Avoid crash (dereferencing null pointer) if there is no VIA header in sip message

You can view, comment on, or merge this pull request online at:
https://github.com/kamailio/kamailio/pull/952
-- Commit Summary --
* bugfix in topoh module: avoid crashing (dereferencing null pointer) if there is no VIA header in sip message
-- File Changes --
M modules/topoh/th_msg.c (3)
-- Patch Links --
https://github.com/kamailio/kamailio/pull/952.patch
https://github.com/kamailio/kamailio/pull/952.diff
I am curious when this was happening, because there should be at least one via header and iirc, there is basic parsing done for it and lack of a via should trigger an error.
I will merge the patch, but first in master and then pick it into 4.4.
@miconda: You are right, the Via header was present as indicated in this backtrace (see `#10`). However, for some reason, the via parameter in #0 was NULL.
```
Program terminated with signal 11, Segmentation fault.
#0 0x00007fa8d159ac95 in th_get_via_cookie (msg=0x7ffdf612dc10, via=0x0) at th_msg.c:957
957 for(p=via->param_lst; p; p=p->next)
Missing separate debuginfos, use: debuginfo-install cyrus-sasl-lib-2.1.26-20.el7_2.x86_64 glibc-2.17-157.el7_3.1.x86_64 jansson-2.4-6.el7.x86_64 json-c-0.11-4.el7_0.x86_64 keyutils-libs-1.5.8-3.el7.x86_64 krb5-libs-1.14.1-27.el7_3.x86_64 libcom_err-1.42.9-9.el7.x86_64 libev-4.15-6.el7.x86_64 libselinux-2.5-6.el7.x86_64 nspr-4.11.0-1.el7_2.x86_64 nss-3.21.3-2.el7_3.x86_64 nss-softokn-freebl-3.16.2.3-14.4.el7.x86_64 nss-util-3.21.3-1.1.el7_3.x86_64 openldap-2.4.40-13.el7.x86_64 openssl-libs-1.0.1e-60.el7.x86_64 pcre-8.32-15.el7_2.1.x86_64 postgresql94-libs-9.4.10-1PGDG.rhel7.x86_64 zlib-1.2.7-17.el7.x86_64
(gdb) bt
#0 0x00007fa8d159ac95 in th_get_via_cookie (msg=0x7ffdf612dc10, via=0x0) at th_msg.c:957
#1 0x00007fa8d159b90c in th_get_cookie (msg=0x7ffdf612dc10, clen=0x7fa8d17aa628 <th_cookie_value+8>) at th_msg.c:1065
#2 0x00007fa8d15a3705 in th_msg_sent (data=0x7ffdf612e450) at topoh_mod.c:403
#3 0x00000000005e16dd in sr_event_exec (type=2, data=0x7ffdf612e450) at events.c:231
#4 0x00007fa8d8438662 in msg_send_buffer (dst=0x7fa8d4624650, buf=0x7fa8dd4cfc10 "SIP/2.0 487 Request Terminated\r\nFrom: "84471099984" sip:84471099984@192.168.51.1;tag=323189895\r\nTo: sip:841236404100@192.168.51.1:5060;tag=5761265b6273333e\r\nServer: VOS2009 V2.1.2.0\r\nCSeq: 143 INV"..., len=389, flags=0) at ../../forward.h:138
#5 0x00007fa8d843c675 in send_pr_buffer (rb=0x7fa8d4624600, buf=0x7fa8dd4cfc10, len=389) at t_funcs.c:70
#6 0x00007fa8d83e6f2b in relay_reply (t=0x7fa8d4624540, p_msg=0x7fa8dd4f0070, branch=1, msg_status=487, cancel_data=0x7ffdf612e8e0, do_put_on_wait=1) at t_reply.c:1943
#7 0x00007fa8d83ea3f8 in reply_received (p_msg=0x7fa8dd4f0070) at t_reply.c:2466
#8 0x000000000053620b in do_forward_reply (msg=0x7fa8dd4f0070, mode=0) at forward.c:747
#9 0x00000000005379c9 in forward_reply (msg=0x7fa8dd4f0070) at forward.c:849
#10 0x000000000059291c in receive_msg ( buf=0xa12b00 <buf.6635> "SIP/2.0 487 Request Terminated\r\nVia: SIP/2.0/UDP 163.44.192.229;branch=z9hG4bK0a54.95248b9941e41f2ea14c3391d07c3615.1\r\nFrom: "84471099984" sip:84471099984@192.168.51.1;tag=323189895\r\nTo: <sip:841236"..., len=476, rcv_info=0x7ffdf612ed60) at receive.c:299
#11 0x00000000004bca5e in udp_rcv_loop () at udp_server.c:495
#12 0x0000000000544b3e in main_loop () at main.c:1614
#13 0x000000000054c08f in main (argc=5, argv=0x7ffdf612f278) at main.c:2631
(gdb) p via
$1 = (struct via_body *) 0x0
(gdb)
```
Thanks! I will try to look more into it and see if there is something wrong. Your patch is in master and 4.4 branches now.
Closed #952.
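
An added illustration of the failure mode in frame #0, not the patch from this pull request and not Kamailio code: a parameter-list walk that checks the Via pointer before the loop and tells the caller whether the Via or only the cookie was missing. The structures are simplified stand-ins, and the names `via_cookie`, `cookie_rc` and the parameter name `cookie` are assumptions made for the example.

```c
#include <stddef.h>
#include <string.h>

/* Simplified stand-ins for the parser's Via structures (assumption:
 * only the fields the loop at th_msg.c:957 touches are modelled). */
struct via_param { const char *name; const char *value; struct via_param *next; };
struct via_body  { struct via_param *param_lst; };

enum cookie_rc { COOKIE_NO_VIA = -1, COOKIE_ABSENT = 0, COOKIE_FOUND = 1 };

/* Walk the parameter list only after checking the Via itself.
 * A NULL via is reported to the caller instead of being dereferenced. */
static enum cookie_rc via_cookie(const struct via_body *via, const char *name,
                                 const char **value)
{
    const struct via_param *p;

    *value = NULL;
    if (via == NULL)
        return COOKIE_NO_VIA;
    for (p = via->param_lst; p != NULL; p = p->next) {
        if (p->name != NULL && strcmp(p->name, name) == 0) {
            *value = p->value;
            return COOKIE_FOUND;
        }
    }
    return COOKIE_ABSENT;
}

/* Constructed inputs: a Via carrying a branch and a cookie parameter, a
 * Via with no parameters, and no Via at all (the via=0x0 case above). */
static struct via_param cookie_p = { "cookie", "constructed-value", NULL };
static struct via_param branch_p = { "branch", "z9hG4bK-constructed", &cookie_p };
static struct via_body via_with_cookie = { &branch_p };
static struct via_body via_no_params = { NULL };

int main(void)
{
    const char *v;
    int ok = via_cookie(&via_with_cookie, "cookie", &v) == COOKIE_FOUND
          && via_cookie(&via_no_params, "cookie", &v) == COOKIE_ABSENT
          && via_cookie(NULL, "cookie", &v) == COOKIE_NO_VIA;
    return ok ? 0 : 1;
}
```

Returning a distinct code for the missing-Via case lets the caller log and skip the message rather than treat it the same as a Via that simply lacks the cookie.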