[sr-dev] [tracker] Comment added: Double Free -- Crash/Coredump and possible security vulnerability

sip-router admin at sip-router.org
Sun Nov 20 23:32:45 CET 2011


THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY.

The following task has a new comment added:

FS#173 - Double Free -- Crash/Coredump and possible security vulnerability
User who did this - Brandon Armstead (CRYY2010)

----------
Timo,

   To be honest - after the crash occurred I've tried like 10 different builds from the top of the origin/3.1 and origin/3.2 branches downwards - trying to see if one of them would not reproduce the crash.  So I cannot say without a doubt that this log info is from a 3.1 or a 3.2 branch.

However the crash has happened with latest git 3.1 and 3.2 and several commits downwards from these branches.

*** MOD PARAM ***


# dialog
modparam("dialog", "enable_stats", 1)
modparam("dialog", "dlg_flag", 4)
modparam("dialog", "timeout_avp", "$avp(s:dialog-timeout)")
modparam("dialog", "default_timeout", 3600)
modparam("dialog", "dlg_match_mode", 1)
modparam("dialog", "db_mode", 1)
modparam("dialog", "detect_spirals", 1)


*** SCENARIO ***

The only thing that I am doing in configuration with dialog is three things.

1) I call dlg_manage right before t_relay()

2) I have the following code ABOVE loose_route:


 if (dlg_get("$ci", "$ft", "$tt")) {
     xlog("L_INFO", "[$ci] forceful call hangup");
     dlg_bye("all");
 }

3) I am using various dialog pseudo variables throughout the config, typically to insert information into the database via avp_db_query.

That is the extent of my dialog scripting.

Here is another interesting thought: this issue seems specific to the following call scenario:

UAC -> outbound call -> REGISTRAR -> (CORE PROXY / LCR *CRASHING*) -> PSTN

PSTN responds with 503 "Service Unavailable"

CORE / PROXY advance routes -> SECOND PSTN

*CRASH*

Also - another interesting note is that it seems it only happens in this scenario when sending the call to the explicit "SECOND PSTN".

If I trade out SECOND PSTN for THIRD PSTN (an alternate carrier) then the crash does not happen.

I hope this provides some more light on the situation, let me know if I can provide any additional information, thanks!
----------

More information can be found at the following URL:
http://sip-router.org/tracker/index.php?do=details&task_id=173#comment369

You are receiving this message because you have requested it from the Flyspray bugtracking system.  If you did not expect this message or don't want to receive mails in future, you can change your notification settings at the URL shown above.


