[tracker] Task opened: Double Free -- Crash/Coredump and possible security vulnerability - sr-dev

7 Nov 2011


      THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY.
A new Flyspray task has been opened.  Details are below.
User who did this - Bayan Towfiq (btowfiq)
Attached to Project - sip-router
Summary - Double Free -- Crash/Coredump and possible security vulnerability
Task Type - Bug Report
Category - dialog
Status - Assigned
Assigned To - Timo Reimann
Operating System - Linux
Severity - Critical
Priority - Normal
Reported Version - Development
Due in Version - Undecided
Due Date - Undecided
Details - version: kamailio 3.2.0 (x86_64/linux) 639f0a
flags: STATS: Off, USE_IPV6, USE_TCP, USE_TLS, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MEM, SHM_MMAP, PKG_MALLOC, DBG_QM_MALLOC, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLACKLIST, HAVE_RESOLV_RES
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 4MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
id: 639f0a 
compiled on 07:18:31 Oct 29 2011 with gcc 4.4.3
Dialog module crashed in kamailio 3.2.0 with the following log error (double free) and below backtrace.  This is a potential remote security vulnerability in addition to the crash which is why severity is set to Critical.  Please let me know if further information is needed to debug.
Nov  6 18:04:33 guru /usr/local/sbin/kamailio[8282]: CRITICAL: dialog [dlg_hash.c:597]: bogus ref -1 with cnt 1 for dlg 0x7f47dbd0eee8 [16086:1982422345] with clid '1124787051_76787956@4.55.17.35' and tags 'gK0a13fca4' '' Nov  6 18:04:33 guru /usr/local/sbin/kamailio[8282]: : <core> [mem/q_malloc.c:457]: BUG: qm_free: freeing already freed pointer, first free: dialog: dlg_hash.c: destroy_dlg(217) - aborting Nov  6 18:04:33 guru /usr/local/sbin/kamailio[8294]: : <core> [pass_fd.c:293]: ERROR: receive_fd: EOF on 18 Nov  6 18:04:33 guru /usr/local/sbin/kamailio[8272]: ALERT: <core> [main.c:751]: child process 8282 exited by a signal 6 Nov  6 18:04:33 guru /usr/local/sbin/kamailio[8272]: ALERT: <core> [main.c:754]: core was generated Nov  6 18:05:33 guru /usr/local/sbin/kamailio[8272]: : <core> [main.c:660]: BUG: shutdown timeout triggered, dying... Nov  6 18:05:34 guru init: kamailio main process (8272) killed by ABRT signal Nov  6 18:05:34 guru init: kamailio main process ended,
respawning Nov  6 18:05:34 guru kamailio: WARNING: <core> [daemonize.c:352]: pid file contains old pid, replacing pid
Full backtrace below:
(gdb) bt full
#0  0x00007f47f38b3a75 in raise () from /lib/libc.so.6
No symbol table info available.
#1  0x00007f47f38b75c0 in abort () from /lib/libc.so.6
No symbol table info available.
#2  0x0000000000534708 in qm_free (qm=0x7f47db9be000, p=0x7f47dbe5d3a8, file=0x7f47ec231bef "dialog: dlg_hash.c", func=0x7f47ec231f52 "destroy_dlg", line=217) at mem/q_malloc.c:458
        f = 0x7f47dbe5d378
        size = <value optimized out>
#3  0x00007f47ec218161 in destroy_dlg (dlg=0x7f47dbd0eee8) at dlg_hash.c:217
        ret = <value optimized out>
        __FUNCTION__ = "destroy_dlg"
#4  0x00007f47ec21a545 in unref_dlg (dlg=0x7f47dbd0eee8, cnt=0) at dlg_hash.c:597
        d_entry = 0x7f47dbcb1c80
#5  0x00007f47f193d5bd in free_cell (dead_cell=0x7f47dbe48920) at h_table.c:175
        b = <value optimized out>
        i = <value optimized out>
        rpl = <value optimized out>
        tt = <value optimized out>
        foo = <value optimized out>
        cbs = 0x7f47dbcc5970
        __FUNCTION__ = "free_cell"
#6  0x00007f47f195991b in wait_handler (ti=<value optimized out>, wait_tl=<value optimized out>, data=<value optimized out>) at timer.c:676
        p_cell = 0x7f47dbe48920
#7  0x000000000051f4fd in timer_list_expire () at timer.c:894
        tl = 0x7f47dbe489a0
        ret = <value optimized out>
#8  timer_handler () at timer.c:959
        saved_ticks = 444520143
        run_slow_timer = <value optimized out>
#9  timer_main () at timer.c:998
No locals.
#10 0x000000000046454f in main_loop () at main.c:1655
        i = 8
        pid = <value optimized out>
        si = 0x0
        si_desc = "udp receiver child=7 sock=70.167.153.130:5060\000\000\000\000\000@\020", '\000' <repeats 12 times>, "\016\b\000\000\000\000\000\000\000\200\271،*\306v&\000\000\000\000\000\000\000\001\000\000\000\000\000\000\000\300\v\215\000\000\000\000\000"\000\000\000\000\000\000\000\000\000@\020", '\000' <repeats 11 times>
#11 0x0000000000465dd2 in main (argc=11, argv=0x7fff47fcb288) at main.c:2475
        cfg_stream = <value optimized out>
        c = <value optimized out>
        r = <value optimized out>
        tmp = 0x7fff47fcbe83 ""
        tmp_len = 0
        port = <value optimized out>
        proto = <value optimized out>
        ret = <value optimized out>
        seed = 1033789824
        rfd = <value optimized out>
        debug_save = 272629760
        debug_flag = 34
        dont_fork_cnt = 0
        n_lst = 0x10400000
        p = <value optimized out>
(gdb)
More information can be found at the following URL:
http://sip-router.org/tracker/index.php?do=details&task_id=173
You are receiving this message because you have requested it from the Flyspray bugtracking system.  If you did not expect this message or don't want to receive mails in future, you can change your notification settings at the URL shown above.