2
#2  0x00007fba0499ccf6 in handle_incoming_sdp (session=0x7fba3c031200,
sdp=0x7fba3c0adfb8) at res_pjsip_session.c:243
243                             res =
handler->negotiate_incoming_sdp_stream(session, session_media, sdp,
(gdb) list
238                     if (session_media->handler) {
239                             handler = session_media->handler;
240                             ast_debug(1, "Negotiating incoming SDP
media stream '%s' using %s SDP handler\n",
241                                     session_media->stream_type,
242                                     session_media->handler->id);
243                             res =
handler->negotiate_incoming_sdp_stream(session, session_media, sdp,
244                                     sdp->media[i]);
245                             if (res < 0) {
246                                     /* Catastrophic failure. Abort! */
247                                     return -1;


(gdb) frame 3
#3  0x00007fba0499e650 in session_inv_on_rx_offer (inv=0x7fba3c0504e8,
offer=0x7fba3c0adfb8) at res_pjsip_session.c:3009
3009            if (handle_incoming_sdp(session, offer)) {
(gdb) list
3004    static void session_inv_on_rx_offer(pjsip_inv_session *inv, const
pjmedia_sdp_session *offer)
3005    {
3006            struct ast_sip_session *session =
inv->mod_data[session_module.id];
3007            pjmedia_sdp_session *answer;
3008
3009            if (handle_incoming_sdp(session, offer)) {
3010                    return;
3011            }
3012
3013            if ((answer = create_local_sdp(inv, session, offer))) {

On Sun, Jun 18, 2017, at 06:00 AM, Michael Maier wrote:
> Hello!
> 
> unchanged asterisk crashes during udptl / t.38 negotiation with telekom
> - they do not support t.38 / udptl.
All Asterisk issues need to go through the issue tracker[1]. In this
case we'd also need to see the full SIP debug so we can understand the
complete interaction.

[1] https://issues.asterisk.org/jira

-- 
Joshua Colp
Digium, Inc. | Senior Software Developer
445 Jan Davis Drive NW - Huntsville, AL 35806 - US
Check us out at: www.digium.com & www.asterisk.org

On 06/18/2017 at 12:11 PM, Joshua Colp wrote:
> On Sun, Jun 18, 2017, at 06:00 AM, Michael Maier wrote:
>> Hello!
>>
>> unchanged asterisk crashes during udptl / t.38 negotiation with telekom
>> - they do not support t.38 / udptl.
> 
> All Asterisk issues need to go through the issue tracker[1]. In this
> case we'd also need to see the full SIP debug so we can understand the
> complete interaction.
> 
> [1] https://issues.asterisk.org/jira
> 
See https://issues.asterisk.org/jira/browse/ASTERISK-27061