[ opensips-Bugs-2633350 ] Crash in dialog module+patch


SourceForge.net
Bugs item #2633350, was opened at 2009-02-24 14:01
Message generated for change (Comment added) made by bogdan_iancu
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=1086410&aid=2633350&group_id=232389

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: modules
Group: trunk
>Status: Closed
>Resolution: Fixed
Priority: 9
Private: No
Submitted By: Vasil Kolev (krokodilerian)
Assigned to: Bogdan-Andrei Iancu (bogdan_iancu)
Summary: Crash in dialog module+patch

Initial Comment:
When using the dialog module with realtime db usage, it crashes with the following backtrace:

(gdb) bt
#0  0xb77f9104 in update_dialog_dbinfo (cell=0xb57ba410) at dlg_db_handler.c:511
#1  0xb7800370 in dlg_onreply (t=0xb57b0db8, type=128, param=0xb78c1b34) at dlg_handlers.c:323
#2  0xb789d22b in run_trans_callbacks (type=128, trans=0xb57b0db8, req=0xb57bb6f0, rpl=0xffffffff, code=200) at t_hooks.c:208
#3  0xb78b2cf3 in _reply_light (trans=0xb57b0db8,
    buf=0x819f428 "SIP/2.0 200 OK\r\nVia: SIP/2.0/UDP 89.253.129.130:27819;branch=z9hG4bK-d8754z-cb4ec1c38ba46444-1---d8754z-;rport=27819\r\nTo: <sip:vasil.kolev%[hidden email];transport=UDP>;tag=945b7285134e5"..., len=<value optimized out>, code=200, to_tag=0xb78d2a40 "945b7285134e5709ca8a0d8ffb065070-ab6d", to_tag_len=37, lock=1, bm=0xbfd0106c) at t_reply.c:373
#4  0xb78b3425 in _reply (trans=0xb57b0db8, p_msg=<value optimized out>, code=200, text=0xb77a4b08, lock=1) at t_reply.c:446
#5  0xb78a75ba in w_t_reply (msg=0x819dfb0, str1=0xc8 <Address 0xc8 out of bounds>, str2=0xb77a4b08 ">\az�\002") at tm.c:863
#6  0xb7d5beba in sig_send_reply_mod (msg=0x819dfb0, code=200, reason=0xb77a4b08, to_tag=0xbfd012f8) at signaling.c:178
#7  0xb779708a in send_2XX_reply (msg=0x819dfb0, reply_code=200, lexpire=<value optimized out>, rtag=0xbfd012f8, local_contact=0xbfd01324) at subscribe.c:112
#8  0xb7797d72 in update_subscription (msg=0x819dfb0, subs=0xbfd012c4, init_req=1) at subscribe.c:378
#9  0xb779c72b in handle_subscribe (msg=0x819dfb0, str1=0x0, str2=0x0) at subscribe.c:699
#10 0x08055591 in do_action (a=0x8196618, msg=0x819dfb0) at action.c:961
#11 0x080541e2 in run_action_list (a=0x8196618, msg=0x819dfb0) at action.c:139
#12 0x08056ecd in do_action (a=0x8197550, msg=0x819dfb0) at action.c:705
#13 0x080541e2 in run_action_list (a=0x8197550, msg=0x819dfb0) at action.c:139
#14 0x08057529 in do_action (a=0x81975b8, msg=0x819dfb0) at action.c:711
#15 0x080541e2 in run_action_list (a=0x81960a8, msg=0x819dfb0) at action.c:139
#16 0x08056914 in do_action (a=0x81934e0, msg=0x819dfb0) at action.c:119
#17 0x080541e2 in run_action_list (a=0x81934e0, msg=0x819dfb0) at action.c:139
#18 0x08056ecd in do_action (a=0x8193548, msg=0x819dfb0) at action.c:705
#19 0x080541e2 in run_action_list (a=0x818e390, msg=0x819dfb0) at action.c:139
#20 0x08057ee1 in run_top_route (a=0x818e390, msg=0x819dfb0) at action.c:119
#21 0x0809228c in receive_msg (
    buf=0x8164220 "SUBSCRIBE sip:vasil.kolev%[hidden email];transport=UDP SIP/2.0\r\nVia: SIP/2.0/UDP 89.253.129.130:27819;branch=z9hG4bK-d8754z-cb4ec1c38ba46444-1---d8754z-;rport\r\nMax-Forwards: 69\r\nContact:"..., len=933, rcv_info=0xbfd020a4) at receive.c:165
#22 0x080cdf4b in udp_rcv_loop () at udp_server.c:449
#23 0x0806c3af in main (argc=1, argv=0xbfd02234) at main.c:778


When investigating it, it turned out that cell->bind_addr[DLG_CALLEE_LEG] is NULL, and while trying to dereference that to get the sock_str, it crashes. I added a check and a specific str null_element to update it right.

Also, there was a strange typo in the LM_DBG there, it was using the value from the cell->bind_addr[DLG_CALLEE_LEG]->sock_str, but the length from cell->bind_addr[DLG_CALLER_LEG]->sock_str.

Patch attached (against trunk).
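As an added illustration (not the attached patch, which is not on this page), here is a stand-alone C sketch of the two defects described above: the unchecked dereference of cell->bind_addr[DLG_CALLEE_LEG] and the mismatched len/pointer pair in the LM_DBG call, next to a hardened form that NULL-checks each leg and falls back to an empty null_element str. The types, field names and sample socket strings are constructed stand-ins, not the OpenSIPS definitions.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in types constructed for this example; they mirror only the fields
 * the bug report talks about, not the real OpenSIPS definitions. */
typedef struct { char *s; int len; } str;
typedef struct { str sock_str; } socket_info;
#define DLG_CALLER_LEG 0
#define DLG_CALLEE_LEG 1
typedef struct { socket_info *bind_addr[2]; } dlg_cell;

/* Empty str used for a leg that has no socket yet (the report's "null_element"). */
static str null_element = { "", 0 };

/* Reproduces the mismatch the report found in the LM_DBG call: the callee's
 * string printed with the caller's length. Dereferences both legs unchecked,
 * so it is only called here when both are bound. */
int dbg_sock_line_buggy(const dlg_cell *cell, char *buf, size_t n) {
    return snprintf(buf, n, "caller=%.*s callee=%.*s",
        cell->bind_addr[DLG_CALLER_LEG]->sock_str.len, cell->bind_addr[DLG_CALLER_LEG]->sock_str.s,
        cell->bind_addr[DLG_CALLER_LEG]->sock_str.len, cell->bind_addr[DLG_CALLEE_LEG]->sock_str.s);
}

/* Hardened form: check the pointer before dereferencing and substitute
 * null_element, so the DB update and the debug line never touch a NULL leg. */
static const str *leg_sock_str(const dlg_cell *cell, int leg) {
    const socket_info *si = cell->bind_addr[leg];
    return si ? &si->sock_str : &null_element;
}
int dbg_sock_line(const dlg_cell *cell, char *buf, size_t n) {
    const str *caller = leg_sock_str(cell, DLG_CALLER_LEG);
    const str *callee = leg_sock_str(cell, DLG_CALLEE_LEG);
    /* every %.*s is paired with its own len */
    return snprintf(buf, n, "caller=%.*s callee=%.*s",
                    caller->len, caller->s, callee->len, callee->s);
}

/* Constructed sample: a dialog whose callee leg is not bound yet, as in the crash. */
int demo_callee_missing(char *buf, size_t n) {
    static socket_info caller = { { "udp:10.0.0.1:5060", 17 } };
    dlg_cell cell = { { &caller, NULL } };
    return dbg_sock_line(&cell, buf, n);
}
/* Constructed sample with both legs bound, to show the truncation the len typo causes. */
int demo_both_bound(char *buf, size_t n, int use_buggy) {
    static socket_info caller = { { "udp:10.0.0.1:5060", 17 } };
    static socket_info callee = { { "tcp:192.0.2.10:5061", 19 } };
    dlg_cell cell = { { &caller, &callee } };
    return use_buggy ? dbg_sock_line_buggy(&cell, buf, n) : dbg_sock_line(&cell, buf, n);
}
```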

----------------------------------------------------------------------

>Comment By: Bogdan-Andrei Iancu (bogdan_iancu)
Date: 2009-02-26 11:47

Message:
Hi Vasil,

I committed the fix (1.4 + 1.5 versions) - the same fix had to be applied in
a similar other place.

Thanks & Regards,
Bogdan


----------------------------------------------------------------------

Comment By: Bogdan-Andrei Iancu (bogdan_iancu)
Date: 2009-02-24 16:39

Message:
Hi Vasil,

it seems like a bug - I will review the patch and apply it asap.

Thanks and regards,
Bogdan

----------------------------------------------------------------------


_______________________________________________
Devel mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/devel