Hello,
we had a segfault today. Kamailio has been running for a few months without problems.
Nov 18 10:51:20 sbc kernel: [11326028.926502] kamailio[14452]: segfault at 30 ip 00007f20f7f3838a sp 00007ffef3ab7b10 error 4 in siptrace.so[7f20f7f23000+27000]
GDB:
Reading symbols from kamailio...done.
[New LWP 14452]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/usr/local/sbin/kamailio -f /etc/kamailio/kamailio.cfg -P /var/run/kamailio/kam'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f20f7f3838a in sip_trace (msg=0x7f2100f96750, dst=0x0, dir=0x0) at siptrace.c:1041
1041        sto.totag = get_to(msg)->tag_value;
(gdb) bt
#0  0x00007f20f7f3838a in sip_trace (msg=0x7f2100f96750, dst=0x0, dir=0x0) at siptrace.c:1041
#1  0x0000000000457ca9 in do_action (h=0x7ffef3ab8320, a=0x7f2100b8a928, msg=0x7f2100f96750) at action.c:1053
#2  0x0000000000463cb9 in run_actions (h=0x7ffef3ab8320, a=0x7f2100b8a928, msg=0x7f2100f96750) at action.c:1548
#3  0x00000000004643bf in run_top_route (a=0x7f2100b8a928, msg=0x7f2100f96750, c=0x0) at action.c:1634
#4  0x0000000000573ea7 in receive_msg (buf=0x9c9400 <buf> "OPTIONS sip:100@XXX.XXX.XX.XX SIP/2.0\r\nv: SIP/2.0/UDP 69.64.39.119:5060;branch=z9hG4bK-82135822;rport\r\nContent-Length: 0\r\nf: "MisterX"sip:100@1.1.1.1;tag=61326665333131663133633401333733313630343335"..., len=357, rcv_info=0x7ffef3ab85b0) at receive.c:196
#5  0x0000000000493ff5 in udp_rcv_loop () at udp_server.c:495
#6  0x000000000051fdd7 in main_loop () at main.c:1573
#7  0x0000000000525b6b in main (argc=13, argv=0x7ffef3ab8998) at main.c:2533
(gdb) quit
Our IP is hidden, but there is 69.64.39.119, which is a foreign address, and I think it was an attack. Unfortunately I don't have the SIP packet details, but you can see 1.1.1.1, the strange tag and content-length=0 in the received message.
I looked into siptrace.c and there is a function sip_trace_prepare where get_from(msg) is checked, but not get_to(msg). This function is run from the main sip_trace function. So I think we also need to check the get_to(msg) function.
I just disabled the siptrace module, but we need it.
Thank you. Marian
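The NULL dereference Marian describes, modelled as an added example that is neither part of this thread nor Kamailio's own code: a simplified sip_msg/hdr_field layout, the unguarded get_to(msg)->tag_value pattern from siptrace.c:1041, and a guarded accessor that parses and NULL-checks the To header first, the way sip_trace_prepare already does for From. The struct shapes, the toy parse_to_header() and the sample messages are constructed for this illustration.

```c
/* Added illustration, not Kamailio code: a minimal model of the crash pattern
 * from the report (dereferencing get_to(msg) while msg->to is still NULL) next
 * to a guarded accessor. Struct shapes, parser and messages are constructed. */
#include <string.h>
#include <strings.h>

typedef struct { const char *s; int len; } str;
typedef struct { str body; void *parsed; } hdr_field;   /* roughly Kamailio's hdr_field */
typedef struct { str tag_value; } to_body;              /* roughly Kamailio's to_body */
typedef struct { const char *raw; hdr_field *to; hdr_field to_hdr; to_body to_parsed; } sip_msg;

/* The pattern at siptrace.c:1041: get_to(msg)->tag_value reads msg->to->parsed,
 * which faults at a small offset when msg->to is NULL (consistent with "segfault at 30"). */
#define get_to(m) ((to_body *)(m)->to->parsed)

static sip_msg make_msg(const char *raw) { sip_msg m; memset(&m, 0, sizeof m); m.raw = raw; return m; }

/* Toy parser: find the To header (long "To:" or compact "t:") and its ;tag= value.
 * Returns 0 and sets msg->to on success, -1 if the message carries no To header. */
static int parse_to_header(sip_msg *m) {
    const char *line = m->raw;
    while (line && *line) {
        const char *eol = strstr(line, "\r\n");
        int n = eol ? (int)(eol - line) : (int)strlen(line);
        if ((n > 3 && strncasecmp(line, "To:", 3) == 0) || (n > 2 && strncasecmp(line, "t:", 2) == 0)) {
            const char *tag = strstr(line, ";tag="), *tv = NULL;
            int tl = 0;
            if (tag && tag < line + n)                      /* tag must sit on this very line */
                for (tv = tag + 5; tv + tl < line + n && tv[tl] != ';'; tl++) {}
            m->to_hdr.body.s = line; m->to_hdr.body.len = n;
            m->to_parsed.tag_value.s = tv; m->to_parsed.tag_value.len = tl;
            m->to_hdr.parsed = &m->to_parsed;
            m->to = &m->to_hdr;
            return 0;
        }
        line = eol ? eol + 2 : NULL;
    }
    return -1;
}

/* The check the report asks for: parse and NULL-test To before touching get_to(),
 * as sip_trace_prepare() already does for get_from(). Returns 0 with the tag in
 * *out (len 0 when To has no tag), or -1 when there is nothing safe to read. */
static int safe_to_tag(sip_msg *m, str *out) {
    if (m->to == NULL && parse_to_header(m) < 0) return -1; /* no To header: bail out */
    if (m->to == NULL || m->to->parsed == NULL) return -1;
    *out = get_to(m)->tag_value;
    return 0;
}
```

A message without a To header makes safe_to_tag() return -1 instead of faulting; only the guarded path is safe to call from a script action.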
Forget about this. I see it's fixed in the latest 4.3.3 version. I'm sorry.
On 18.11.2015 at 18:36 Marian Piater wrote: