[sr-dev] [tracker] Comment added: Double Free -- Crash/Coredump and possible security vulnerability

sip-router admin at sip-router.org
Fri Nov 25 14:58:20 CET 2011


THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY.

The following task has a new comment added:

FS#173 - Double Free -- Crash/Coredump and possible security vulnerability
User who did this - Brandon Armstead (CRYY2010)

----------
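Dialog New Ref *** CRASH *** (gdb backtrace from the core dump: the fault is in dlg_lookup at dlg_hash.c:442, reached through the tm callbacks run from tm_shutdown while the modules are being destroyed. chld_status = 139 in frame #10 looks like a child that had already died on SIGSEGV, so this may be a second crash during cleanup rather than the original one.)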

[New process 22271]
#0  0x00007f6d164e8ad2 in dlg_lookup (h_entry=2849, h_id=1192025086) at dlg_hash.c:442
442		if (h_entry>=d_table->size)
(gdb) bt
#0  0x00007f6d164e8ad2 in dlg_lookup (h_entry=2849, h_id=1192025086) at dlg_hash.c:442
#1  0x00007f6d164e0725 in unref_dlg_from_cb (t=<value optimized out>, type=1192025086, param=0x7fff21c7a460) at dlg_handlers.c:964
#2  0x00007f6d1673db19 in run_trans_callbacks_internal (cb_lst=0x7f6d017c9b20, type=32768, trans=0x7f6d017c9ab0, params=0x7fff21c7a460) at t_hooks.c:290
#3  0x00007f6d1673dd86 in run_trans_callbacks (type=32768, trans=<value optimized out>, req=0x0, rpl=0x7f6d1670cc68, code=0) at t_hooks.c:317
#4  0x00007f6d167238c6 in free_cell (dead_cell=0x7f6d017c9ab0) at h_table.c:152
#5  0x00007f6d16723af0 in free_hash_table () at h_table.c:443
#6  0x00007f6d16734875 in tm_shutdown () at t_funcs.c:126
#7  0x00000000004e068f in destroy_modules () at sr_module.c:783
#8  0x00000000004655d0 in cleanup (show_status=1) at main.c:564
#9  0x00000000004662a4 in shutdown_children (sig=<value optimized out>, show_status=1) at main.c:706
#10 0x0000000000466c7b in handle_sigs () at main.c:797
#11 0x0000000000467bb6 in main_loop () at main.c:1741
#12 0x000000000046b22c in main (argc=<value optimized out>, argv=0x7fff21c7a888) at main.c:2508
(gdb) bt full
#0  0x00007f6d164e8ad2 in dlg_lookup (h_entry=2849, h_id=1192025086) at dlg_hash.c:442
	dlg = <value optimized out>
	d_entry = <value optimized out>
#1  0x00007f6d164e0725 in unref_dlg_from_cb (t=<value optimized out>, type=1192025086, param=0x7fff21c7a460) at dlg_handlers.c:964
	dlg = <value optimized out>
	iuid = (dlg_iuid_t *) 0xb21
#2  0x00007f6d1673db19 in run_trans_callbacks_internal (cb_lst=0x7f6d017c9b20, type=32768, trans=0x7f6d017c9ab0, params=0x7fff21c7a460) at t_hooks.c:290
	cbp = (struct tm_callback *) 0x7f6d018fe5e8
	backup_from = (avp_list_t *) 0x8d0310
	backup_to = (avp_list_t *) 0x8d0318
	backup_dom_from = (avp_list_t *) 0x8d0320
	backup_dom_to = (avp_list_t *) 0x8d0328
	backup_uri_from = (avp_list_t *) 0x8d0300
	backup_uri_to = (avp_list_t *) 0x8d0308
	backup_xavps = (sr_xavp_t **) 0x8d0410
#3  0x00007f6d1673dd86 in run_trans_callbacks (type=32768, trans=<value optimized out>, req=0x0, rpl=0x7f6d1670cc68, code=0) at t_hooks.c:317
	params = {req = 0x0, rpl = 0x0, param = 0x7f6d018fe5f8, code = 0, flags = 0, branch = 0, t_rbuf = 0x0, dst = 0x0, send_buf = {s = 0x0, len = 0}}
#4  0x00007f6d167238c6 in free_cell (dead_cell=0x7f6d017c9ab0) at h_table.c:152
	b = <value optimized out>
	i = <value optimized out>
	rpl = <value optimized out>
	tt = <value optimized out>
	foo = <value optimized out>
	cbs = <value optimized out>
	__FUNCTION__ = "free_cell"
#5  0x00007f6d16723af0 in free_hash_table () at h_table.c:443
	p_cell = (struct cell *) 0xb21
	tmp_cell = (struct cell *) 0x7f6d0164cd18
	__FUNCTION__ = "free_hash_table"
#6  0x00007f6d16734875 in tm_shutdown () at t_funcs.c:126
No locals.
#7  0x00000000004e068f in destroy_modules () at sr_module.c:783
	t = <value optimized out>
	foo = (struct sr_module *) 0x7f6d1832f810
	__FUNCTION__ = "destroy_modules"
#8  0x00000000004655d0 in cleanup (show_status=1) at main.c:564
	memlog = <value optimized out>
	__FUNCTION__ = "cleanup"
#9  0x00000000004662a4 in shutdown_children (sig=<value optimized out>, show_status=1) at main.c:706
No locals.
#10 0x0000000000466c7b in handle_sigs () at main.c:797
	chld = 0
	chld_status = 139
	memlog = <value optimized out>
#11 0x0000000000467bb6 in main_loop () at main.c:1741
	i = 8
	pid = <value optimized out>
	si = (struct socket_info *) 0x0
	si_desc = "udp receiver child=7 sock=67.228.177.9:5060\000\000\000\000\000`+\205\030m\177\000\000\001\000\000\000m\177\000\000\016\b", '\0' <repeats 22 times>, "\001\000\000\000\000\000\000\000\001\000\000\000\000\000\000\000\003\000\000\000\000\000\000\000\001\000\000\000\000\000\000\000\b\000\000\000\000\000\000"
#12 0x000000000046b22c in main (argc=<value optimized out>, argv=0x7fff21c7a888) at main.c:2508
---Type <return> to continue, or q <return> to quit---q
----------

More information can be found at the following URL:
http://sip-router.org/tracker/index.php?do=details&task_id=173#comment399
