[OpenSER-Devel] [ openser-Bugs-1831333 ] segmentation fault in the permissions module

SourceForge.net noreply at sourceforge.net
Wed Nov 14 22:35:59 UTC 2007


Bugs item #1831333, was opened at 2007-11-13 22:48
Message generated for change (Comment added) made by dan_pascu
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=743020&aid=1831333&group_id=139143

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: modules
Group: ver devel
Status: Open
Resolution: None
Priority: 7
Private: No
Submitted By: Dan (dan_pascu)
Assigned to: Bogdan-Andrei Iancu (bogdan_iancu)
Summary: segmentation fault in the permissions module

Initial Comment:
Program terminated with signal 11, Segmentation fault.
#0  0xb7c9ac91 in val2str (_c=0x8166b08, _v=0xbfa2a424, _s=0xb7c9db99 "81.23.228.150'", _len=0xbfa29f28) at val.c:221
221                             _s += mysql_real_escape_string(CON_CONNECTION(_c), _s, VAL_STR(_v).s, l);
(gdb) bt
#0  0xb7c9ac91 in val2str (_c=0x8166b08, _v=0xbfa2a424, _s=0xb7c9db99 "81.23.228.150'", _len=0xbfa29f28) at val.c:221
#1  0x080d9a55 in db_print_where (_c=0x8166b08, _b=0xb7c9db91 "src_ip='81.23.228.150'", _l=65487, _k=0xbfa2a450, _o=0x0, _v=0xbfa2a424, _n=1, val2str=0xb7c9aaa0 <val2str>) at db/db_ut.c:294
#2  0xb7c99238 in db_mysql_query (_h=0x8166b08, _k=0xbfa2a450, _op=0x0, _v=0xbfa2a424, _c=0xbfa2a434, _n=1, _nc=3, _o=0x0, _r=0xbfa2a454) at dbase.c:303
#3  0xb77d98ff in allow_trusted (_msg=0x816ac40, str1=0x0, str2=0x0) at trusted.c:447
#4  0x08054b6c in do_action (a=0x815a3a8, msg=0x816ac40) at action.c:816
#5  0x08056bbf in run_action_list (a=0x815a3a8, msg=0x816ac40) at action.c:132
#6  0x0808f0f0 in eval_expr (e=0x815a400, msg=0x816ac40, val=0x0) at route.c:1069
#7  0x0808ea16 in eval_expr (e=0x815a428, msg=0x816ac40, val=0x0) at route.c:1376
#8  0x0808ea3e in eval_expr (e=0x815a450, msg=0x816ac40, val=0x0) at route.c:1381
#9  0x08054632 in do_action (a=0x815a990, msg=0x816ac40) at action.c:672
#10 0x08056bbf in run_action_list (a=0x8159c60, msg=0x816ac40) at action.c:132
#11 0x08056f79 in run_top_route (a=0x8159c60, msg=0x816ac40) at action.c:112
#12 0x08084544 in receive_msg (buf=0x81424a0 "SUBSCRIBE sip:31162714019 at budgetphone.nl SIP/2.0\r\nRecord-Route: <sip:81.23.228.150;lr=on;ftag=36417de23ede0658>\r\nVia: SIP/2.0/UDP 81.23.228.150;branch=z9hG4bK3fe2.61fdb271.0\r\nVia: SIP/2.0/UDP 192.168."..., 
    len=817, rcv_info=0xbfa2ada4) at receive.c:156
#13 0x080b5e37 in udp_rcv_loop () at udp_server.c:440
#14 0x080683e0 in main (argc=13, argv=0xbfa2af34) at main.c:824
(gdb) list
216                             LM_ERR("destination buffer too short\n");
217                             return -8;
218                     } else {
219                             old_s = _s;
220                             *_s++ = '\'';
221                             _s += mysql_real_escape_string(CON_CONNECTION(_c), _s, VAL_STR(_v).s, l);
222                             *_s++ = '\'';
223                             *_s = '\0';
224                             *_len = _s - old_s;
225                             return 0;
(gdb) print _s
$1 = 0xb7c9db99 "81.23.228.150'"
(gdb) print l
$2 = 48
(gdb) print _v
$3 = (db_val_t *) 0xbfa2a424
(gdb) print *_v
$4 = {type = DB_STRING, nul = 0, val = {int_val = -1216475584, double_val = 1.5209769959062048e-314, time_val = -1216475584, string_val = 0xb77e0e40 "81.23.228.150", str_val = {s = 0xb77e0e40 "81.23.228.150", len = 0}, blob_val = {
      s = 0xb77e0e40 "81.23.228.150", len = 0}, bitmap_val = 3078491712}}


----------------------------------------------------------------------

>Comment By: Dan (dan_pascu)
Date: 2007-11-15 00:35

Message:
Logged In: YES 
user_id=1296758
Originator: YES

I do not know why it was in the blob processing section, but I can see
some bits that are wrong in that trace. One (which is also of little
importance in this context but may be in others) is that the len of the
str_val and blob_val is 0 instead of 13. And what is more important (and
which probably caused the signal 11) is that the length passed to
mysql_real_escape_string for the from string is 48, which is quite a bit bigger
than 13 (what it should really be). So I wouldn't be surprised if it
exceeded some memory bounds and received a segmentation fault.

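The mismatch Dan describes (a 13-byte value escaped with a length of 48, and a str_val.len of 0) is what a bounds-checked quoting step has to rule out. The following is an added example, not OpenSER's val2str() or libmysqlclient code: it stands in for mysql_real_escape_string with a small local escaper that has the same worst-case expansion (2*len), derives the length from the value itself rather than an unrelated variable, and checks the destination buffer before writing.

```c
/* Added example (not OpenSER's code): a bounds-checked version of the
 * quote-and-escape step that crashed in val2str(). The str_t type mirrors
 * only the fields of OpenSER's DB_STRING value that the example needs. */
#include <stddef.h>
#include <string.h>

typedef struct { const char *s; int len; } str_t;

/* Escape MySQL's special characters (same set mysql_real_escape_string
 * handles); writes at most 2*len bytes into dst, no terminating NUL. */
static size_t escape_mysql(char *dst, const char *src, size_t len) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        char c = src[i], e = 0;
        switch (c) {
        case '\0':  e = '0'; break;
        case '\n':  e = 'n'; break;
        case '\r':  e = 'r'; break;
        case '\032': e = 'Z'; break;           /* Ctrl-Z */
        case '\\': case '\'': case '"': e = c; break;
        }
        if (e) { dst[n++] = '\\'; dst[n++] = e; } else dst[n++] = c;
    }
    return n;
}

/* Quote v into dst as '...'. Returns bytes written (excluding NUL), or -1
 * when dst cannot hold the worst case. The length comes from the value:
 * a zero len (as seen in the trace) falls back to strlen(), so the escaper
 * can never be handed a length longer than the string it reads. */
int quote_str_val(char *dst, size_t dst_len, const str_t *v) {
    size_t len = v->len > 0 ? (size_t)v->len : strlen(v->s);
    if (dst_len < 2 * len + 3)        /* 2 quotes + escaped body + NUL */
        return -1;
    char *p = dst;
    *p++ = '\'';
    p += escape_mysql(p, v->s, len);
    *p++ = '\'';
    *p = '\0';
    return (int)(p - dst);
}
```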

----------------------------------------------------------------------

Comment By: Bogdan-Andrei Iancu (bogdan_iancu)
Date: 2007-11-14 19:44

Message:
Logged In: YES 
user_id=1275325
Originator: NO

Hi Dan,

The information provided by the core file is not conclusive as some parts
are contradictory...if you are not able to get more similar core files, I'm
afraid I cannot solve it (only based on this info).

Thanks and regards,
Bogdan

----------------------------------------------------------------------

Comment By: Dan (dan_pascu)
Date: 2007-11-14 12:10

Message:
Logged In: YES 
user_id=1296758
Originator: YES

I use rev 3071 dated 2007-11-08 18:48:00 +0100 (Thu, 08 Nov 2007)
I think that is after he reverted the commit.

----------------------------------------------------------------------

Comment By: Bogdan-Andrei Iancu (bogdan_iancu)
Date: 2007-11-14 11:12

Message:
Logged In: YES 
user_id=1275325
Originator: NO

Hi Dan,

That is very strange - gdb (and code) says that the val type is DB_STRING,
but the crash happened for DB_BLOB processing (based on the reported
line)?!

Do you still have the core file, the openser binary and modules? Can you
send them to me for inspection?

BTW, last week there were some problems very similar to this due to some
change made by Henning - be sure you are using the latest SVN version
where the bug was fixed.

Regards,
bogdan

----------------------------------------------------------------------
