Hi
We experienced a crash with kamailio 4.0.5; it looks like a memory corruption.
After an analysis of the core file, it appears that it crashed while doing a str2int transformation (trying to convert the value of myvar to int):
if (($(dlg_var("myvar"){s.int}) == 0) && some_other_condition) {
    do_something();
}
gdb output:

(gdb) frame 4
#4  0x00000000004bcb77 in rval_get_btype (h=0x7fffd69713d0, msg=0x7ffc8a58a4d0, rv=0x7ffc8a3dfc18, val_cache=0x7fffd69706a0) at rvalue.c:418
418     in rvalue.c
(gdb) i loc
r_avp = 0x7fffd69709b0
tmp_avp_val = {n = -1975661232, s = {s = 0x7ffc8a3dcd50 "\034\001", len = -1973902128}, re = 0x7ffc8a3dcd50}
avpv = 0x7fffd6970928
tmp_pval = {rs = {s = 0x7ffc8a5b86e0 "route[MAIN]: call-id=52e8c2b553540db4 from=987654321 to=+1234567890 : ACK ip=10.0.x.x", len = -1975658024}, ri = -694745968, flags = 32767}
pv = 0x7fffd69706a8
tmp = RV_NONE
ptype = 0x7ffc8a58a4d0
__FUNCTION__ = "rval_get_btype"
(gdb) p *pv
$8 = {rs = {s = 0x7069736f58652820 <Address 0x7069736f58652820 out of bounds>, len = 775106354}, ri = 0, flags = 4}
(gdb) p val_cache->c.pval
$9 = {rs = {s = 0x7069736f58652820 <Address 0x7069736f58652820 out of bounds>, len = 775106354}, ri = 0, flags = 4} <- the value of s is invalid, it's a string from a SIP message.
Full GDB backtrace and info locals here:

I still have the core file and I can help with further analysis.
Regards,
Dragos
PS: Kamailio still rocks.
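The report above notes that the `s` pointer in `*pv` is "a string from a SIP message". The following added example (not part of the original report, and not Kamailio code) shows how a practitioner can confirm that kind of observation from the raw gdb values alone: reinterpret the printed pointer and `len` as little-endian bytes and check whether they are printable ASCII. It assumes an x86-64 build, where Kamailio's `str` is an 8-byte `char *` followed by a 4-byte `int`, so the two fields decode to consecutive pieces of whatever text overwrote them. Applied to the values in the report, `s` decodes to ` (eXosip` and `len` to `2/3.`, which read as one contiguous fragment such as a User-Agent header value (an interpretation, not something the report states).

```python
# Added example: decode gdb-printed integers/pointers as little-endian bytes
# to see whether a corrupted field actually holds ASCII text. Not Kamailio
# code; assumes an x86-64 little-endian layout for `str {char *s; int len}`.


def word_to_bytes(value: int, width: int) -> bytes:
    """Reinterpret a gdb-printed integer as the raw bytes of a little-endian
    field that is `width` bytes wide (8 for a pointer, 4 for an int).
    gdb prints ints as signed, so negative values are taken modulo 2**bits."""
    return (value % (1 << (8 * width))).to_bytes(width, "little")


def as_ascii(value: int, width: int):
    """Return the decoded text if every byte is printable ASCII (0x20..0x7e),
    otherwise None. A genuine pointer or a stack-garbage int normally has
    at least one byte outside that range."""
    raw = word_to_bytes(value, width)
    if all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None


def triage_str(ptr: int, length: int) -> dict:
    """Triage a `str` struct read from a core dump. With an 8-byte pointer
    immediately followed by a 4-byte int (assumed layout), a single string
    that overwrote both fields decodes to pointer-text + len-text in order."""
    s_text = as_ascii(ptr, 8)
    len_text = as_ascii(length, 4)
    return {
        "s_as_text": s_text,
        "len_as_text": len_text,
        # Both fields printable text -> strong sign the struct was overwritten
        # by string data rather than holding a valid (pointer, length) pair.
        "overwritten_by_text": s_text is not None and len_text is not None,
        "combined": (s_text or "") + (len_text or ""),
    }


# Values copied from the `p *pv` output in the report above.
PV_S = 0x7069736F58652820
PV_LEN = 775106354

# A negative `len` from the same `info locals` dump, for contrast: its sign bit
# guarantees a byte >= 0x80, so it will not decode as ASCII.
TMP_PVAL_LEN = -1975658024

if __name__ == "__main__":
    print(triage_str(PV_S, PV_LEN))
    print(as_ascii(TMP_PVAL_LEN, 4))
```

The same check can be run on any other suspicious pointer or integer in the `info locals` output; a field that decodes to readable text is a good hint of which buffer overran, while a field that does not (like the negative `len` above) is more likely uninitialised stack content.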