A new Flyspray task has been opened. Details are below.
User who did this - Hugh Waite (hugh.waite)
Attached to Project - sip-router
Summary - Crash in core when freeing shm dup'ed request
Task Type - Bug Report
Category - Core
Status - New
Assigned To -
Operating System - All
Severity - High
Priority - Normal
Reported Version - Development
Due in Version - Undecided
Due Date - Undecided
Details - I have found a crash in core/tm which is easily reproducible. An OPTIONS passes through kamailio to another kamailio server which responds with a 403. The response enters a failure route and crashes (due to an abort) when attempting to free the memory in the faked_req structure.
Attached is the backtrace and the relevant section of the DEBUG level output.
It appears from the DEBUG that a pkg-memory address is stored in the shm_cloned structure, which is invalid when attempting to free from a different process. The allocated address in this core is 0x7fd12559ee28 called from parse_from_header.
This only occurs when the Via branch is 'pre-RFC3261'. In this case the perpetrator is using "branch=foo".
I think the allocation occurs in char_msg_val.h:83 where the from body is parsed to extract the tag (only for pre-3261 requests).
h_table.c:309 build_cell h_table.c:390 init_synonym_id h_table.c:274 char_msg_val
The tm module is pretty stable (last relevant change was removing the syn_branch parameter in May 2013) so I would rather have some guidance before making changes.
One or more files have been attached.
More information can be found at the following URL: http://sip-router.org/tracker/index.php?do=details&task_id=454
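The failure mode described in the report (a process-private address left inside a shared clone and later freed by another process) can be modelled as below. This is an added example, not code from the report or from Kamailio; the arenas, struct layouts and function names are hypothetical stand-ins for shm and pkg memory.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model, not Kamailio code: one shared block holding the cloned
 * request, plus one private pool per process (stand-ins for shm and pkg). */
static unsigned char shm_clone[64], pkg_a[64], pkg_b[64];
struct region { const unsigned char *start; size_t len; };
struct hdr { void *parsed; };   /* parsed body hanging off a header */

static int in_region(struct region r, const void *p)
{
    uintptr_t a = (uintptr_t)p, s = (uintptr_t)r.start;
    return a >= s && a < s + r.len;
}

/* Cleanup-time decision for one header of the faked request.
 *  0: pointer is NULL or inside the clone, leave it alone
 *  1: allocated from this process's pool, safe to free here
 * -1: outside the clone but not ours, freeing would corrupt or abort */
int release_decision(const struct hdr *h, struct region clone, struct region local)
{
    if (h->parsed == NULL || in_region(clone, h->parsed)) return 0;
    return in_region(local, h->parsed) ? 1 : -1;
}

/* Clone-time check for the creating process: number of headers whose
 * parsed pointer escapes the shared block (a private address leaking out). */
int count_escaping(const struct hdr *h, size_t n, struct region clone)
{
    int bad = 0;
    for (size_t i = 0; i < n; i++)
        if (h[i].parsed && !in_region(clone, h[i].parsed)) bad++;
    return bad;
}

/* Scenario from the report: process A parses a header after cloning and
 * leaves its private pointer in the shared copy; A or B then cleans up. */
int scenario(int cleaner_is_b)
{
    struct region clone = { shm_clone, sizeof shm_clone };
    struct region a = { pkg_a, sizeof pkg_a }, b = { pkg_b, sizeof pkg_b };
    struct hdr from = { pkg_a + 8 };            /* A's private address */
    return release_decision(&from, clone, cleaner_is_b ? b : a);
}

int escaping_in_report(void)    /* one header inside the clone, one outside */
{
    struct hdr h[2] = { { shm_clone + 4 }, { pkg_a + 8 } };
    return count_escaping(h, 2, (struct region){ shm_clone, sizeof shm_clone });
}
```

A cleanup routine that only asks "is this pointer outside the clone?" treats the foreign case as its own allocation; checking against the local pool as well separates the two.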