Re: [sr-dev] [kamailio/kamailio] Segmentation fault on tm:t_should_relay_response (#1875)

Hello @miconda , i think this patch introduced a new bug on tmx module. Now i'm getting a segfault on tmx.so:

### Log ``` [345284.567219] kamailio[88343]: segfault at 1f4 ip 00007fa4b771f934 sp 00007ffd06a1e710 error 4 in tmx.so[7fa4b770c000+1d000] [345332.406311] kamailio[88635]: segfault at 1f4 ip 00007fcb136e0934 sp 00007ffeda371e60 error 4 in tmx.so[7fcb136cd000+1d000] [345488.107701] kamailio[88940]: segfault at 1f4 ip 00007f2fffba9934 sp 00007fff2bf8b7f0 error 4 in tmx.so[7f2fffb96000+1d000] [345517.133371] kamailio[89337]: segfault at 244 ip 00007f7ae3d19934 sp 00007fff6f699350 error 4 in tmx.so[7f7ae3d06000+1d000] [345546.632373] kamailio[89602]: segfault at 1f4 ip 00007f02d6019934 sp 00007ffe5d33ac50 error 4 in tmx.so[7f02d6006000+1d000] [345568.432423] kamailio[89742]: segfault at 1f4 ip 00007f4e5094a934 sp 00007fffd5915930 error 4 in tmx.so[7f4e50937000+1d000] ``` ###GDB info ```

(gdb) frame 0 #0 0x00007f4e5094a934 in pv_get_tm_reply_code (msg=0x7f4e2cd14cb8, param=0x7f4e55a61328, res=0x7fffd5915aa0) at t_var.c:528 528 code = t->uac[branch].last_received;

(gdb) info locals t = 0x7f4e2cd0d928 code = 32590 branch = 0 __FUNCTION__ = "pv_get_tm_reply_code"

(gdb) list 523 if ( (branch=_tmx_tmb.t_get_picked_branch())<0 ) { 524 LM_CRIT("no picked branch (%d) for a final response" 525 " in MODE_ONFAILURE\n", branch); 526 code = 0; 527 } else { 528 code = t->uac[branch].last_received; 529 } 530 break; 531 default: 532 LM_INFO("unsupported route_type %d - code set to 0\n",

(gdb) bt #0 0x00007f4e5094a934 in pv_get_tm_reply_code (msg=0x7f4e2cd14cb8, param=0x7f4e55a61328, res=0x7fffd5915aa0) at t_var.c:528 #1 0x00000000005d0874 in pv_get_spec_value (msg=0x7f4e2cd14cb8, sp=0x7f4e55a61310, value=0x7fffd5915aa0) at core/pvapi.c:1380 #2 0x0000000000582062 in lval_pvar_assign (h=0x7fffd5916340, msg=0x7f4e2cd14cb8, lv=0x7f4e55a61098, rv=0x7f4e55a61308) at core/lvalue.c:335 #3 0x0000000000582d91 in lval_assign (h=0x7fffd5916340, msg=0x7f4e2cd14cb8, lv=0x7f4e55a61098, rve=0x7f4e55a61300) at core/lvalue.c:400 #4 0x000000000059647d in do_action (h=0x7fffd5916340, a=0x7f4e55a61a30, msg=0x7f4e2cd14cb8) at core/action.c:1443 #5 0x0000000000597f6e in run_actions (h=0x7fffd5916340, a=0x7f4e55a60d68, msg=0x7f4e2cd14cb8) at core/action.c:1564 #6 0x0000000000598683 in run_top_route (a=0x7f4e55a60d68, msg=0x7f4e2cd14cb8, c=0x0) at core/action.c:1646 #7 0x00007f4e50bb877f in run_failure_handlers (t=0x7f4e2cd0d928, rpl=0xffffffffffffffff, code=408, extra_flags=96) at t_reply.c:1002 #8 0x00007f4e50bbbc55 in t_should_relay_response (Trans=0x7f4e2cd0d928, new_code=408, branch=0, should_store=0x7fffd59166fc, should_relay=0x7fffd5916700, cancel_data=0x7fffd59167b0, reply=0xffffffffffffffff) at t_reply.c:1376 #9 0x00007f4e50bbef0b in relay_reply (t=0x7f4e2cd0d928, p_msg=0xffffffffffffffff, branch=0, msg_status=408, cancel_data=0x7fffd59167b0, do_put_on_wait=0) at t_reply.c:1802 #10 0x00007f4e50c20b5b in fake_reply (t=0x7f4e2cd0d928, branch=0, code=408) at timer.c:340 #11 0x00007f4e50c20fe8 