[sr-dev] Crash bug freeing To headers

Alex Balashov abalashov at evaristesys.com
Wed Aug 28 09:01:06 CEST 2013


Hi Daniel,

With your patch applied (setting param list head to NULL), it now 
crashes in a different place:

Program terminated with signal 11, Segmentation fault.
#0  0x000000000055e602 in free_to_params (tb=0x7f31fee421a0)
     at parser/parse_to.c:827
827			foo = tp->next;
Missing separate debuginfos, use: debuginfo-install 
cyrus-sasl-lib-2.1.23-13.el6_3.1.x86_64 glibc-2.12-1.107.el6.x86_64 
keyutils-libs-1.4-4.el6.x86_64 krb5-libs-1.10.3-10.el6_4.2.x86_64 
libcom_err-1.41.12-14.el6.x86_64 libselinux-2.0.94-5.3.el6_4.1.x86_64 
nspr-4.9.2-1.el6.x86_64 nss-3.14.0.0-12.el6.x86_64 
nss-softokn-freebl-3.12.9-11.el6.x86_64 nss-util-3.14.0.0-2.el6.x86_64 
openldap-2.4.23-32.el6_4.1.x86_64 openssl-1.0.0-27.el6_4.2.x86_64 
postgresql92-libs-9.2.4-1PGDG.rhel6.x86_64 zlib-1.2.3-29.el6.x86_64
(gdb) where
#0  0x000000000055e602 in free_to_params (tb=0x7f31fee421a0)
     at parser/parse_to.c:827
#1  0x000000000055e658 in free_to (tb=0x7f31fee421a0) at 
parser/parse_to.c:838
#2  0x000000000053e2a9 in clean_hdr_field (hf=0x7f31fee23bc0)
     at parser/hf.c:113
#3  0x000000000053e51d in free_hdr_field_lst (hf=0x7f31fee20a60)
     at parser/hf.c:223
#4  0x0000000000542d04 in free_sip_msg (msg=0x7f31fee40df0)
     at parser/msg_parser.c:729
#5  0x000000000049e39d in receive_msg (
     buf=0x9065c0 "SIP/2.0 480 Temporarily Unavailable\r\nVia: 
SIP/2.0/UDP 55.177.31.199;branch=z9hG4bKbe3a.dab6345.0\r\nVia: 
SIP/2.0/UDP 
192.13.219.87:5060;branch=z9hG4bK-1a97-521d9f57-331967d3-3174bfdc\r\nRecord-Route: 
<sip"..., len=866,
     rcv_info=0x7fff34138bd0) at receive.c:296
#6  0x000000000052ffa1 in udp_rcv_loop () at udp_server.c:557
#7  0x0000000000467de2 in main_loop () at main.c:1638
#8  0x000000000046ad8b in main (argc=13, argv=0x7fff34138f08) at main.c:2566

-- Alex

On 08/27/2013 08:49 AM, Alex Balashov wrote:

> Hi Daniel,
>
> On 08/27/2013 08:47 AM, Daniel-Constantin Mierla wrote:
>
>> Hello,
>>
>> can you try this patch?
>> -
>> http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=14835f89fc2b761f73a0caad67d229ec3fedba29
>>
>>
>>
>> One reason for such a crash could be a double-free, which could eventually
>> happen because the pointer to params was not reset after freeing the
>> list.
>
> I will certainly try it, thank you.
>
> However, it is curious that this crash occurs only in this exact
> situation, only when calling this PBX, only when it has two registrants
> to fork among, only when I use this combination of request
> routes/subroutines.
>


-- 
Alex Balashov - Principal
Evariste Systems LLC
235 E Ponce de Leon Ave
Suite 106
Decatur, GA 30030
United States
Tel: +1-678-954-0670
Web: http://www.evaristesys.com/, http://www.alexbalashov.com/
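
The double-free scenario raised in the quoted reply (a parameter list freed without resetting its head pointer), as an added example that is not part of the thread or the project's code. The struct layout, `tracked_free` and `double_frees_after_two_calls` are simplified, hypothetical stand-ins; the release routine quarantines nodes instead of returning them to the heap so that a repeated walk can be counted safely.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified stand-ins for the To-header structures (assumed layout). */
struct to_param { struct to_param *next; int freed; };
struct to_body  { struct to_param *param_lst; };

static int double_frees;  /* releases attempted on an already released node */

/* Quarantining release: mark the node instead of handing it back to the
 * heap, so a second walk over a stale list is countable, not a crash. */
static void tracked_free(struct to_param *p) {
    if (p->freed) double_frees++;
    p->freed = 1;
}

/* Walk and release the list; optionally reset the head afterwards. */
static void free_params(struct to_body *tb, int reset_head) {
    struct to_param *tp = tb->param_lst, *foo;
    while (tp) {
        foo = tp->next;   /* same statement as the top frame of the backtrace */
        tracked_free(tp);
        tp = foo;
    }
    if (reset_head) tb->param_lst = NULL;
}

/* Build an n-node list, free it twice, return the double-free count. */
int double_frees_after_two_calls(int n, int reset_head) {
    struct to_param *nodes = calloc((size_t)n, sizeof *nodes);
    struct to_body tb = { NULL };
    if (!nodes) return -1;
    for (int i = 0; i < n; i++) {
        nodes[i].next = tb.param_lst;
        tb.param_lst = &nodes[i];
    }
    double_frees = 0;
    free_params(&tb, reset_head);
    free_params(&tb, reset_head);  /* second cleanup path hits the same body */
    free(nodes);                   /* real release of the quarantined storage */
    return double_frees;
}

int main(void) {
    printf("head left dangling: %d double frees\n", double_frees_after_two_calls(3, 0));
    printf("head reset to NULL: %d double frees\n", double_frees_after_two_calls(3, 1));
    return 0;
}
```

Resetting the head only protects callers that reach the list through the same `to_body`; a second structure holding its own copy of the list pointer is not covered by it.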


