Bugs item #2797928, was opened at 2009-05-28 15:54
Message generated for change (Comment added) made by axlh
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=743020&aid=2797928...

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: modules
Group: ver 1.5.x
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Alex Hermann (axlh)
Assigned to: Nobody/Anonymous (nobody)
Summary: Segfaults in dialog_update_db

Initial Comment: dialog_update_db() is very crashy. It doesn't do any sanity checks on pointers and as a consequence crashes a lot.
I've seen at least 2 occasions at which it crashes:
1) Calling dlg_manage() on a non-invite message
2) Worse, on an invalid message. When a 200 OK is missing a contact header, I get error messages from populate_leg_info():
ERROR:dialog:populate_leg_info: bad sip message or missing Contact hdr
ERROR:dialog:dlg_onreply: could not add further info to the dialog
But afterwards dialog_update_db segfaults on an invalid bind_addr, from the backtrace:
(gdb) bt
#0 0xb783c41a in dialog_update_db (ticks=771000, param=0x0) at dlg_db_handler.c:629
#1 0x080a9726 in start_timer_processes () at timer.c:282
#2 0x08069b38 in main (argc=10, argv=0xbfc6f2d4) at main.c:816

Line 629 is for my version:
SET_STR_VALUE(values+8, cell->bind_addr[DLG_CALLEE_LEG]->sock_str);

(gdb) bt full
<snip>
{type = DB_STR, nul = 0, free = -1282894544, val = {int_val = 178, ll_val = -5201380350948802382, double_val = -7.7990737395388139e-40, time_val = 178, string_val = 0xb2 "", str_val = {s = 0xb2 "", len = -1211040735}, blob_val = {s = 0xb2 "", len = -1211040735}, bitmap_val = 178}}
<snip>
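
An illustration of the missing pointer check described in the report above, added here as an example; it is not the project's source and not the fix that was committed. The types and the helper `set_sock_value()` are simplified stand-ins assumed for the demonstration, and the socket string is constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for the module's types (assumed for this example). */
typedef struct { const char *s; int len; } str;
struct socket_info { str sock_str; };
enum { DLG_CALLER_LEG = 0, DLG_CALLEE_LEG = 1 };
struct dlg_cell { struct socket_info *bind_addr[2]; };
typedef struct { int nul; str val; } db_val;

/* Hypothetical helper: fill one DB column from a leg's socket string.
 * Returns 0 if a string was stored, 1 if the column was set to NULL
 * because the leg has no socket, -1 on invalid arguments. */
int set_sock_value(db_val *v, const struct dlg_cell *cell, int leg)
{
    const struct socket_info *si;

    if (v == NULL || cell == NULL || leg < DLG_CALLER_LEG || leg > DLG_CALLEE_LEG)
        return -1;
    si = cell->bind_addr[leg];
    if (si == NULL || si->sock_str.s == NULL || si->sock_str.len <= 0) {
        v->nul = 1;            /* store NULL rather than dereference */
        v->val.s = NULL;
        v->val.len = 0;
        return 1;
    }
    v->nul = 0;
    v->val = si->sock_str;
    return 0;
}

/* Constructed dialog: caller leg populated, callee leg never filled in,
 * as after a reply whose leg info could not be added.
 * Returns caller_result * 10 + callee_result. */
int demo_half_populated_dialog(void)
{
    static struct socket_info caller = { { "udp:192.0.2.10:5060", 19 } };
    struct dlg_cell cell = { { &caller, NULL } };
    db_val values[2];
    int rc_caller = set_sock_value(&values[0], &cell, DLG_CALLER_LEG);
    int rc_callee = set_sock_value(&values[1], &cell, DLG_CALLEE_LEG);
    return rc_caller * 10 + rc_callee;
}

int main(void)
{
    printf("result=%d\n", demo_half_populated_dialog());
    return 0;
}
```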
----------------------------------------------------------------------
Comment By: Alex Hermann (axlh)
Date: 2009-11-10 17:18
Message: I haven't had any crashes recently, so it seems fixed. I haven't, however, tried calling dlg_manage() on an INVITE anymore.
----------------------------------------------------------------------
Comment By: Daniel-Constantin Mierla (miconda)
Date: 2009-06-01 12:18
Message: Can you check latest svn? I added some safety checks ... still code to review, though...
----------------------------------------------------------------------