in final_response_handler (r_buf=0x7f4e2cd0db50, t=0x7f4e2cd0d928) at timer.c:506 #12 0x00007f4e50c21097 in retr_buf_handler (ticks=262070135, tl=0x7f4e2cd0db70, p=0x3e8) at timer.c:562 #13 0x00000000004a0134 in timer_list_expire (t=262070135, h=0x7f4e2c741690, slow_l=0x7f4e2c7418c8, slow_mark=0) at core/timer.c:874 #14 0x00000000004a0595 in timer_handler () at core/timer.c:939 #15 0x00000000004a0a3f in timer_main () at core/timer.c:978 #16 0x0000000000425416 in main_loop () at main.c:1693 #17 0x000000000042c078 in main (argc=9, argv=0x7fffd5916e18) at main.c:2645

(gdb) bt full #0 0x00007f4e5094a934 in pv_get_tm_reply_code (msg=0x7f4e2cd14cb8, param=0x7f4e55a61328, res=0x7fffd5915aa0) at t_var.c:528 t = 0x7f4e2cd0d928 code = 32590 branch = 0 __FUNCTION__ = "pv_get_tm_reply_code" #1 0x00000000005d0874 in pv_get_spec_value (msg=0x7f4e2cd14cb8, sp=0x7f4e55a61310, value=0x7fffd5915aa0) at core/pvapi.c:1380 ret = 0 __FUNCTION__ = "pv_get_spec_value" #2 0x0000000000582062 in lval_pvar_assign (h=0x7fffd5916340, msg=0x7f4e2cd14cb8, lv=0x7f4e55a61098, rv=0x7f4e55a61308) at core/lvalue.c:335 pvar = 0x7f4e55a60fb8 pval = {rs = {s = 0x0, len = 0}, ri = 0, flags = 0} r_avp = 0x7fffd5916178 avp_val = {n = 631, s = {s = 0x277 <Address 0x277 out of bounds>, len = 1490070754}, re = 0x277} ret = 0 v = 110 destroy_pval = 0 __FUNCTION__ = "lval_pvar_assign" #3 0x0000000000582d91 in lval_assign (h=0x7fffd5916340, msg=0x7f4e2cd14cb8, lv=0x7f4e55a61098, rve=0x7f4e55a61300) at core/lvalue.c:400 rv = 0x7f4e55a61308 ret = 0 __FUNCTION__ = "lval_assign" #4 0x000000000059647d in do_action (h=0x7fffd5916340, a=0x7f4e55a61a30, msg=0x7f4e2cd14cb8) at core/action.c:1443 ret = -5 v = -711892832 dst = {send_sock = 0x3, to = {s = {sa_family = 3328, sa_data = "\261Ĥug\032\001\000\000\000\000\000\000"}, sin = {sin_family = 3328, sin_port = 50353, sin_addr = {s_addr = 442987940}, sin_zero = "\001\000\000\000\000\000\000"}, sin6 = {sin6_family = 3328, sin6_port = 50353, sin6_flowinfo = 442987940, sin6_addr = {__in6_u = {__u6_addr8 = "\001\000\000\000\000\000\000\000\314\025\227,N\177\000", __u6_addr16 = {1, 0, 0, 0, 5580, 11415, 32590, 0}, __u6_addr32 = {1, 0, 748099020, 32590}}}, sin6_scope_id = 0}}, id = -53100608, proto = -112 '\220', send_flags = {f = 54673, blst_imask = 0}} tmp = 0x130053c9b5 <Address 0x130053c9b5 out of bounds> new_uri = 0xffffffffffffffff <Address 0xffffffffffffffff out of bounds> end = 0x7c7213 "INFO" crt = 0x7fffd5916210 "" cmd = 0x7f4e2c9715b8 len = 0 user = 0 uri = {user = {s = 0x0, len = -1}, passwd = {s = 0x7f4e58cdb14d <_IO_vfprintf_internal+19661> "\200\275\360\372\377\377", len = 4}, host = {s = 0x0, len = 1493518176}, port = {s = 0x278f35b100000002 <Address 0x278f35b100000002 out of bounds>, len = 0}, params = { s = 0x7f4e2c4a44e8 "%s: %s%s(): rtp proxy <%s> found, support for it %senabled\n", len = 11}, sip_params = {s = 0x72 <Address 0x72 out of bounds>, len = 3440}, headers = {s = 0x7f4e2c4a4523 "", len = 2}, port_no = 28453, proto = 0, type = ERROR_URI_T, flags = (URI_USER_NORMALIZE | URI_SIP_USER_PHONE | unknown: 1288637520), transport = {s = 0x29a4658 "", len = 44632544}, ttl = {s = 0x0, len = 43664984}, user_param = {s = 0xfffffffe00000280 <Address 0xfffffffe00000280 out of bounds>, len = 0}, maddr = { s = 0x80002a6ea061 <Address 0x80002a6ea061 out of bounds>, len = 0}, method = {s = 0x3000000010 <Address 0x3000000010 out of bounds>, len = -711891552}, lr = {s = 0x7fffd59164e0 "\023r|", len = -711892544}, r2 = {s = 0x2ac3b80 "\a", len = 1434729520}, gr = { s = 0x7fffd5916000 "\240\071\254\002", len = 2}, transport_val = {s = 0x1 <Address 0x1 out of bounds>, len = 748099020}, ttl_val = {s = 0x7fffd5915f10 "#EJ,N\177", len = 1}, user_param_val = {s = 0x1d5916010 <Address 0x1d5916010 out of bounds>, len = 748099020}, maddr_val = {s = 0x7fffd5916010 "@a\221\325\377\177", len = 1341679493}, method_val = {s = 0x602a92e10 <Address 0x602a92e10 out of bounds>, len = 748099020}, lr_val = {s = 0x2ac39a0 "\001", len = 1490575056}, r2_val = { s = 0x7fffd5916140 "`a\221\325\377\177", len = 1341727119}, gr_val = {s = 0x0, len = 44710301}} next_hop = {user = {s = 0x7fff00000000 <Address 0x7fff00000000 out of bounds>, len = 0}, passwd = {s = 0x7fffd5916247 "", len = 0}, host = {s = 0x7fffd5915e70 " ", len = 1489875277}, port = {s = 0x3000000018 <Address 0x3000000018 out of bounds>, len = -711891952}, params = {s = 0x7fff00000000 <Address 0x7fff00000000 out of bounds>, len = -5}, sip_params = {s = 0xa00000000 <Address 0xa00000000 out of bounds>, len = 1490071084}, headers = {s = 0x8 <Address 0x8 out of bounds>, len = 0}, port_no = 0, proto = 0, type = 32590, flags = (URI_USER_NORMALIZE | URI_SIP_USER_PHONE | unknown: 743064856), transport = {s = 0x7fffd59163d0 "", len = 1493503968}, ttl = {s = 0x7fffd59164c8 "x\360\320,N\177", len = 743064808}, user_param = { s = 0x2a909e0 "\270G\005YN\177", len = 1489855931}, maddr = {s = 0x7f4e58cdb14d <_IO_vfprintf_internal+19661> "\200\275\360\372\377\377", len = 0}, method = {s = 0x7f4e2c49c885 "%d:", len = 11}, lr = { s = 0x7f4e00000002 <Address 0x7f4e00000002 out of bounds>, len = 0}, r2 = {s = 0x7f4e58e16532 "%d]", len = 11}, gr = {s = 0x3000000007 <Address 0x3000000007 out of bounds>, len = 3440}, transport_val = {s = 0x7fffd5915f50 "\200\002", len = -711893232}, ttl_val = {s = 0xb0000000a <Address 0xb0000000a out of bounds>, len = -711893276}, user_param_val = {s = 0x5c00000000 <Address 0x5c00000000 out of bounds>, len = 0}, maddr_val = {s = 0x0, len = 0}, method_val = { s = 0x3000000020 <Address 0x3000000020 out of bounds>, len = 0}, lr_val = {s = 0x7f4e58cdb14d <_IO_vfprintf_internal+19661> "\200\275\360\372\377\377", len = 0}, r2_val = {s = 0x3000000000 <Address 0x3000000000 out of bounds>, len = 0}, gr_val = { s = 0x7f4e00000000 <Address 0x7f4e00000000 out of bounds>, len = 0}} u = 0xb26f10 <ut_buf_int2str> port = 0 dst_host = 0x7c2e00 <__FUNCTION__.6168> i = 15 flags = 32590 avp = 0x7fffd59162c0 st = {flags = 743055302, id = 32590, name = {n = -1, s = {s = 0xffffffffffffffff <Address 0xffffffffffffffff out of bounds>, len = 0}, re = 0xffffffffffffffff}, avp = 0x7} sct = 0x7fffd5916140 sjt = 0x7f4e50019820 rve = 0x20000000 mct = 0x62c6fa6d0 rv = 0x7f4e58cd65bb <_IO_vfprintf_internal+315> rv1 = 0x4000000 c1 = {cache_type = 3583075336, val_type = 32767, c = {avp_val = {n = 1491166516, s = {s = 0x7f4e58e16534 "]", len = -711892240}, re = 0x7f4e58e16534}, pval = {rs = {s = 0x7f4e58e16534 "]", len = -711892240}, ri = 1493503968, flags = 32590}}, i2s = "\bc\221\325\377\177\000\000\061e\341XN\177\000\000\340\t\251\002\000"} s = {s = 0x1 <Address 0x1 out of bounds>, len = 2} srevp = {0x0, 0xffffffffffffffff} evp = {data = 0x0, rcv = 0x0, dst = 0x0} mod_f_params = {{type = NOSUBTYPE, u = {number = 0, string = 0x0, str = {s = 0x0, len = 0}, data = 0x0, attr = 0x0, select = 0x0}}, {type = NOSUBTYPE, u = {number = 0, string = 0x0, str = {s = 0x0, len = 0}, data = 0x0, attr = 0x0, select = 0x0}}, { type = NOSUBTYPE, u = {number = 0, string = 0x0, str = {s = 0x0, len = 0}, data = 0x0, attr = 0x0, select = 0x0}}, {type = NOSUBTYPE, u = {number = 0, string = 0x0, str = {s = 0x0, len = 0}, data = 0x0, attr = 0x0, select = 0x0}}, {type = NOSUBTYPE, u = { number = 0, string = 0x0, str = {s = 0x0, len = 0}, data = 0x0, attr = 0x0, select = 0x0}}, {type = NOSUBTYPE, u = {number = 0, string = 0x0, str = {s = 0x0, len = 0}, data = 0x0, attr = 0x0, select = 0x0}}, {type = NOSUBTYPE, u = {number = 0, string = 0x0, str = {s = 0x0, len = 0}, data = 0x0, attr = 0x0, select = 0x0}}, {type = NOSUBTYPE, u = {number = 0, string = 0x0, str = {s = 0x0, len = 0}, data = 0x0, attr = 0x0, select = 0x0}}} __FUNCTION__ = "do_action" #5 0x0000000000597f6e in run_actions (h=0x7fffd5916340, a=0x7f4e55a60d68, msg=0x7f4e2cd14cb8) at core/action.c:1564 t = 0x7f4e55a61a30 ret = 1 ms = 4820621 __FUNCTION__ = "run_actions" #6 0x0000000000598683 in run_top_route (a=0x7f4e55a60d68, msg=0x7f4e2cd14cb8, c=0x0) at core/action.c:1646 ctx = {rec_lev = 1, run_flags = 0, last_retcode = 1, jmp_env = {{__jmpbuf = {139974474751696, -8436678796762393242, 8155667, 90, 536870912, 67108864, -8436678796800141978, 8436736086254966118}, __mask_was_saved = 0, __saved_mask = {__val = {139973736090808, 139973736093009, 10, 17179869184, 67108864, 140736776463408, 11373999, 0, 65176423608, 9341819176, 139973736090808, 1073741826, 0, 536870912, 139974474751696, 8155667}}}}} p = 0x7fffd5916340 ret = 536870912 sfbk = 0 #7 0x00007f4e50bb877f in run_failure_handlers (t=0x7f4e2cd0d928, rpl=0xffffffffffffffff, code=408, extra_flags=96) at t_reply.c:1002 faked_req = 0x7f4e2cd14cb8 faked_req_len = 6840 shmem_msg = 0x7f4e2cd0f078 on_failure = 3 keng = 0x0 __FUNCTION__ = "run_failure_handlers" #8 0x00007f4e50bbbc55 in t_should_relay_response (Trans=0x7f4e2cd0d928, new_code=408, branch=0, should_store=0x7fffd59166fc, should_relay=0x7fffd5916700, cancel_data=0x7fffd59167b0, reply=0xffffffffffffffff) at t_reply.c:1376 branch_cnt = 1 picked_code = 408 new_branch = 582 inv_through = 0 extra_flags = 96 i = 32590 replies_dropped = 0 __FUNCTION__ = "t_should_relay_response" #9 0x00007f4e50bbef0b in relay_reply (t=0x7f4e2cd0d928, p_msg=0xffffffffffffffff, branch=0, msg_status=408, cancel_data=0x7fffd59167b0, do_put_on_wait=0) at t_reply.c:1802 relay = 895 save_clone = 0 buf = 0x0 res_len = 0 relayed_code = 0 relayed_msg = 0x0 reply_bak = 0x0 bm = {to_tag_val = {s = 0x7fffd5916710 "", len = 10879832}} totag_retr = 0 reply_status = RPS_ERROR uas_rb = 0x0 to_tag = 0xffffffffffffffff reason = {s = 0x7fffd5916800 "", len = 1354191177} onsend_params = {req = 0x1658, rpl = 0x7f4e2c6fb6c8, param = 0x7fffd59168f0, code = 1490575056, flags = 1, branch = 0, t_rbuf = 0x7fffd59166d0, dst = 0x69621b <qm_shm_gunlock+27>, send_buf = {s = 0x20000000 <Address 0x20000000 out of bounds>, len = 745283584}} ip = {af = 3583076016, len = 1, u = {addrl = {139973729695432, 140736776464048}, addr32 = {745518792, 32590, 3583076016, 32767}, addr16 = {46792, 11375, 32590, 0, 26288, 54673, 32767, 0}, addr = "ȶo,N\177\000\000\260f\221\325\377\177\000"}} __FUNCTION__ = "relay_reply" #10 0x00007f4e50c20b5b in fake_reply (t=0x7f4e2cd0d928, branch=0, code=408) at timer.c:340 cancel_data = {cancel_bitmap = 0, reason = {cause = 0, u = {text = {s = 0x0, len = 751884584}, e2e_cancel = 0x0, packed_hdrs = {s = 0x0, len = 751884584}}}} do_cancel_branch = 0 reply_status = 89742 #11 0x00007f4e50c20fe8 in final_response_handler (r_buf=0x7f4e2cd0db50, t=0x7f4e2cd0d928) at timer.c:506 silent = 0 branch_ret = 0 prev_branch = 67108864 now = 536870912 #12 0x00007f4e50c21097 in retr_buf_handler (ticks=262070135, tl=0x7f4e2cd0db70, p=0x3e8) at timer.c:562 rbuf = 0x7f4e2cd0db50 fr_remainder = 3605054132 retr_remainder = 32590 retr_interval = 745526704 new_retr_interval_ms = 4681055710 crt_retr_interval_ms = 14800566388280090447 t = 0x7f4e2cd0d928 __FUNCTION__ = "retr_buf_handler" #13 0x00000000004a0134 in timer_list_expire (t=262070135, h=0x7f4e2c741690, slow_l=0x7f4e2c7418c8, slow_mark=0) at core/timer.c:874 tl = 0x7f4e2cd0db70 ret = 0 #14 0x00000000004a0595 in timer_handler () at core/timer.c:939 saved_ticks = 262070135 run_slow_timer = 0 i = 0 __FUNCTION__ = "timer_handler" #15 0x00000000004a0a3f in timer_main () at core/timer.c:978 No locals. #16 0x0000000000425416 in main_loop () at main.c:1693 i = 32 pid = 0 si = 0x0 si_desc = "udp receiver child=31 sock=177.53.143.38:5080\000\000\000`j\221\325\377\177\000\000\320^\330XN\177\000\000\060m\221\325\377\177\000\000\023r|\000\000\000\000\000Z\000\000\000\000\000\000\000\000\000\000 \000\000\000\000\000\000\000\004\000\000\000\000__\330XN\177\000\000\200bx\000\000\000\000\000@z\216UN\177\000" nrprocs = 32 woneinit = 1 __FUNCTION__ = "main_loop" #17 0x000000000042c078 in main (argc=9, argv=0x7fffd5916e18) at main.c:2645 cfg_stream = 0x2851010 c = -1 r = 0 tmp = 0x7fffd5917f66 "" tmp_len = 0 port = 0 proto = 0 options = 0x768aa0 ":f:cm:M:dVIhEeb:l:L:n:vKrRDTN:W:w:t:u:g:P:G:SQ:O:a:A:x:X:Y:" ret = -1 seed = 4016190000 rfd = 4 debug_save = 0 debug_flag = 0 dont_fork_cnt = 0 n_lst = 0x0 p = 0x0 st = {st_dev = 20, st_ino = 32456, st_nlink = 2, st_mode = 16832, st_uid = 0, st_gid = 2, __pad0 = 0, st_rdev = 0, st_size = 40, st_blksize = 4096, st_blocks = 0, st_atim = {tv_sec = 1551072083, tv_nsec = 812037328}, st_mtim = {tv_sec = 1551417587, tv_nsec = 481360795}, st_ctim = {tv_sec = 1551417587, tv_nsec = 481360795}, __unused = {0, 0, 0}} __FUNCTION__ = "main" ```