[sr-dev] [tracker] Comment added: Double Free -- Crash/Coredump and possible security vulnerability

sip-router admin at sip-router.org
Fri Nov 25 19:27:55 CET 2011


THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY.

The following task has a new comment added:

FS#173 - Double Free -- Crash/Coredump and possible security vulnerability
User who did this - Brandon Armstead (CRYY2010)

----------
Daniel,

    I believe the backtrace posted below is from the "work around" crash.

As for restarting the SIP server --- this is possible, but ONLY after a crash - so I'm not sure whether the core file was somehow still being generated and kamailio hadn't completely shut down...

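**** BACK TRACE **** (frames #0-#10 appear twice: first as a summary, then again with locals; the abort() is raised from qm_free, called by destroy_dlg at dlg_hash.c:215)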

#0  0x00007fd59be0fed5 in raise () from /lib/libc.so.6
#1  0x00007fd59be113f3 in abort () from /lib/libc.so.6
#2  0x0000000000528679 in qm_free (qm=0x7fd584f78000, p=0x7fd585269fe8, file=0x7fd599fd66bb "dialog: dlg_hash.c", func=0x7fd599fd7022 "destroy_dlg", line=215) at mem/q_malloc.c:447
#3  0x00007fd599fbe224 in destroy_dlg (dlg=0x7fd58526c828) at dlg_hash.c:215
#4  0x00007fd599fc069b in unref_dlg (dlg=0x7fd58526c828, cnt=514) at dlg_hash.c:584
#5  0x00007fd599fc5a94 in profile_cleanup (msg=<value optimized out>, flags=<value optimized out>, param=0x6) at dlg_profile.c:317
#6  0x00000000004bc9d1 in exec_post_script_cb (msg=0xe04b18, type=<value optimized out>) at script_cb.c:195
#7  0x000000000049598d in receive_msg (
    buf=0x8a4300 "INVITE sip:RURI at KAMAILIO SIP/2.0\r\nRecord-Route: <sip:KAMAILIO_REGISTRAR;lr=on;ftag=658fa5a34456db0do0>\r\nVia: SIP/2.0/UDP KAMAILIO_REGISTRAR;branch=z9hG4bK8177.1bcb9436.0\r\nVia: SIP/2."..., len=<value optimized out>, rcv_info=0x7fffa4763210) at receive.c:221
#8  0x000000000051c9d1 in udp_rcv_loop () at udp_server.c:532
#9  0x0000000000464b35 in main_loop () at main.c:1560
#10 0x0000000000467fa3 in main (argc=<value optimized out>, argv=0x7fffa47634d8) at main.c:2410
#0  0x00007fd59be0fed5 in raise () from /lib/libc.so.6
No symbol table info available.
#1  0x00007fd59be113f3 in abort () from /lib/libc.so.6
No symbol table info available.
#2  0x0000000000528679 in qm_free (qm=0x7fd584f78000, p=0x7fd585269fe8, file=0x7fd599fd66bb "dialog: dlg_hash.c", func=0x7fd599fd7022 "destroy_dlg", line=215) at mem/q_malloc.c:447
	f = <value optimized out>
	size = <value optimized out>
#3  0x00007fd599fbe224 in destroy_dlg (dlg=0x7fd58526c828) at dlg_hash.c:215
	ret = <value optimized out>
	__FUNCTION__ = "destroy_dlg"
#4  0x00007fd599fc069b in unref_dlg (dlg=0x7fd58526c828, cnt=514) at dlg_hash.c:584
	d_entry = <value optimized out>
#5  0x00007fd599fc5a94 in profile_cleanup (msg=<value optimized out>, flags=<value optimized out>, param=0x6) at dlg_profile.c:317
No locals.
#6  0x00000000004bc9d1 in exec_post_script_cb (msg=0xe04b18, type=<value optimized out>) at script_cb.c:195
	cb = (struct script_cb *) 0xe19c08
	flags = 2147483649
#7  0x000000000049598d in receive_msg (
    buf=0x8a4300 "INVITE sip:RURI at KAMAILIO SIP/2.0\r\nRecord-Route: <sip:KAMAILIO_REGISTRAR;lr=on;ftag=658fa5a34456db0do0>\r\nVia: SIP/2.0/UDP KAMAILIO_REGISTRAR;branch=z9hG4bK8177.1bcb9436.0\r\nVia: SIP/2."..., len=<value optimized out>, rcv_info=0x7fffa4763210) at receive.c:221
	msg = (struct sip_msg *) 0xe04b18
	ctx = {rec_lev = 8, run_flags = 0, last_retcode = 0, jmp_env = {{__jmpbuf = {9420032, 5082547, 140735952597839, 0, 140555419815472, 140555429711872, 8, 4294967295}, __mask_was_saved = 9420904, 
      __saved_mask = {__val = {8357392, 140735952597528, 14699168, 4294967245, 140555429709464, 0, 140555427602890, 1, 0, 140557099728895, 4250091, 140555419815472, 14775720, 14699160, 140555427627026, 16}}}}}
	ret = <value optimized out>
	inb = {
  s = 0x8a4300 "INVITE sip:RURI at KAMAILIO SIP/2.0\r\nRecord-Route: <sip:KAMAILIO_REGISTRAR;lr=on;ftag=658fa5a34456db0do0>\r\nVia: SIP/2.0/UDP KAMAILIO_REGISTRAR;branch=z9hG4bK8177.1bcb9436.0\r\nVia: SIP/2."..., len = 1077}
	__FUNCTION__ = "receive_msg"
#8  0x000000000051c9d1 in udp_rcv_loop () at udp_server.c:532
	len = 1077
	from = (union sockaddr_union *) 0xe04a98
	fromlen = 16
	ri = {src_ip = {af = 2, len = 4, u = {addrl = {2512315459, 8}, addr32 = {2512315459, 0, 8, 0}, addr16 = {58435, 38334, 0, 0, 8, 0, 0, 0}, addr = "C��\225\000\000\000\000\b\000\000\000\000\000\000"}}, 
  dst_ip = {af = 2, len = 4, u = {addrl = {162653251, 0}, addr32 = {162653251, 0, 0, 0}, addr16 = {58435, 2481, 0, 0, 0, 0, 0, 0}, addr = "C��\t", '\0' <repeats 11 times>}}, src_port = 5060, dst_port = 5060, 
  proto_reserved1 = 0, proto_reserved2 = 0, src_su = {s = {sa_family = 2, sa_data = "\023�C��\225\000\000\000\000\000\000\000"}, sin = {sin_family = 2, sin_port = 50195, sin_addr = {s_addr = 2512315459}, 
      sin_zero = "\000\000\000\000\000\000\000"}, sin6 = {sin6_family = 2, sin6_port = 50195, sin6_flowinfo = 2512315459, sin6_addr = {in6_u = {u6_addr8 = '\0' <repeats 15 times>, u6_addr16 = {0, 0, 0, 0, 0, 0, 
            0, 0}, u6_addr32 = {0, 0, 0, 0}}}, sin6_scope_id = 0}}, bind_address = 0xe175a8, proto = 1 '\001'}
	buf = "INVITE sip:RURI at KAMAILIO SIP/2.0\r\nRecord-Route: <sip:KAMAILIO_REGISTRAR;lr=on;ftag=658fa5a34456db0do0>\r\nVia: SIP/2.0/UDP KAMAILIO_REGISTRAR;branch=z9hG4bK8177.1bcb9436.0\r\nVia: SIP/2."...
	__FUNCTION__ = "udp_rcv_loop"
#9  0x0000000000464b35 in main_loop () at main.c:1560
	i = 7
	pid = <value optimized out>
	si = (struct socket_info *) 0xe175a8
	si_desc = "udp receiver child=7 sock=KAMAILIO:5060\000\000\000\000\000�o�\000\000\000\000\000\001\000\000\000�\177", '\0' <repeats 18 times>, "t\000\000\000\000\000\000\000\030��\204\001\000\000\000\001\000\000\000\000\000\000\000\003", '\0' <repeats 22 times>
#10 0x0000000000467fa3 in main (argc=<value optimized out>, argv=0x7fffa47634d8) at main.c:2410
	cfg_stream = (FILE *) 0x2316010
	c = <value optimized out>
	r = <value optimized out>
	tmp = 0x7fffa4764f76 ""
	tmp_len = 32725
	port = <value optimized out>
	proto = <value optimized out>
	ret = <value optimized out>
	seed = 427627096
	rfd = 4
	debug_save = <value optimized out>
	debug_flag = 0
	dont_fork_cnt = 0
	n_lst = <value optimized out>
	p = <value optimized out>
----------

More information can be found at the following URL:
http://sip-router.org/tracker/index.php?do=details&task_id=173#comment403



