[sr-dev] [tracker] Comment added: Double Free -- Crash/Coredump and possible security vulnerability

sip-router admin at sip-router.org
Wed Nov 9 01:40:25 CET 2011


THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY.

The following task has a new comment added:

FS#173 - Double Free -- Crash/Coredump and possible security vulnerability
User who did this - Bayan Towfiq (btowfiq)

----------
I set dlg_match_mode to 1 and it is still crashing the same way.  One other thing I noticed is that I am getting two separate coredumps from two processes.  After the first coredump (same as above), there is a second coredump about 1 minute later, before all the processes end.  Here is the short and long backtrace for the second coredump from the other process 1 min after the first crash:


(gdb) bt
#0  0x00007f1cb918ea75 in raise () from /lib/libc.so.6
#1  0x00007f1cb91925c0 in abort () from /lib/libc.so.6
#2  0x000000000045ff41 in sig_alarm_abort (signo=<value optimized out>) at main.c:661
#3  <signal handler called>
#4  0x00007f1cb923d877 in syscall () from /lib/libc.so.6
#5  0x00007f1cb1ae5f05 in futex_get (ticks=<value optimized out>, param=<value optimized out>) at ../../mem/../futexlock.h:123
#6  dialog_update_db (ticks=<value optimized out>, param=<value optimized out>) at dlg_db_handler.c:828
#7  0x00007f1cb1adbd21 in mod_destroy () at dialog.c:692
#8  0x00000000004e23f4 in destroy_modules () at sr_module.c:782
#9  0x000000000046154f in cleanup (show_status=1) at main.c:536
#10 0x00000000004621bb in shutdown_children (show_status=1, sig=<value optimized out>) at main.c:678
#11 0x00000000004631d2 in handle_sigs () at main.c:769
#12 0x000000000046436e in main_loop () at main.c:1713
#13 0x0000000000465dd2 in main (argc=11, argv=0x7fffc752dbc8) at main.c:2475

(gdb) bt full
#0  0x00007f1cb918ea75 in raise () from /lib/libc.so.6
No symbol table info available.
#1  0x00007f1cb91925c0 in abort () from /lib/libc.so.6
No symbol table info available.
#2  0x000000000045ff41 in sig_alarm_abort (signo=<value optimized out>) at main.c:661
No locals.
#3  <signal handler called>
No symbol table info available.
#4  0x00007f1cb923d877 in syscall () from /lib/libc.so.6
No symbol table info available.
#5  0x00007f1cb1ae5f05 in futex_get (ticks=<value optimized out>, param=<value optimized out>) at ../../mem/../futexlock.h:123
        v = <value optimized out>
#6  dialog_update_db (ticks=<value optimized out>, param=<value optimized out>) at dlg_db_handler.c:828
        index = <value optimized out>
        cell = <value optimized out>
#7  0x00007f1cb1adbd21 in mod_destroy () at dialog.c:692
No locals.
#8  0x00000000004e23f4 in destroy_modules () at sr_module.c:782
        t = 0x7f1cb8da6578
        foo = 0x7f1cb8da6108
        __FUNCTION__ = "destroy_modules"
#9  0x000000000046154f in cleanup (show_status=1) at main.c:536
        memlog = <value optimized out>
        __FUNCTION__ = "cleanup"
#10 0x00000000004621bb in shutdown_children (show_status=1, sig=<value optimized out>) at main.c:678
No locals.
#11 0x00000000004631d2 in handle_sigs () at main.c:769
        chld = 0
        chld_status = 134
        memlog = <value optimized out>
#12 0x000000000046436e in main_loop () at main.c:1713
        i = 8
        pid = <value optimized out>
        si = 0x0
        si_desc = "udp receiver child=7 sock=70.167.153.130:5160\000\000\000\000\000@\020", '\000' <repeats 12 times>, "\016\b\000\000\000\000\000\000\000h\244 at N\225\342\362&\000\000\000\000\000\000\000\001\000\000\000\000\000\000\000\300\v\215\000\000\000\000\000\"\000\000\000\000\000\000\000\000\000@\020", '\000' <repeats 11 times>
#13 0x0000000000465dd2 in main (argc=11, argv=0x7fffc752dbc8) at main.c:2475
        cfg_stream = <value optimized out>
        c = <value optimized out>
        r = <value optimized out>
        tmp = 0x7fffc752ee83 ""
        tmp_len = 0
        port = <value optimized out>
        proto = <value optimized out>
        ret = <value optimized out>
        seed = 48325081
        rfd = <value optimized out>
        debug_save = 272629760
        debug_flag = 34
        dont_fork_cnt = 0
        n_lst = 0x10400000
        p = <value optimized out>

----------

More information can be found at the following URL:
http://sip-router.org/tracker/index.php?do=details&task_id=173#comment342

You are receiving this message because you have requested it from the Flyspray bugtracking system.  If you did not expect this message or don't want to receive mails in future, you can change your notification settings at the URL shown above.
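What the second backtrace shows, read frame by frame, is not a second memory-corruption fault but the shutdown path: handle_sigs() reaps a child with chld_status = 134 (raw wait status 0x86, i.e. killed by signal 6, SIGABRT, with a core dump), calls shutdown_children() -> cleanup() -> destroy_modules(), and the dialog module's mod_destroy() enters dialog_update_db(), which blocks in futex_get() on a shared-memory lock until the alarm handler sig_alarm_abort() abort()s the main process about a minute later. The trace does not say which process held that lock; the natural assumption, and it is only an assumption, is that the process that died first (the one from the double-free coredump) was holding it. The following C program is an added example, not sip-router code, that reproduces that pattern in isolation: a lock in memory shared across fork(), a child that aborts while holding it, and a parent cleanup that would hang forever without a bound. The lock type, the function names (lock_acquire_timeout, decode_wait_status, run_scenario) and the timeouts are this example's own; the project's lock is the futex-based one in futexlock.h and has no deadline of its own, the only bound being the alarm() armed around shutdown.

```c
/* Added example, not sip-router code: a process-shared lock orphaned by a
 * child that dies holding it, and a bounded wait that turns the resulting
 * hang into a reportable timeout.  Names and timeouts are this example's own. */
#define _GNU_SOURCE
#include <signal.h>
#include <stdatomic.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* One lock in memory shared across fork(), as the dialog module's
 * shared-memory locks are in the trace. */
typedef struct {
    atomic_int locked;   /* 0 = free, 1 = held */
    pid_t owner;         /* diagnostics only */
} shm_lock_t;

static long long now_ms(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts.tv_sec * 1000LL + ts.tv_nsec / 1000000;
}

/* Spin (with 1 ms naps) until the lock is taken or timeout_ms has passed.
 * Returns 1 on success, 0 on timeout.  An unbounded lock like futex_get()
 * in the trace would block here forever once the holder is dead; the only
 * way out in the trace is the alarm handler sig_alarm_abort(). */
static int lock_acquire_timeout(shm_lock_t *l, int timeout_ms) {
    const struct timespec nap = { 0, 1000000 };
    long long deadline = now_ms() + timeout_ms;
    for (;;) {
        int expected = 0;
        if (atomic_compare_exchange_strong(&l->locked, &expected, 1)) {
            l->owner = getpid();
            return 1;
        }
        if (now_ms() >= deadline)
            return 0;
        nanosleep(&nap, NULL);
    }
}

static void lock_release(shm_lock_t *l) {
    l->owner = 0;
    atomic_store(&l->locked, 0);
}

/* Decode a raw waitpid() status as handle_sigs() sees it.  chld_status = 134
 * in the trace is 0x86: low 7 bits 6 = SIGABRT, bit 0x80 = core dumped. */
typedef struct { int exited, exit_code, term_sig, core; } wait_info_t;

static wait_info_t decode_wait_status(int status) {
    wait_info_t w = { 0, 0, 0, 0 };
    if (WIFEXITED(status)) {
        w.exited = 1;
        w.exit_code = WEXITSTATUS(status);
    } else if (WIFSIGNALED(status)) {
        w.term_sig = WTERMSIG(status);
#ifdef WCOREDUMP
        w.core = WCOREDUMP(status) ? 1 : 0;
#endif
    }
    return w;
}

typedef struct { int child_sig, cleanup_got_lock; } scenario_t;

/* Child takes the shared lock; with child_crashes it then dies by SIGABRT
 * (stand-in for the double-free abort) without releasing it.  The parent
 * then runs its cleanup step, which needs the same lock. */
static scenario_t run_scenario(int child_crashes) {
    scenario_t r = { 0, 0 };
    shm_lock_t *l = mmap(NULL, sizeof *l, PROT_READ | PROT_WRITE,
                         MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if (l == MAP_FAILED) { perror("mmap"); return r; }
    atomic_init(&l->locked, 0);
    l->owner = 0;

    pid_t pid = fork();
    if (pid == 0) {
        struct rlimit nocore = { 0, 0 };
        setrlimit(RLIMIT_CORE, &nocore);   /* keep the demo from leaving core files */
        lock_acquire_timeout(l, 1000);
        if (child_crashes) {
            signal(SIGABRT, SIG_DFL);
            raise(SIGABRT);                /* dies holding the lock */
        }
        lock_release(l);
        _exit(0);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    r.child_sig = decode_wait_status(status).term_sig;

    /* Parent cleanup (mod_destroy -> dialog_update_db -> lock in the trace). */
    r.cleanup_got_lock = lock_acquire_timeout(l, 200);
    if (r.cleanup_got_lock)
        lock_release(l);
    else
        fprintf(stderr, "cleanup: lock still owned by dead pid %d after 200 ms\n", (int)l->owner);
    munmap(l, sizeof *l);
    return r;
}

int main(void) {
    wait_info_t w = decode_wait_status(134);
    printf("chld_status=134 -> term_sig=%d core=%d\n", w.term_sig, w.core);
    scenario_t a = run_scenario(1), b = run_scenario(0);
    printf("crashing child: sig=%d cleanup_got_lock=%d\n", a.child_sig, a.cleanup_got_lock);
    printf("clean child:    sig=%d cleanup_got_lock=%d\n", b.child_sig, b.cleanup_got_lock);
    return 0;
}
```

The practical consequence for this report: the second core is the watchdog firing on an orphaned lock and tells you little beyond the shutdown order, so the first core (the one with the double-free frames) is the one to analyze; the timeout in lock_acquire_timeout above is this example's substitute for the alarm, not something the project's futex_get() offers.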