Kamailio 1.5.4 crashes with the following backtrace.
(gdb) bt
#0  free_to_params (tb=0x79ffc0) at parser/parse_to.c:79
#1  free_to (tb=0x79ffc0) at parser/parse_to.c:88
#2  0x000000000047fe82 in clean_hdr_field (hf=0x2b32776ec6a0) at parser/hf.c:187
#3  0x00002b327492f525 in clean_msg_clone (type=<value optimized out>, trans=<value optimized out>, req=0x2b32776eb510, rpl=0x79f220, code=<value optimized out>) at sip_msg.h:54
#4  run_trans_callbacks (type=<value optimized out>, trans=<value optimized out>, req=0x2b32776eb510, rpl=0x79f220, code=<value optimized out>) at t_hooks.c:245
#5  0x00002b3274949a1d in relay_reply (t=0x2b32776ed130, p_msg=0x79f220, branch=<value optimized out>, msg_status=200, cancel_bitmap=0x7fff5438ecf8) at t_reply.c:1163
#6  0x00002b327494a123 in reply_received (p_msg=0x79f220) at t_reply.c:1511
#7  0x000000000041f08b in forward_reply (msg=0x79f220) at forward.c:576
#8  0x0000000000445453 in receive_msg (buf=0x719200 "SIP/2.0 200 OK\r\nVia: SIP/2.0/UDP xxx.xxx.xxx.114;branch=z9hG4bKb415.46c549d2.0\r\nVia: SIP/2.0/UDP xx.xxx.xx.xxx:5060;received=xxx.xxx.xx.xxx;branch=z9hG4bK6cd2ebfb;rport=5060\r\nRecord-Route: <sip:xxx.xxx.xxx.x"..., len=1106, rcv_info=0x7fff5438ede0) at receive.c:212
#9  0x00000000004795ee in udp_rcv_loop () at udp_server.c:449
#10 0x000000000042774e in main_loop (argc=3, argv=0x7fff5438eff8) at main.c:774
#11 main (argc=3, argv=0x7fff5438eff8) at main.c:1321
This is occurring on a CentOS box, 2.6.18-164.11.1.el5 #1 SMP Wed Jan 20 07:32:21 EST 2010 x86_64 x86_64 x86_64 GNU/Linux
The really strange thing is the source of the problem appears to be in clean_hdr_field (hf=0x2b32776ec6a0) at parser/hf.c:187
void clean_hdr_field(struct hdr_field* hf)
{
    if (hf->parsed){
        switch(hf->type){
        ...
        case HDR_RPID_T:
            free_to(hf->parsed);
            break;
        ...
Output from gdb shows hf->parsed to be NULL; however, free_to(hf->parsed) is still being called, and from there bad things happen.
Thanks in advance.
Gene
On 08/30/2010 11:33 AM, gwillingham@comcast.net wrote:
> Output from gdb shows hf->parsed to be NULL; however, free_to(hf->parsed) is still being called, and from there bad things happen.
Sounds like a double free(), or a free() of something that was never allocated.
On Monday 30 August 2010, Alex Balashov wrote:
> On 08/30/2010 11:33 AM, gwillingham@comcast.net wrote:
> > Output from gdb shows hf->parsed to be NULL; however, free_to(hf->parsed) is still being called, and from there bad things happen.
> Sounds like a double free(), or a free() of something that was never allocated.
Hello Gene,
1.5.4 was released in February, I think. Do you use the version from the tar.gz? I've checked the file in question; there was one fix in the last month:
r6036 | miconda | 2010-07-30 20:18:33 +0200 (Fr, 30 Jul 2010) | 4 lines
- fix off-by-one bug for quoted parameter values in parse_to
- patch by Alex Hermann, SF#3035382
which may help you here. I'd suggest that you extract the SIP message in question from the backtrace (receive_msg, buf) and then try to reproduce the crash. If it crashes again, just update to the latest 1.5 branch state and see if it crashes again. It contains some more fixes, one or two of them for issues that also could cause crashes in some special conditions.
Cheers,
Henning
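Henning's suggestion to pull the message out of the backtrace and replay it is the step most people get wrong, because gdb prints `buf` as an escaped C string and truncates it at 200 characters by default. The following C program is an added example for this page, not Kamailio's code and not a tool from the project: it decodes gdb's escaping back into raw bytes, sanity-checks the CRLF line structure, and can send the result as one UDP datagram. The embedded literal is the truncated prefix exactly as it appears in frame #8 above (the `...` in the backtrace marks where gdb cut off; nothing past that point is on the page), so the replay target, port and any completion of the message are the reader's to supply.

```c
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* The start of `buf` exactly as gdb printed it in the backtrace. gdb stops
 * after 200 characters by default; run `set print elements 0` before `p buf`
 * (or `dump binary memory sip.bin buf buf+len`) to capture the whole message. */
static const char GDB_BUF_PREFIX[] =
    "SIP/2.0 200 OK\\r\\nVia: SIP/2.0/UDP xxx.xxx.xxx.114;branch=z9hG4bKb415.46c549d2.0"
    "\\r\\nVia: SIP/2.0/UDP xx.xxx.xx.xxx:5060;received=xxx.xxx.xx.xxx;"
    "branch=z9hG4bK6cd2ebfb;rport=5060\\r\\nRecord-Route: <sip:xxx.xxx.xxx.x";

/* Turn gdb's C-style escaping (\r \n \t \" \\ and octal \NNN) back into the
 * bytes that were on the wire. Returns the byte count, -1 on a bad escape or
 * when the output buffer is too small. */
long gdb_unescape(const char *lit, unsigned char *out, size_t cap)
{
    size_t n = 0;
    while (*lit) {
        unsigned char c = (unsigned char)*lit++;
        if (c == '\\') {
            if (*lit >= '0' && *lit <= '7') {        /* up to three octal digits */
                int v = 0;
                for (int k = 0; k < 3 && *lit >= '0' && *lit <= '7'; k++)
                    v = v * 8 + (*lit++ - '0');
                c = (unsigned char)v;
            } else {
                switch (*lit++) {
                case 'r':  c = '\r'; break;
                case 'n':  c = '\n'; break;
                case 't':  c = '\t'; break;
                case '"':  c = '"';  break;
                case '\\': c = '\\'; break;
                default:   return -1;                /* unknown escape: refuse */
                }
            }
        }
        if (n == cap) return -1;
        out[n++] = c;
    }
    return (long)n;
}

/* Count CRLF-terminated lines in the decoded bytes: a quick check that the
 * decode really produced SIP line structure and not literal backslashes. */
int count_crlf_lines(const unsigned char *msg, size_t len)
{
    int lines = 0;
    for (size_t i = 1; i < len; i++)
        if (msg[i - 1] == '\r' && msg[i] == '\n') lines++;
    return lines;
}

/* Replay the decoded bytes as a single UDP datagram to host:port.
 * Returns bytes sent, or -1 on failure. */
long replay_udp(const char *host, int port, const unsigned char *msg, size_t len)
{
    struct sockaddr_in dst;
    memset(&dst, 0, sizeof dst);
    dst.sin_family = AF_INET;
    dst.sin_port = htons((uint16_t)port);
    if (inet_pton(AF_INET, host, &dst.sin_addr) != 1) return -1;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    ssize_t sent = sendto(fd, msg, len, 0, (struct sockaddr *)&dst, sizeof dst);
    close(fd);
    return (long)sent;
}

int main(int argc, char **argv)
{
    unsigned char raw[4096];
    long n = gdb_unescape(GDB_BUF_PREFIX, raw, sizeof raw);
    if (n < 0) { fputs("bad escape in literal\n", stderr); return 1; }
    printf("decoded %ld bytes, %d CRLF lines\n", n, count_crlf_lines(raw, (size_t)n));
    if (argc == 3)      /* ./replay <proxy-ip> <port> actually sends the datagram */
        printf("sent %ld bytes\n", replay_udp(argv[1], atoi(argv[2]), raw, (size_t)n));
    return 0;
}
```

One caveat before replaying: a 200 OK only reaches relay_reply if the proxy holds a matching transaction, which it finds by the branch parameter of the top Via. A stray reply sent to an idle proxy is simply dropped, so the datagram has to go out while the same INVITE or re-INVITE is pending, or the whole flow (request plus reply) has to be replayed, for which a scenario tool such as sipp is more practical than a single sendto.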
We were experiencing the issue with the 1.5.4 released version; we upgraded from svn and the issue still persists. I have a backtrace from both versions.
I agree it is a free of a null pointer, but the if(hf->parsed) should be the test for NULL, and only execute code if not NULL. However, this test is failing.
----- Original Message -----
From: "Henning Westerholt" henning.westerholt@1und1.de
To: sr-users@lists.sip-router.org
Cc: "Alex Balashov" abalashov@evaristesys.com, gwillingham@comcast.net
Sent: Monday, August 30, 2010 11:45:11 AM
Subject: Re: [SR-Users] Kamailio 1.5.4 crash
> On Monday 30 August 2010, Alex Balashov wrote:
> > On 08/30/2010 11:33 AM, gwillingham@comcast.net wrote:
> > > Output from gdb shows hf->parsed to be NULL; however, free_to(hf->parsed) is still being called, and from there bad things happen.
> > Sounds like a double free(), or a free() of something that was never allocated.
> Hello Gene,
> 1.5.4 was released in February, I think. Do you use the version from the tar.gz? I've checked the file in question; there was one fix in the last month:
> r6036 | miconda | 2010-07-30 20:18:33 +0200 (Fr, 30 Jul 2010) | 4 lines
> - fix off-by-one bug for quoted parameter values in parse_to
> - patch by Alex Hermann, SF#3035382
> which may help you here. I'd suggest that you extract the SIP message in question from the backtrace (receive_msg, buf) and then try to reproduce the crash. If it crashes again, just update to the latest 1.5 branch state and see if it crashes again. It contains some more fixes, one or two of them for issues that also could cause crashes in some special conditions.
> Cheers,
> Henning
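Alex's reading (a double free, or a free of something never allocated) and Gene's objection that the if(hf->parsed) guard ought to prevent it are easiest to weigh side by side. The C program below is an added example written for this page, not Kamailio code and not a diagnosis of this particular crash. It uses cut-down stand-ins for the parser structs (to_body, to_param and hdr_field, with assumed field names) and a tracking allocator in place of shm_malloc/shm_free that quarantines freed blocks and counts repeated frees rather than corrupting the heap. It runs the quoted clean_hdr_field pattern twice on one header and contrasts it with a variant that resets hf->parsed after free_to().

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the parser's To body, parameter list and header
 * field (assumed field names; not Kamailio's real structs). */
enum { HDR_TO_T = 1, HDR_RPID_T = 2 };
struct to_param  { char *name; struct to_param *next; };
struct to_body   { char *uri; struct to_param *param_lst; };
struct hdr_field { int type; void *parsed; };

/* Tracking allocator standing in for shm_malloc/shm_free. Freed blocks are
 * quarantined (kept mapped, marked dead) so a stale read stays observable and
 * a repeated free is counted instead of corrupting the heap as the real one would. */
#define MAX_BLOCKS 32
static struct { void *p; int live; } blocks[MAX_BLOCKS];
static int nblocks, double_frees;

static void *demo_alloc(size_t n)
{
    void *p = calloc(1, n);
    if (!p || nblocks == MAX_BLOCKS) abort();
    blocks[nblocks].p = p;
    blocks[nblocks].live = 1;
    nblocks++;
    return p;
}

static void demo_free(void *p)
{
    for (int i = 0; i < nblocks; i++) {
        if (blocks[i].p == p) {
            if (!blocks[i].live) double_frees++;   /* same block freed twice */
            blocks[i].live = 0;
            return;
        }
    }
    double_frees++;                                /* never came from demo_alloc */
}

static void demo_reset(void)                       /* drop quarantine between runs */
{
    for (int i = 0; i < nblocks; i++) free(blocks[i].p);
    nblocks = double_frees = 0;
}

static char *demo_strdup(const char *s)
{
    char *d = demo_alloc(strlen(s) + 1);
    memcpy(d, s, strlen(s) + 1);
    return d;
}

static struct to_body *make_to(const char *uri, const char *pname)
{
    struct to_body *tb = demo_alloc(sizeof *tb);
    tb->uri = demo_strdup(uri);
    tb->param_lst = demo_alloc(sizeof *tb->param_lst);
    tb->param_lst->name = demo_strdup(pname);
    return tb;
}

/* Same shape as parse_to.c's free_to_params()/free_to(): they release what
 * the body points to but cannot clear the caller's hf->parsed. */
static void free_to(struct to_body *tb)
{
    for (struct to_param *p = tb->param_lst, *next; p; p = next) {
        next = p->next;
        demo_free(p->name);
        demo_free(p);
    }
    demo_free(tb->uri);
    demo_free(tb);
}

/* The pattern quoted from hf.c: guarded by a NULL check, but the pointer is
 * left dangling, so the guard passes again on the next cleanup. */
static void clean_hdr_field_dangling(struct hdr_field *hf)
{
    if (hf->parsed) {
        switch (hf->type) {
        case HDR_TO_T:
        case HDR_RPID_T: free_to(hf->parsed); break;
        }
    }
}

/* Hardened variant: reset after freeing so a second cleanup is a no-op. */
static void clean_hdr_field_safe(struct hdr_field *hf)
{
    if (hf->parsed) {
        switch (hf->type) {
        case HDR_TO_T:
        case HDR_RPID_T: free_to(hf->parsed); break;
        }
        hf->parsed = NULL;
    }
}

/* Clean one header twice, as would happen if two owners (for instance a
 * message and its clone) each run cleanup on the same parsed body.
 * Returns the number of double frees the tracking allocator saw. */
int double_cleanup(int hardened)
{
    demo_reset();
    struct hdr_field hf = { HDR_RPID_T, make_to("sip:alice@example.com", "tag") };
    for (int pass = 0; pass < 2; pass++) {
        if (hardened) clean_hdr_field_safe(&hf);
        else          clean_hdr_field_dangling(&hf);
    }
    return double_frees;
}

int main(void)
{
    printf("dangling pointer: %d double frees\n", double_cleanup(0));
    printf("pointer reset:    %d double frees\n", double_cleanup(1));
    return 0;
}
```

The NULL check only protects against a pointer that was never set; it does nothing for one that has already been handed to free_to() once and left in place, which is exactly what two cleanups of the same header produce. Whether that is what happens under clean_msg_clone here is not something the backtrace alone settles, and with a real allocator the damage usually surfaces later and elsewhere, which is why a reproducible SIP flow run under a memory-checking allocator is the shorter path to a root cause.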
2010/8/30 gwillingham@comcast.net:
> We were experiencing the issue with the 1.5.4 released version; we upgraded from svn and the issue still persists. I have a backtrace from both versions.
> I agree it is a free of a null pointer, but the if(hf->parsed) should be the test for NULL, and only execute code if not NULL. However, this test is failing.
Do you have a SIP flow/trace to reproduce the crash?
On Tuesday 31 August 2010, Iñaki Baz Castillo wrote:
> > I agree it is a free of a null pointer, but the if(hf->parsed) should be the test for NULL, and only execute code if not NULL. However, this test is failing.
> Do you have a SIP flow/trace to reproduce the crash?
Hi Iñaki,
I discussed this with Gene privately; he sent me the message in question, and so far it looked OK. Apparently it's related to a re-INVITE. I also asked Marius to have a look at it.
Cheers,
Henning