[sr-dev] git:master: core: Added null pointer check to parser/msg_parser.c: get_hdr_field().

Alex Balashov abalashov at evaristesys.com
Sun Aug 5 14:54:55 CEST 2012 

I wish I could tell what exotic SIP message caused this, bug I am not 
crafty enough with GDB, and a lot of values are optimised out because I 
did not specifically compile with all debugging symbols in.  But here's 
what I've got:

#0  get_hdr_field (buf=0x0, end=0x8d88b1 "", hdr=0x2acdfc282048)
     at parser/msg_parser.c:102
#1  0x00000000005425ff in parse_headers (msg=0x2acdfc275330, flags=64,
     next=<value optimized out>) at parser/msg_parser.c:349
#2  0x00002acdfcc56e2c in pv_get_callid (msg=0x0, param=0x2acdfc27d468,
     res=0x7fff5362ccf0) at pv_core.c:587
#3  0x000000000049082c in pv_get_spec_value (msg=0x2acdfc275330,
     sp=0x2acdfc27d450, value=0x7fff5362ccf0) at pvapi.c:1180
#4  0x0000000000491188 in pv_printf (msg=0x2acdfc275330,
     list=<value optimized out>, buf=<value optimized out>, 
len=0x7fff5362cd78)
     at pvapi.c:1238
#5  0x00002acdfe1974ef in xlog_helper (msg=0x0, xm=0x2acdfc25d2e8, level=2,
     line=0, facility=48) at xlog.c:175
#6  0x00002acdfe1992d2 in xlog_2_helper (msg=0x2acdfc275330,
     lev=<value optimized out>, frm=0x2acdfc25d2e8 "@\324'\374\315*", 
mode=0,
     facility=-1) at xlog.c:244
#7  0x00000000004142d3 in do_action (h=0x7fff5362f2e0, a=0x2acdfc262d88,
     msg=0x2acdfc275330) at action.c:1151
#8  0x000000000041bc7c in run_actions (h=0x7fff5362f2e0, a=0x2acdfc25af40,
     msg=0x2acdfc275330) at action.c:1644
#9  0x00000000004140ec in do_action (h=0x7fff5362f2e0,
     a=<value optimized out>, msg=0x2acdfc275330) at action.c:761
#10 0x000000000041bc7c in run_actions (h=0x7fff5362f2e0, a=0x2acdfc245748,
     msg=0x2acdfc275330) at action.c:1644
#11 0x00000000004140ec in do_action (h=0x7fff5362f2e0,
     a=<value optimized out>, msg=0x2acdfc275330) at action.c:761
#12 0x000000000041bc7c in run_actions (h=0x7fff5362f2e0, a=0x2acdfc232988,
     msg=0x2acdfc275330) at action.c:1644
#13 0x00000000004140ec in do_action (h=0x7fff5362f2e0,
     a=<value optimized out>, msg=0x2acdfc275330) at action.c:761
#14 0x000000000041bc7c in run_actions (h=0x7fff5362f2e0, a=0x2acdfc228b50,
     msg=0x2acdfc275330) at action.c:1644
#15 0x000000000041428f in do_action (h=0x7fff5362f2e0, a=0x2acdfc229b58,
     msg=0x2acdfc275330) at action.c:1140
#16 0x000000000041bc7c in run_actions (h=0x7fff5362f2e0, a=0x2acdfc229b58,
     msg=0x2acdfc275330) at action.c:1644
#17 0x000000000041428f in do_action (h=0x7fff5362f2e0, a=0x2acdfc229c48,
     msg=0x2acdfc275330) at action.c:1140
#18 0x000000000041bc7c in run_actions (h=0x7fff5362f2e0, a=0x2acdfc2275a0,
     msg=0x2acdfc275330) at action.c:1644
#19 0x000000000041428f in do_action (h=0x7fff5362f2e0, a=0x2acdfc22a100,
     msg=0x2acdfc275330) at action.c:1140
#20 0x000000000041bc7c in run_actions (h=0x7fff5362f2e0, a=0x2acdfc21ca50,
     msg=0x2acdfc275330) at action.c:1644
#21 0x000000000041c252 in run_top_route (a=0x2acdfc21ca50, 
msg=0x2acdfc275330,
     c=<value optimized out>) at action.c:1729
#22 0x000000000049eb9e in receive_msg (
     buf=0x8d84e0 "INVITE sip:19378983606 710 at 207.239.33.68:5060 
SIP/2.0\r\nRecord-Route: 
<sip:67.202.68.216;lr=on;ftag=16tymU8a0r00F;vsf=", 'A' <repeats 40 
times>, "OjUwNjA->\r\nVia: SIP/2.0/UDP 74.117.36.132;r"...,
     len=<value optimized out>, rcv_info=0x7fff5362f540) at receive.c:209
#23 0x0000000000531eb5 in udp_rcv_loop () at udp_server.c:544
#24 0x000000000046c094 in main_loop () at main.c:1633
#25 0x000000000046fa49 in main (argc=<value optimized out>,
     argv=<value optimized out>) at main.c:2546

More concretely:

(gdb) set print elements 0
(gdb) frame 22
#22 0x000000000049eb9e in receive_msg (
     buf=0x8d84e0 "INVITE sip:19378983606 710 at 207.239.33.68:5060 
SIP/2.0\r\nRecord-Route: 
<sip:67.202.68.216;lr=on;ftag=16tymU8a0r00F;vsf=", 'A' <repeats 40 
times>, "OjUwNjA->\r\nVia: SIP/2.0/UDP 
74.117.36.132;rport;branch=z9hG4bKS3HNBgF9eZg1B\r\nMax-Forwards: 
32\r\nFrom: <sip:447946638460 at 74.117.36.132>;tag=16tymU8a0r00F\r\nTo: 
<sip:19378983606+710 at 67.202.68.216:5060>\r\nCall-ID: 
c7af1039-5520-1230-c785-0022192283b7\r\nCSeq: 31502447 
INVITE\r\nContact: <sip:447946638460 at 74.117.36.132:5060>\r\nUser-Agent: 
DNL-Switch\r\nAllow: INVITE, ACK, BYE, CANCEL, OPTIONS, INFO, 
PRACK\r\nSupported: 100rel\r\nContent-Type: 
application/sdp\r\nContent-Length: 351\r\n\r\nv=0\r\no=- 1098630309 1 IN 
IP4 74.117.36.132\r\ns=DNL-SDP\r\nc=IN IP4 74.117.36.132\r\nt=0 
0\r\nm=audio 45872 RTP/AVP 8 18 4 0 101\r\na=rtpmap:8 
PCMA/8000/1\r\na=rtpmap:18 G729/8000/1\r\na=fmtp:18 
annexb=no\r\na=rtpmap:4 G723/8000/1\r\na=fmtp:4 annexa=no\r\na=rtpmap:0 
PCMU/8000/1\r\na=rtpmap:101 telephone-event/8000\r\na=fmtp:101 
0-15\r\na=silenceSupp:off - - - -\r\na=ptime:20\r\n", len=<value 
optimized out>, rcv_info=0x7fff5362f540) at receive.c:209
209			if (run_top_route(main_rt.rlist[DEFAULT_RT], msg, 0)<0)

However, I can't really make heads or tails of this value.  If any GDB 
pros have tips for analysing this buffer?

On 08/05/2012 08:40 AM, Alex Balashov wrote:

> Module: sip-router
> Branch: master
> Commit: 9fc34aad6328a92b7572ae077d9ff4d2699dbb48
> URL:    http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=9fc34aad6328a92b7572ae077d9ff4d2699dbb48
>
> Author: Alex Balashov <abalashov at evaristesys.com>
> Committer: Alex Balashov <abalashov at evaristesys.com>
> Date:   Sun Aug  5 08:22:12 2012 -0400
>
> core: Added null pointer check to parser/msg_parser.c:get_hdr_field().
>
> Encountered crash bug in which 'buf' pointer passed to get_hdr_field()
> was null.  There is no null check, so attempts to dereference it lead to
> a crash:
>
> Core was generated by `/usr/local/sbin/kamailio -P /var/run/kamailio.pid -m 1024 -u root -g root -f /r'.
> Program terminated with signal 11, Segmentation fault.
>      at parser/msg_parser.c:102
> 102		if ((*buf)=='\n' || (*buf)=='\r'){
>
> Fixed by adding a check for buf == NULL to top of function.
>
> ---
>
>   parser/msg_parser.c |    5 +++++
>   1 files changed, 5 insertions(+), 0 deletions(-)
>
> diff --git a/parser/msg_parser.c b/parser/msg_parser.c
> index 803ee07..b279e47 100644
> --- a/parser/msg_parser.c
> +++ b/parser/msg_parser.c
> @@ -96,6 +96,11 @@ char* get_hdr_field(char* const buf, char* const end, struct hdr_field* const hd
>   	int integer, err;
>   	unsigned uval;
>
> +	if(!buf) {
> +		DBG("null buffer pointer\n");
> +		goto error;
> +	}
> +
>   	if ((*buf)=='\n' || (*buf)=='\r'){
>   		/* double crlf or lflf or crcr */
>   		DBG("found end of header\n");
>
>
> _______________________________________________
> sr-dev mailing list
> sr-dev at lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
>


-- 
Alex Balashov - Principal
Evariste Systems LLC
235 E Ponce de Leon Ave
Suite 106
Decatur, GA 30030
Tel: +1-678-954-0670
Fax: +1-404-961-1892
Web: http://www.evaristesys.com/, http://www.alexbalashov.com/

More information about the sr-dev mailing list