FreeSWITCH Crash on conference module

FreeSWITCH Modules
1

Hi,
We have a freeswitch crash issue on conference module in conference_event_add_data function.

Previously we had crash issue from same function for null value in conference->variables at switch_event_merge(event, conference->variables)
So we updated function and put condition to check that it only go to that function if variable’s value are not null and seems that fixed that issue.

switch_status_t conference_event_add_data(conference_obj_t *conference, switch_event_t *event) {
    switch_status_t status = SWITCH_STATUS_SUCCESS;

    if (!conference || !event) {
        switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_ERROR, "conference or event is NULL in conference_event_add_data\n");
        return SWITCH_STATUS_FALSE;
    }

    switch_event_add_header_string(event, SWITCH_STACK_BOTTOM, "Conference-Name", conference->name);
    switch_event_add_header_string(event, SWITCH_STACK_BOTTOM, "Conference-Domain", conference->domain);
    switch_event_add_header(event, SWITCH_STACK_BOTTOM, "Conference-Size", "%u", conference->count);
    switch_event_add_header(event, SWITCH_STACK_BOTTOM, "Conference-Ghosts", "%u", conference->count_ghosts);
    switch_event_add_header_string(event, SWITCH_STACK_BOTTOM, "Conference-Profile-Name", conference->profile_name);
    switch_event_add_header_string(event, SWITCH_STACK_BOTTOM, "Conference-Unique-ID", conference->uuid_str);
    /* switch_event_merge(event, conference->variables); */

    if (conference->variables) {
        switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_DEBUG, "Merging events: event=%p, variables=%p\n", (void *)event, (void *)conference->variables);
        switch_event_merge(event, conference->variables);
    } else {
        switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_ERROR, "conference->variables is NULL in conference_event_add_data\n");
        status = SWITCH_STATUS_FALSE;
    }

    return status;
}

Now it seems another issue on same function for memory allocation to variables as shown in GDB’s command’s screenshots below.

Here I have attached backtrace log and screenshots of gdb commands output.

Backtrace log:

Thread 1 (Thread 0x7f488e5d3700 (LWP 1504900)):
#0  0x00007f4909bbdce1 in __libc_signal_block_app (set=0x7f488e5d2930) at ../sysdeps/unix/sysv/linux/internal-signals.h:74
        allset = {__val = {18446744067267100671, 18446744073709551615 <repeats 15 times>}}
        set = {__val = {0, 139951672910572, 5140087418055917568, 139950705367936, 139950705367936, 139950705367936, 139950705367936, 139950705368030, 139950705368036, 139950705367936, 139950705368036, 0, 0, 0, 0, 0}}
        pid = <optimized out>
        tid = <optimized out>
#1  __GI_raise (sig=0, sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:40
        set = {__val = {0, 139951672910572, 5140087418055917568, 139950705367936, 139950705367936, 139950705367936, 139950705367936, 139950705368030, 139950705368036, 139950705367936, 139950705368036, 0, 0, 0, 0, 0}}
        pid = <optimized out>
        tid = <optimized out>
#2  0x00007f4909ba7537 in __GI_abort () at abort.c:79
        save_stage = 1
        act = {__sigaction_handler = {sa_handler = 0x7f48d0145b80, sa_sigaction = 0x7f48d0145b80}, sa_mask = {__val = {0, 139950705367936, 139951674048704, 0, 0, 0, 21474836480, 0, 139949602843296, 139951674106720, 139951674091144, 0, 2763278678153683456, 139951674073048, 139951679639552, 139951674091144}}, sa_flags = 169245344, sa_restorer = 0x526}
        sigs = {__val = {32, 0 <repeats 15 times>}}
#3  0x00007f4909ba740f in __assert_fail_base (fmt=0x7f4909d1e688 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x7f490a167c15 "tomerge && event", file=0x7f490a167aa0 "src/switch_event.c", line=1318, function=<optimized out>) at assert.c:92
        str = 0x7f48d0145b80 "\340{"
        total = 4096
#4  0x00007f4909bb6662 in __assert_fail_base (fmt=0x7f490a167c15 "tomerge && event", assertion=0x7f488e5d2d40 "", file=0x7f490a167aa0 "src/switch_event.c", line=1318, function=<optimized out>) at assert.c:80
        old = <optimized out>
        buf = 0x7f490a168a20 <__PRETTY_FUNCTION__.36>
        str = 0x7f48d0077150 ""
        total = 32584
#5  0x00007f49053ce14e in conference_event_add_data (conference=0x7f488e74036f, event=0x7f4909e96d8e) at conference_event.c:767
        status = SWITCH_STATUS_SUCCESS
        __func__ = "conference_event_add_data"
#6  0x00007f48d0077150 in  ()
#7  0x0000000000000000 in  ()

GDB screenshot:

image
image1574×703 54.1 KB

gcc Version: 10.2.1 20210110 (Debian 10.2.1-6)
OS Version: Debian 11 (bullseye)
FreeSWITCH Version: 1.10.9-release~64bit ( 64bit)
Hardware:
Architecture: x86_64
CPU op-mode(s): 32-bit, 64-bit
Address sizes: 46 bits physical, 48 bits virtual
CPU(s): 4
On-line CPU(s) list: 0-3
Thread(s) per core: 2
Core(s) per socket: 2
CPU family: 6
Model name: Intel(R) Xeon(R) Platinum 8275CL CPU @ 3.00GHz
CPU MHz: 3602.039
RAM: 8GB

Need suggestion on this that how we can fix this.

Thanks,
Nikunj

2

Can I have any update on this?