[sr-dev] [tracker] Comment added: Double Free -- Crash/Coredump and possible security vulnerability

sip-router admin at sip-router.org
Sun Nov 20 09:11:09 CET 2011



The following task has a new comment added:

FS#173 - Double Free -- Crash/Coredump and possible security vulnerability
User who did this - Brandon Armstead (CRYY2010)

----------
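**** SEPARATE CRASH **** (full backtrace: frame summary first, then the same frames repeated with locals)

Summary of the trace below: the process aborts inside qm_free() (mem/q_malloc.c:447), which was called from destroy_dlg() at dlg_hash.c:215 in the dialog module. The call path is udp_rcv_loop() -> receive_msg() -> exec_post_script_cb() -> profile_cleanup() -> unref_dlg() -> destroy_dlg(), reached while handling an incoming ACK received over UDP. unref_dlg() is called with cnt=518 in frame #4; whether that value is expected is worth checking against dlg_profile.c:317.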

#0  0x00007f1eb16fbed5 in raise () from /lib/libc.so.6
#1  0x00007f1eb16fd3f3 in abort () from /lib/libc.so.6
#2  0x0000000000528739 in qm_free (qm=0x7f1e9a864000, p=0x7f1e9c2b28a0, file=0x7f1eaf8c26bb "dialog: dlg_hash.c", func=0x7f1eaf8c3022 "destroy_dlg", line=215) at mem/q_malloc.c:447
#3  0x00007f1eaf8aa224 in destroy_dlg (dlg=0x7f1e9cae87f8) at dlg_hash.c:215
#4  0x00007f1eaf8ac69b in unref_dlg (dlg=0x7f1e9cae87f8, cnt=518) at dlg_hash.c:584
#5  0x00007f1eaf8b1a94 in profile_cleanup (msg=<value optimized out>, flags=<value optimized out>, param=0x6) at dlg_profile.c:317
#6  0x00000000004bca91 in exec_post_script_cb (msg=0xaa93c8, type=<value optimized out>) at script_cb.c:195
#7  0x0000000000495a4d in receive_msg (
    buf=0x8a4300 "ACK sip:URI at IP:5060;user=phone;transport=udp SIP/2.0\r\nRecord-Route: <sip:PROXY:5078;lr=on;ftag=7a0b74aea87281deo0>\r\nVia: SIP/2.0/UDP PROXY:5078;branch=z9hG4bK-4ab37cdb"..., len=<value optimized out>, rcv_info=0x7fffba04e9a0) at receive.c:221
#8  0x000000000051ca91 in udp_rcv_loop () at udp_server.c:532
#9  0x0000000000464bf5 in main_loop () at main.c:1560
#10 0x0000000000468063 in main (argc=<value optimized out>, argv=0x7fffba04ec68) at main.c:2410
#0  0x00007f1eb16fbed5 in raise () from /lib/libc.so.6
No symbol table info available.
#1  0x00007f1eb16fd3f3 in abort () from /lib/libc.so.6
No symbol table info available.
#2  0x0000000000528739 in qm_free (qm=0x7f1e9a864000, p=0x7f1e9c2b28a0, file=0x7f1eaf8c26bb "dialog: dlg_hash.c", func=0x7f1eaf8c3022 "destroy_dlg", line=215) at mem/q_malloc.c:447
	f = <value optimized out>
	size = <value optimized out>
#3  0x00007f1eaf8aa224 in destroy_dlg (dlg=0x7f1e9cae87f8) at dlg_hash.c:215
	ret = <value optimized out>
	__FUNCTION__ = "destroy_dlg"
#4  0x00007f1eaf8ac69b in unref_dlg (dlg=0x7f1e9cae87f8, cnt=518) at dlg_hash.c:584
	d_entry = <value optimized out>
#5  0x00007f1eaf8b1a94 in profile_cleanup (msg=<value optimized out>, flags=<value optimized out>, param=0x6) at dlg_profile.c:317
No locals.
#6  0x00000000004bca91 in exec_post_script_cb (msg=0xaa93c8, type=<value optimized out>) at script_cb.c:195
	cb = (struct script_cb *) 0xe0e410
	flags = 2147483649
#7  0x0000000000495a4d in receive_msg (
    buf=0x8a4300 "ACK sip:URI at IP:5060;user=phone;transport=udp SIP/2.0\r\nRecord-Route: <sip:PROXY:5078;lr=on;ftag=7a0b74aea87281deo0>\r\nVia: SIP/2.0/UDP PROXY:5078;branch=z9hG4bK-4ab37cdb"..., len=<value optimized out>, rcv_info=0x7fffba04e9a0) at receive.c:221
	msg = (struct sip_msg *) 0xaa93c8
	ctx = {rec_lev = 6, run_flags = 0, last_retcode = 0, jmp_env = {{__jmpbuf = {9420032, 5082739, 140736314272479, 0, 139769802477104, 139769812373504, 6, 4294967295}, __mask_was_saved = 9420904, 
      __saved_mask = {__val = {8357392, 140736314272168, 14652072, 4294967245, 139769812371096, 0, 139769810264522, 1, 0, 139771120713727, 4250091, 139769802477104, 14728624, 14652064, 139769810288658, 16}}}}}
	ret = <value optimized out>
	inb = {
  s = 0x8a4300 "ACK sip:URI at IP:5060;user=phone;transport=udp SIP/2.0\r\nRecord-Route: <sip:PROXY:5078;lr=on;ftag=7a0b74aea87281deo0>\r\nVia: SIP/2.0/UDP PROXY:5078;branch=z9hG4bK-4ab37cdb"..., len = 729}
	__FUNCTION__ = "receive_msg"
#8  0x000000000051ca91 in udp_rcv_loop () at udp_server.c:532
	len = 729
	from = (union sockaddr_union *) 0xdf92a0
	fromlen = 16
	ri = {src_ip = {af = 2, len = 4, u = {addrl = {2083402568, 6}, addr32 = {2083402568, 0, 6, 0}, addr16 = {13128, 31790, 0, 0, 6, 0, 0, 0}, addr = "H3.|\000\000\000\000\006\000\000\000\000\000\000"}}, 
  dst_ip = {af = 2, len = 4, u = {addrl = {162653251, 0}, addr32 = {162653251, 0, 0, 0}, addr16 = {58435, 2481, 0, 0, 0, 0, 0, 0}, addr = "Cä±\t", '\0' <repeats 11 times>}}, src_port = 5078, dst_port = 5060, 
  proto_reserved1 = 0, proto_reserved2 = 0, src_su = {s = {sa_family = 2, sa_data = "\023ÖH3.|\000\000\000\000\000\000\000"}, sin = {sin_family = 2, sin_port = 54803, sin_addr = {s_addr = 2083402568}, 
      sin_zero = "\000\000\000\000\000\000\000"}, sin6 = {sin6_family = 2, sin6_port = 54803, sin6_flowinfo = 2083402568, sin6_addr = {in6_u = {u6_addr8 = '\0' <repeats 15 times>, u6_addr16 = {0, 0, 0, 0, 0, 0, 
            0, 0}, u6_addr32 = {0, 0, 0, 0}}}, sin6_scope_id = 0}}, bind_address = 0xe0bdb0, proto = 1 '\001'}
	buf = "ACK sip:URI at IP:5060;user=phone;transport=udp SIP/2.0\r\nRecord-Route: <sip:PROXY:5078;lr=on;ftag=7a0b74aea87281deo0>\r\nVia: SIP/2.0/UDP PROXY:5078;branch=z9hG4bK-4ab37cdb"...
	__FUNCTION__ = "udp_rcv_loop"
#9  0x0000000000464bf5 in main_loop () at main.c:1560
	i = 5
	pid = <value optimized out>
	si = (struct socket_info *) 0xe0bdb0
	si_desc = "udp receiver child=5 sock=67.228.177.9:5060\000\000\000\000\000°·à\000\000\000\000\000\001\000\000\000\036\177", '\0' <repeats 18 times>, "t\000\000\000\000\000\000\000\030\225\211\232\001\000\000\000\001\000\000\000\000\000\000\000\003", '\0' <repeats 22 times>
#10 0x0000000000468063 in main (argc=<value optimized out>, argv=0x7fffba04ec68) at main.c:2410
	cfg_stream = (FILE *) 0x1a00010
	c = <value optimized out>
	r = <value optimized out>
	tmp = 0x7fffba050e5f ""
Quit
----------

More information can be found at the following URL:
http://sip-router.org/tracker/index.php?do=details&task_id=173#comment366
