Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

FreeSWITCH Crash (most likely in spandsp's t30.c) #38

Closed
pragmatrix opened this issue Jan 24, 2022 · 2 comments
Closed

FreeSWITCH Crash (most likely in spandsp's t30.c) #38

pragmatrix opened this issue Jan 24, 2022 · 2 comments

Comments

@pragmatrix
Copy link

pragmatrix commented Jan 24, 2022
edited
Loading

Hi, one of our FreeSWITCH machines recently deadlocked or livelocked. No connections to the Event Socket port 8021 were accepted anymore and after a superficial analysis we are suspecting a bug in spandsp because the last line in the log indicates that a fax ECM frame was received of 3 bytes in length, which in turn caused a call to a memcpy with len == -1.

Here are the last few log entries:

2022-01-17 16:42:06.698682 [DEBUG] mod_spandsp_fax.c:295 FLOW FAX Set rx type 7
2022-01-17 16:42:06.698682 [DEBUG] mod_spandsp_fax.c:295 FLOW FAX Set tx type 0
2022-01-17 16:42:06.698682 [DEBUG] mod_spandsp_fax.c:295 FLOW T.30 Start T2
2022-01-17 16:42:06.718682 [DEBUG] mod_spandsp_fax.c:295 FLOW T.30 HDLC signal status is Carrier down (-1) in state F_DOC_ECM
2022-01-17 16:42:06.718682 [WARNING] mod_spandsp_fax.c:295 WARNING T.30 ECM carrier not found
2022-01-17 16:42:06.718682 [DEBUG] mod_spandsp_fax.c:295 FLOW T.30 Status changing to Carrier lost during fax receive
2022-01-17 16:42:07.478681 [DEBUG] mod_spandsp_fax.c:295 FLOW T.30 HDLC signal status is Carrier up (-2) in state F_DOC_ECM
2022-01-17 16:42:07.478681 [DEBUG] mod_spandsp_fax.c:295 FLOW T.30 HDLC signal status is Carrier up (-2) in state F_DOC_ECM
2022-01-17 16:42:07.618681 [DEBUG] mod_spandsp_fax.c:295 FLOW T.30 HDLC signal status is Training failed (-5) in state F_DOC_ECM
2022-01-17 16:42:07.678681 [DEBUG] mod_spandsp_fax.c:295 FLOW T.30 HDLC signal status is Carrier down (-1) in state F_DOC_ECM
2022-01-17 16:42:07.678681 [WARNING] mod_spandsp_fax.c:295 WARNING T.30 ECM carrier not found
2022-01-17 16:42:07.678681 [DEBUG] mod_spandsp_fax.c:295 FLOW T.30 HDLC signal status is Carrier up (-2) in state F_DOC_ECM
2022-01-17 16:42:07.678681 [DEBUG] mod_spandsp_fax.c:295 FLOW T.30 HDLC signal status is Carrier down (-1) in state F_DOC_ECM
2022-01-17 16:42:07.678681 [WARNING] mod_spandsp_fax.c:295 WARNING T.30 ECM carrier not found
2022-01-17 16:42:07.678681 [DEBUG] mod_spandsp_fax.c:295 FLOW T.30 HDLC signal status is Carrier up (-2) in state F_DOC_ECM
2022-01-17 16:42:07.818681 [DEBUG] mod_spandsp_fax.c:295 FLOW T.30 HDLC signal status is Training in progress (-3) in state F_DOC_ECM
2022-01-17 16:42:07.838681 [DEBUG] mod_spandsp_fax.c:295 FLOW T.30 HDLC signal status is Training succeeded (-4) in state F_DOC_ECM
2022-01-17 16:42:07.838681 [DEBUG] mod_spandsp_fax.c:295 FLOW T.30 HDLC signal status is Abort (-8) in state F_DOC_ECM
2022-01-17 16:42:07.838681 [DEBUG] mod_spandsp_fax.c:295 FLOW T.30 HDLC signal status is Framing OK (-6) in state F_DOC_ECM
2022-01-17 16:42:07.838681 [DEBUG] mod_spandsp_fax.c:295 FLOW T.30 Start T1A
2022-01-17 16:42:07.858681 [DEBUG] mod_spandsp_fax.c:295 FLOW T.30 Bad HDLC CRC received
2022-01-17 16:42:07.858681 [DEBUG] mod_spandsp_fax.c:295 FLOW T.30 Bad HDLC CRC received
2022-01-17 16:42:07.878681 [DEBUG] mod_spandsp_fax.c:295 FLOW T.30 Bad HDLC CRC received
2022-01-17 16:42:07.878681 [DEBUG] mod_spandsp_fax.c:295 FLOW T.30 HDLC signal status is Abort (-8) in state F_DOC_ECM
2022-01-17 16:42:07.898681 [DEBUG] mod_spandsp_fax.c:295 FLOW T.30 HDLC signal status is Abort (-8) in state F_DOC_ECM
2022-01-17 16:42:07.978681 [DEBUG] mod_spandsp_fax.c:295 FLOW T.30 Bad HDLC CRC received
2022-01-17 16:42:07.978681 [DEBUG] mod_spandsp_fax.c:295 FLOW T.30 HDLC signal status is Abort (-8) in state F_DOC_ECM
2022-01-17 16:42:08.038681 [DEBUG] mod_spandsp_fax.c:295 FLOW T.30 Stop T1A (278400 remaining)
2022-01-17 16:42:08.038681 [DEBUG] mod_spandsp_fax.c:295 FLOW T.30 Rx:  FCD without final frame tag
2022-01-17 16:42:08.038681 [DEBUG] mod_spandsp_fax.c:295 FLOW T.30 Rx:  ff 03 06
2022-01-17 16:42:08.038681 [DEBUG] mod_spandsp_fax.c:295 FLOW T.30 Storing ECM frame 97, length -1

The code in t30.c I suspect caused the problem:

spandsp/src/t30.c

Lines 3589 to 3590 in 284fe91

span_log(&s->logging, SPAN_LOG_FLOW, "Storing ECM frame %d, length %d\n", frame_no, len - 4);
memcpy(&s->ecm_data[frame_no][0], &msg[4], len - 4);

And the full spandsp related log:

spandsp-error.log

FreeSWITCH version was most likely version 1.10.6.. We are not 100% sure, because we have updated it to 1.10.7 right before reinstating the server again.
@mjerris
Copy link
Member

mjerris commented Jan 24, 2022

please provide a backtrace of all threads and reopen this issue once it’s attached. this kind of issue can’t be reviewed without that info

@mjerris mjerris closed this as completed Jan 24, 2022
@pragmatrix
Copy link
Author

We don't have that backtrace now. We have to wait for another crash.

this kind of issue can’t be reviewed without that info

I disagree. The code path is fairly obvious from the log, and the memcpy above can't handle a Rx of size 3 and will most likely lead to UB. Building a test case should be fairly simple for someone accustomed with the code. I'll try my best as soon I've time for that.

@dragos-oancea dragos-oancea mentioned this issue Jan 25, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@mjerris @pragmatrix