[ opensips-Bugs-2573029 ] [trunk/r5254] crash in dialog/

SourceForge.net
Bugs item #2573029, was opened at 2009-02-06 15:40
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=1086410&aid=2573029&group_id=232389

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: modules
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Nobody/Anonymous (nobody)
Assigned to: Nobody/Anonymous (nobody)
Summary: [trunk/r5254] crash in dialog/

Initial Comment:
(from [hidden email])

Turns out that you can pass rpl == FAKED_REPLY (which is -1) to dlg_onreply(), which will in turn try to dereference it and crash. This fixes it for me; if you're interested, I can reproduce the core dump.

This happens when testing presence and related stuff.


--- modules/dialog/dlg_handlers.c (revision 5254)
+++ modules/dialog/dlg_handlers.c (working copy)
@@ -288,24 +288,29 @@
  LM_DBG("dialog %p confirmed\n",dlg);
 
  /* get to tag*/
- if ( !rpl->to && ((parse_headers(rpl, HDR_TO_F,0)<0) || !rpl->to) ) {
- LM_ERR("bad reply or missing TO hdr :-/\n");
- tag.s = 0;
- tag.len = 0;
- } else {
- tag = get_to(rpl)->tag_value;
- if (tag.s==0 || tag.len==0) {
- LM_ERR("missing TAG param in TO hdr :-/\n");
+ if ( rpl != FAKED_REPLY){
+ if ( !rpl->to && ((parse_headers(rpl, HDR_TO_F,0)<0) || !rpl->to) ) {
+ LM_ERR("bad reply or missing TO hdr :-/\n");
  tag.s = 0;
  tag.len = 0;
+ } else {
+ tag = get_to(rpl)->tag_value;
+ if (tag.s==0 || tag.len==0) {
+ LM_ERR("missing TAG param in TO hdr :-/\n");
+ tag.s = 0;
+ tag.len = 0;
+ }
  }
+ /* save callee's tag, cseq, contact and record route*/
+ if (populate_leg_info( dlg, rpl, t, DLG_CALLEE_LEG, &tag) !=0) {
+ LM_ERR("could not add further info to the dialog\n");
+ }
+ } else {
+ LM_DBG("FAKED_REPLY detected\n");
+ tag.s = 0;
+ tag.len = 0;
  }
 
- /* save callee's tag, cseq, contact and record route*/
- if (populate_leg_info( dlg, rpl, t, DLG_CALLEE_LEG, &tag) !=0) {
- LM_ERR("could not add further info to the dialog\n");
- }
-
  /* set start time */
  dlg->start_ts = (unsigned int)(time(0));
 
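Review bot: In the new else branch (rpl == FAKED_REPLY), populate_leg_info() is skipped but execution still falls through to "dlg->start_ts = (unsigned int)(time(0));", so a dialog already logged as "confirmed" gets a start time with no callee tag, cseq, contact or record route saved. Consider testing for FAKED_REPLY before this block and leaving the confirmed path there (log and return, or take the failure handling), rather than only guarding the dereference; if falling through is intended, a comment on the else branch saying why would help. The "tag.s = 0; tag.len = 0;" assignments in the else branch have no reader in the visible lines now that populate_leg_info() sits inside the if. This hunk guards only this block, so any other use of rpl in dlg_onreply() outside it needs the same check.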


----------------------------------------------------------------------

_______________________________________________
Devel mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/devel