[Devel] [ openser-Bugs-1537245 ] mod_mangle crash

SourceForge.net noreply at sourceforge.net
Thu Aug 10 11:32:07 CEST 2006

Bugs item #1537245, was opened at 2006-08-09 12:26
Message generated for change (Comment added) made by miconda
You can respond by visiting: 

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: modules
Group: ver 1.1.x
>Status: Pending
Resolution: None
Priority: 5
Submitted By: Nobody/Anonymous (nobody)
>Assigned to: Daniel-Constantin Mierla (miconda)
Summary: mod_mangle crash

Initial Comment:
mailto:michal.kara at nextiraone.cz

I am experiencing a crash that seems to happen when 
mod_mediaproxy's fix_contact() rewrites the contact and I 
subsequently call encode_contact(). When fix_contact() 
is called but the contact is not changed, all works OK. 
This bug has been there since 0.9.x.

 0(14215) SIP Request:
 0(14215)  method:  <INVITE>
 0(14215)  uri:     <sip:zdenek at>
 0(14215)  version: <SIP/2.0>
 0(14215) parse_headers: flags=2
 0(14215) Found param type 232, <branch> = <z9hG4bK-
d87543-767618259b786972-1--d87543->; state=6
 0(14215) Found param type 235, <rport> = <n/a>; 
 0(14215) end of header reached, state=5
 0(14215) parse_headers: Via found, flags=2
 0(14215) parse_headers: this is the first via
 0(14215) After parse_msg...
 0(14215) preparing to run routing scripts...
 0(14215) parse_headers: flags=100
 0(14215) DEBUG:maxfwd:is_maxfwd_present: value = 70
 0(14215) LOG: uri=sip:zdenek at
 0(14215) parse_headers: flags=80
 0(14215) LOG: Someone trying to register from private 
IP, rewriting
 0(14215) parse_headers: flags=80
 0(14215) parse_headers: flags=8000000
 0(14215) DEBUG:parse_to:end of header reached, 
 0(14215) DBUG:parse_to: display={}, ruri=
{sip:zdenek at}
 0(14215) DEBUG: get_hdr_field: <To> [29]; uri=
[sip:zdenek at]
 0(14215) DEBUG: to body [<sip:zdenek at>
 0(14215) get_hdr_field: cseq <CSeq>: <1> <INVITE>
 0(14215) BUG: del_lump: offset exceeds message size 
(239840 > 938) aborting...

Here's backtrace:

(gdb) bt
#0  0x4005a7c1 in kill () from /lib/libc.so.6
#1  0x4005a545 in raise () from /lib/libc.so.6
#2  0x4005ba88 in abort () from /lib/libc.so.6
#3  0x08053d8c in del_lump (msg=0x81279d0, 
offset=239840, len=30,
    type=HDR_OTHER_T) at data_lump.c:288
#4  0x40221e97 in patch (msg=0x6, oldstr=0x0, oldlen=0,
newstr=0x81246a8 "sip:encoded*michal***621
    newlen=0) at utils.c:53
#5  0x4021e5a1 in encode_contact (msg=0x81279d0,
    encoding_prefix=0x8125770 "encoded", 
public_ip=0x81257f8 "")
    at contact_ops.c:114
#6  0x0805071b in do_action (a=0x8125880, 
msg=0x81279d0) at action.c:701
#7  0x08050631 in do_action (a=0x81258b0, 
msg=0x81279d0) at action.c:89
#8  0x08050631 in do_action (a=0x8125940, 
msg=0x81279d0) at action.c:89
#9  0x08050631 in do_action (a=0x8125970, 
msg=0x81279d0) at action.c:89
#10 0x080522c2 in run_actions (a=0x81247e0, 
msg=0x81279d0) at action.c:89
#11 0x08051f2e in run_top_route (a=0x0, msg=0x0) at 
#12 0x08071ec1 in receive_msg (
    buf=0x80ea340 "INVITE sip:zdenek at 
SIP/2.0\r\nVia: SIP/2.0/UDP;branch=z9hG4bK-d87543-
Forwards: 69\r\nContact: 
<sip:michal at>\r\nTo: <sip:"...,
    len=938, rcv_info=0xbffffbb0) at receive.c:155
#13 0x08089654 in udp_rcv_loop () at udp_server.c:465
---Type <return> to continue, or q <return> to quit---
#14 0x08063b64 in main_loop () at main.c:925
#15 0x08064fae in main (argc=7, argv=0xbffffd34) at 

Configuration file snippet:


# main routing logic


  if ((src_ip != && (client_nat_test
("3"))) {
    if (method == "REGISTER" || ! search("^Record-
Route:")) {
      fix_contact(); # Rewrite contact with source IP 
of signalling

      if (method == "INVITE") {





>Comment By: Daniel-Constantin Mierla (miconda)
Date: 2006-08-10 12:32

Logged In: YES 

It seems that some data is corrupted. The offset to del_lump is
for sure greater than the whole message. Also, the
parameters to the patch() function are null and there is a test
for such values. It might be that the core file was overwritten.

Could this crash be reproduced in an easy way, or is it a
rare event?

On the other hand, mangler is a bit deprecated, you can use
nathelper to change the contact addresses and perform NAT


Comment By: Nobody/Anonymous (nobody)
Date: 2006-08-09 14:37

Logged In: NO 

I have investigated this problem further. As far as I 
understand the "lump" system, it seems to be more of a design 
problem - it is not possible to delete a lump that was added, 
just one that was originally present. Am I right?
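
Added example, not part of the original thread and not OpenSER code: a simplified C model of the condition the log reports (a delete offset larger than the message), assuming, as the last comment suggests, that the offset comes from a pointer that no longer lies in the original receive buffer. All names (model_msg, model_offset_in_msg, the sample message and contact) are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model (hypothetical names): pending edits are recorded as
 * offsets into the ORIGINAL receive buffer, never into later copies. */
struct model_msg { const char *buf; size_t len; };

/* Turn a pointer into an offset only if [p, p+n) lies inside m->buf.
 * Returns 0 and sets *off on success, -1 otherwise (caller must not
 * record the delete; the request fails instead of aborting). */
static int model_offset_in_msg(const struct model_msg *m, const char *p,
                               size_t n, size_t *off)
{
    uintptr_t base = (uintptr_t)m->buf, q = (uintptr_t)p;
    if (p == NULL || q < base || q - base > m->len || n > m->len - (q - base))
        return -1;
    *off = (size_t)(q - base);
    return 0;
}

/* Constructed sample message, and a constructed rewritten contact that
 * lives in its own buffer, as it would after a contact-rewriting step. */
static const char raw[] =
    "INVITE sip:a@example.invalid SIP/2.0\r\n"
    "Contact: <sip:b@192.0.2.10>\r\n\r\n";
static const char rewritten[] = "sip:b@198.51.100.7";

/* Contact still points into the receive buffer: the offset is accepted. */
static long demo_original(void)
{
    struct model_msg m = { raw, sizeof raw - 1 };
    const char *uri = strstr(raw, "sip:b@");
    size_t off;
    return model_offset_in_msg(&m, uri, strlen("sip:b@192.0.2.10"), &off)
               ? -1 : (long)off;
}

/* Contact now points at the rewritten copy: the offset must be refused. */
static long demo_rewritten(void)
{
    struct model_msg m = { raw, sizeof raw - 1 };
    size_t off;
    return model_offset_in_msg(&m, rewritten, sizeof rewritten - 1, &off)
               ? -1 : (long)off;
}

int main(void)
{
    printf("original: %ld, rewritten: %ld\n", demo_original(), demo_rewritten());
    return 0;
}
```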

