<h3>Description</h3>
<p>The <code>dialog</code> module is configured with <code>db_mode</code> 1 (realtime). When it receives the following broken SIP <code>200</code> response (6 bytes are missing between the headers and the body), Kamailio crashes:</p>
<pre><code>SIP/2.0 200 OK
Via: SIP/2.0/UDP 1.2.3.4;branch=z9hG4bKa185.ad1e5804a90a4f79fa2b09b3b2118053.0
Via: SIP/2.0/UDP 2.3.4.5:7016;received=2.3.4.5;branch=z9hG4bK370933d4;rport=7016
Record-Route: <sip:1.2.3.4;lr=on;did=c41.dee>
From: "1234" <sip:1234@example.com>;tag=as4cbf81fd
To: <sip:2345@example.com>;tag=3450065082
Call-ID: 727ca44f1e962eb321143475380dfbd9@example.com
CSeq: 102 INVITE
Contact: <sip:2345@3.4.5.6:12500>
Content-Type: application/sdp
Allow: INVITE, INFO, PRACK, ACK, BYE, CANCEL, OPTIONS, NOTIFY, REGISTER, SUBSCRIBE, REFER, PUBLISH, UPDATE, MESSAGE
Content-Length: 2170
o=- 20568 20568 IN IP4 3.4.5.6
s=SDP data
c=IN IP4 3.4.5.6
t=0 0
m=audio 13002 RTP/AVP 8 101
a=rtpmap:8 PCMA/8000
a=ptime:20
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=sendrecv
</code></pre>
<p>Crash happens in <a href="https://github.com/kamailio/kamailio/blob/master/src/modules/dialog/dlg_db_handler.c#L869-L874">dlg_db_handler.c</a></p>
<pre><code>         LM_DBG("sock_info is %.*s\n", 
                        cell->bind_addr[DLG_CALLER_LEG]->sock_str.len,
                        cell->bind_addr[DLG_CALLEE_LEG]->sock_str.s);

                SET_STR_VALUE(values+7, cell->bind_addr[DLG_CALLER_LEG]->sock_str);
                SET_STR_VALUE(values+8, cell->bind_addr[DLG_CALLEE_LEG]->sock_str);
</code></pre>
<h4>Debugging Data</h4>
<pre><code>Thread 1 (Thread 0x7fc64b620700 (LWP 2333)):
+bt
#0  0x00007fc641675b63 in update_dialog_dbinfo_unsafe (cell=0x7fc619a71ff8) at dlg_db_handler.c:784
#1  0x00007fc641676852 in update_dialog_dbinfo (cell=0x7fc619a71ff8) at dlg_db_handler.c:881
#2  0x00007fc64167c861 in dlg_onreply (t=0x7fc61d7888f0, type=1048576, param=0x7ffe1ce712f0) at dlg_handlers.c:509
#3  0x00007fc6443f4f17 in run_trans_callbacks_internal (cb_lst=0x7fc61d788960, type=1048576, trans=0x7fc61d7888f0, params=0x7ffe1ce712f0) at t_hooks.c:260
#4  0x00007fc6443f5144 in run_trans_callbacks_with_buf (type=1048576, rbuf=0x7fc61d7889b0, req=0x7fc61ec43928, repl=0x7fc646dcbd80, flags=0) at t_hooks.c:305
#5  0x00007fc6443aaabc in relay_reply (t=0x7fc61d7888f0, p_msg=0x7fc646dcbd80, branch=0, msg_status=200, cancel_data=0x7ffe1ce71580, do_put_on_wait=1) at t_reply.c:1950
#6  0x00007fc6443ae844 in reply_received (p_msg=0x7fc646dcbd80) at t_reply.c:2521
#7  0x000055fd54405df6 in do_forward_reply (msg=0x7fc646dcbd80, mode=0) at core/forward.c:749
#8  0x000055fd5440784b in forward_reply (msg=0x7fc646dcbd80) at core/forward.c:851
#9  0x000055fd544522d2 in receive_msg (buf=0x55fd5492d080 <buf> "SIP/2.0 200 OK\r\nVia: SIP/2.0/UDP ...", len=960, rcv_info=0x7ffe1ce71ad0) at core/receive.c:341
#10 0x000055fd5436e207 in udp_rcv_loop () at core/udp_server.c:515
#11 0x000055fd542dc608 in main_loop () at main.c:1623
#12 0x000055fd542e46a9 in main (argc=13, argv=0x7ffe1ce71f78) at main.c:2642
</code></pre>
<h3>Possible Solutions</h3>
<p>Check <code>bind_addr</code> before accessing.</p>
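<p>As an added example (not Kamailio's own code), a hardened form of the two <code>SET_STR_VALUE</code> assignments that refuses to build the DB row when either leg has no bound socket; the <code>str</code>, <code>socket_info</code> and <code>dlg_cell</code> stand-ins, <code>set_sock_values</code> and the <code>demo_*</code> helpers are constructed for this example and only mirror the field names in the snippet above.</p>

```c
#include <stdio.h>
/* Constructed stand-ins for Kamailio's str, socket_info and dlg_cell
 * (field names follow the snippet in the issue; they are not the real structs). */
typedef struct { char *s; int len; } str;
typedef struct { str sock_str; } socket_info;
enum { DLG_CALLER_LEG = 0, DLG_CALLEE_LEG = 1 };
typedef struct { socket_info *bind_addr[2]; } dlg_cell;

#define SET_STR_VALUE(dst, src) do { *(dst) = (src); } while (0)
/* Hardened version of the crashing assignments: bail out with -1 when either
 * leg has no bound socket instead of dereferencing a NULL bind_addr. The
 * caller (update_dialog_dbinfo_unsafe in the real code) would then skip the
 * DB row rather than segfault on a dialog built from a broken reply. */
int set_sock_values(const dlg_cell *cell, str *values)
{
    static const str empty = { "", 0 };
    int leg;
    for (leg = DLG_CALLER_LEG; leg <= DLG_CALLEE_LEG; leg++) {
        if (cell->bind_addr[leg] == NULL) {
            fprintf(stderr, "dialog: bind_addr for leg %d not set, skipping DB update\n", leg);
            values[7] = empty;
            values[8] = empty;
            return -1;
        }
    }
    SET_STR_VALUE(values + 7, cell->bind_addr[DLG_CALLER_LEG]->sock_str);
    SET_STR_VALUE(values + 8, cell->bind_addr[DLG_CALLEE_LEG]->sock_str);
    return 0;
}

/* Constructed sample: both legs bound, as for a well-formed 200 OK.
 * Returns the callee sock_str length (16) so the result can be checked. */
int demo_complete_dialog(void)
{
    socket_info si = { { "udp:1.2.3.4:5060", 16 } };
    dlg_cell cell = { { &si, &si } };
    str values[9];
    return set_sock_values(&cell, values) == 0 ? values[8].len : -1;
}

/* Constructed sample: callee leg never bound (the situation behind the
 * crash). Returns 1 if the call was rejected safely without dereferencing. */
int demo_missing_callee_leg(void)
{
    socket_info si = { { "udp:1.2.3.4:5060", 16 } };
    dlg_cell cell = { { &si, NULL } };
    str values[9];
    return set_sock_values(&cell, values) == -1 && values[8].len == 0;
}
```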
<h3>Additional Information</h3>
<p>The version was 5.0.x, but at least the code in <code>dlg_handler.c</code> hasn't been modified in <code>master</code> since then.</p>
