[sr-dev] [tracker] Comment added: Double Free -- Crash/Coredump and possible security vulnerability

sip-router admin at sip-router.org
Sun Nov 20 11:57:27 CET 2011


THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY.

The following task has a new comment added:

FS#173 - Double Free -- Crash/Coredump and possible security vulnerability
User who did this - Timo Reimann (tr)

----------
Brandon,

I took a closer look at the information you gave: The problem seems to be related to reference counting (again).

I can see that the reference counter is decremented one time too often after the BYE message is received. In your scenario, things look like this:

Nov 17 09:40:04 kamailio /usr/local/sbin/kamailio[21598]: INFO: dialog [dlg_handlers.c:1132]: BYE successfully processed
Nov 17 09:40:04 kamailio /usr/local/sbin/kamailio[21598]: INFO: dialog [dlg_hash.c:597]: unref dlg 0x7f12fbd186c8 with 2 -> 2
Nov 17 09:40:04 kamailio /usr/local/sbin/kamailio[21598]: INFO: dialog [dlg_hash.c:579]: ref dlg 0x7f12fbd186c8 with 1 -> 3
Nov 17 09:40:04 kamailio /usr/local/sbin/kamailio[21598]: INFO: dialog [dlg_hash.c:597]: unref dlg 0x7f12fbd186c8 with 2 -> 1

In a reference call I did on my machine, you can see that the last unref operation is one less:

 0(43729) NOTICE: dialog [dlg_handlers.c:1132]: BYE successfully processed
 0(43729) NOTICE: dialog [dlg_hash.c:597]: unref dlg 0x101bb2080 with 2 -> 2
 0(43729) NOTICE: dialog [dlg_hash.c:579]: ref dlg 0x101bb2080 with 1 -> 3
 0(43729) NOTICE: dialog [dlg_hash.c:597]: unref dlg 0x101bb2080 with 1 -> 2

This leads to the situation where the dialog is erroneously removed prematurely. When the "canonical" dialog termination occurs later, removal is conducted for a second time, leading to a double free.

So the question is: What is happening in your scenario? Are you using any dialog module-related functions or touching the dialog in any way within the configuration script during processing of the BYE request? If so, which one(s)?

Also, could you please post your dialog modparams?

I assume you're using the latest build of 3.2 (that is, not the official release but a recent compiled build from the 3.2 branch). Is that correct?
----------
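An added example, not Kamailio code and not part of the tracker comment above: it replays ref/unref trace lines of the shape quoted in the comment, flags any operation on a dialog whose count has already reached zero, and reports the step at which two traces first diverge. The two lines that extend the reported trace to the point of the double free are constructed assumptions, not taken from the report.

```python
import re

# Trace line shape from the comment: "<ref|unref> dlg <ptr> with <delta> -> <count>"
LINE_RE = re.compile(r"\b(ref|unref) dlg (0x[0-9a-fA-F]+) with (\d+) -> (-?\d+)")

def parse(line):
    """(op, dlg_ptr, delta, resulting_count) for a ref/unref line, else None."""
    m = LINE_RE.search(line)
    return (m.group(1), m.group(2), int(m.group(3)), int(m.group(4))) if m else None

def replay(lines):
    """Flag any ref/unref on a dialog whose count already reached zero."""
    freed, issues = set(), []
    for no, line in enumerate(lines, 1):
        rec = parse(line)
        if rec is None:
            continue
        op, dlg, _, result = rec
        if dlg in freed:  # dialog was already released: double free / use after free
            issues.append((no, f"{op} on {dlg} after its count reached 0"))
        if result <= 0:
            freed.add(dlg)
    return issues

def first_divergence(trace_a, trace_b):
    """Index of the first (op, delta) step where the traces differ, or None.
    Pointers differ between hosts, so only the operation and delta are compared."""
    a = [(r[0], r[2]) for r in map(parse, trace_a) if r]
    b = [(r[0], r[2]) for r in map(parse, trace_b) if r]
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))

# Constructed samples: the ref/unref lines quoted in the report, plus an assumed
# continuation where the "canonical" termination releases the dialog twice.
REPORTED = [
    "INFO: dialog [dlg_hash.c:597]: unref dlg 0x7f12fbd186c8 with 2 -> 2",
    "INFO: dialog [dlg_hash.c:579]: ref dlg 0x7f12fbd186c8 with 1 -> 3",
    "INFO: dialog [dlg_hash.c:597]: unref dlg 0x7f12fbd186c8 with 2 -> 1",
    "INFO: dialog [dlg_hash.c:597]: unref dlg 0x7f12fbd186c8 with 1 -> 0",   # assumed
    "INFO: dialog [dlg_hash.c:597]: unref dlg 0x7f12fbd186c8 with 1 -> -1",  # assumed
]
REFERENCE = [  # the comment's own reference run on another host
    "NOTICE: dialog [dlg_hash.c:597]: unref dlg 0x101bb2080 with 2 -> 2",
    "NOTICE: dialog [dlg_hash.c:579]: ref dlg 0x101bb2080 with 1 -> 3",
    "NOTICE: dialog [dlg_hash.c:597]: unref dlg 0x101bb2080 with 1 -> 2",
]
```

Running `replay` over a full log from a reproduction and `first_divergence` against a known-good trace narrows the search to the step whose delta differs, which is the third ref/unref step in the traces above.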

More information can be found at the following URL:
http://sip-router.org/tracker/index.php?do=details&task_id=173#comment368

You are receiving this message because you have requested it from the Flyspray bugtracking system.  If you did not expect this message or don't want to receive mails in future, you can change your notification settings at the URL shown above.