Hi
We experienced a crash with kamailio 4.0.5; it looks like a memory corruption.
After an analysis of the core file, it appears that it crashed while doing a str2int transformation (trying to convert the value of myvar to int):
if (($(dlg_var("myvar"){s.int}) == 0) && some_other_condition ) { do_something(); }
gdb output:
(gdb) frame 4
#4  0x00000000004bcb77 in rval_get_btype (h=0x7fffd69713d0, msg=0x7ffc8a58a4d0, rv=0x7ffc8a3dfc18, val_cache=0x7fffd69706a0) at rvalue.c:418
418	in rvalue.c
(gdb) i loc
r_avp = 0x7fffd69709b0
tmp_avp_val = {n = -1975661232, s = {s = 0x7ffc8a3dcd50 "\034\001", len = -1973902128}, re = 0x7ffc8a3dcd50}
avpv = 0x7fffd6970928
tmp_pval = {rs = {s = 0x7ffc8a5b86e0 "route[MAIN]: call-id=52e8c2b553540db4 from=987654321 to=+1234567890 : ACK ip=10.0.x.x", len = -1975658024}, ri = -694745968, flags = 32767}
pv = 0x7fffd69706a8
tmp = RV_NONE
ptype = 0x7ffc8a58a4d0
__FUNCTION__ = "rval_get_btype"
(gdb) p *pv
$8 = {rs = {s = 0x7069736f58652820 <Address 0x7069736f58652820 out of bounds>, len = 775106354}, ri = 0, flags = 4}
(gdb) p val_cache->c.pval
$9 = {rs = {s = 0x7069736f58652820 <Address 0x7069736f58652820 out of bounds>, len = 775106354}, ri = 0, flags = 4}
<- the value of s is invalid, it's a string from a SIP message.
Full GDB backtrace and info locals here: http://pastebin.com/9S06nsyd
(gdb) bt full
#0  0x00007ffc822851e8 in str2sint (_s=0x7fffd69706a8, _r=0x7fffd69706b8) at ../../ut.h:681
        i = 0
        sign = 1
I still have the core file and I can help with further analysis.
Regards, Dragos
PS: Kamailio still rocks.
Hello,
do you know if it was an ACK for a negative response?
I looked a bit over the code and the issue could be with the lifetime of the dlg variable.
Cheers, Daniel
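Daniel's hypothesis above, that the dialog variable's value outlives the SIP message buffer it points into, as an added C example that is not from this thread or from Kamailio's code: a simplified str type, a dialog variable stored either by reference or by private copy, and a simplified str2sint. The buffer reuse, the dlg_var_t type and all function names are constructed for illustration and assume nothing about Kamailio's real dialog module.

```c
#include <stdlib.h>
#include <string.h>
/* Simplified stand-in for the {s, len} string type seen in the gdb output. */
typedef struct { char *s; int len; } str;
/* Hypothetical dialog variable: either points into someone else's buffer or owns a copy. */
typedef struct { str val; int owns; } dlg_var_t;
/* Unsafe pattern: keep a pointer into the caller's (message) buffer. */
static void dlg_var_set_ref(dlg_var_t *v, const str *src) {
    v->val = *src; v->owns = 0;
}
/* Safe pattern: copy the value into memory the variable owns. */
static int dlg_var_set_copy(dlg_var_t *v, const str *src) {
    v->val.s = malloc((size_t)src->len + 1);
    if (!v->val.s) return -1;
    memcpy(v->val.s, src->s, (size_t)src->len);
    v->val.s[src->len] = '\0';
    v->val.len = src->len; v->owns = 1;
    return 0;
}
static void dlg_var_free(dlg_var_t *v) { if (v->owns) free(v->val.s); v->val.s = NULL; v->val.len = 0; }
/* Simplified str2sint: 0 on success, -1 if the value is empty or not a signed decimal. */
static int str2sint(const str *in, int *out) {
    int i = 0, sign = 1, r = 0;
    if (!in->s || in->len <= 0) return -1;
    if (in->s[0] == '-') { sign = -1; i = 1; }
    if (i == in->len) return -1;            /* a lone "-" is not a number */
    for (; i < in->len; i++) {
        if (in->s[i] < '0' || in->s[i] > '9') return -1;
        r = r * 10 + (in->s[i] - '0');
    }
    *out = sign * r;
    return 0;
}
/* Constructed scenario: the variable is set from a message buffer, the buffer is then
   reused for the next message, and only afterwards is the value converted. */
static int convert_after_buffer_reuse(int use_copy, int *out) {
    char msg_buf[64];                        /* stand-in for the parsed SIP message buffer */
    strcpy(msg_buf, "42");
    str src = { msg_buf, 2 };
    dlg_var_t v;
    if (use_copy) { if (dlg_var_set_copy(&v, &src) != 0) return -1; }
    else dlg_var_set_ref(&v, &src);
    memset(msg_buf, 'X', sizeof msg_buf);    /* next message overwrites the buffer */
    int rc = str2sint(&v.val, out);          /* the by-reference value is now garbage */
    dlg_var_free(&v);
    return rc;
}
```

The by-reference variant fails the conversion deterministically here; in a real process the same pointer could instead read freed or out-of-bounds memory, which is the crash signature in the backtrace above.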
On 30/04/14 13:39, Dragos Oancea wrote:
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users