[sr-dev] Crash bug freeing To headers

Daniel-Constantin Mierla miconda at gmail.com
Wed Aug 28 09:55:37 CEST 2013


As expected, a buffer overflow somewhere.

Look in logs for a message like:

BUG: qm_*: prev. fragm. tail overwritten ...

and also give the output of 'bt full'.

Cheers,
Daniel

On 8/28/13 9:47 AM, Alex Balashov wrote:
> On 08/28/2013 03:43 AM, Daniel-Constantin Mierla wrote:
>
>> Hello,
>>
>> one more thing, in frame 0, do:
>>
>> p *prev
>
> In the core dump whose 'bt full' output I put into pastebin, right?
>
> In the case of this crash (with the head/tail message with MEMDBG=1), 
> the backtrace was a bit more conventional:
>
> (gdb) where
> #0  0x0000003dbae328a5 in raise () from /lib64/libc.so.6
> #1  0x0000003dbae34085 in abort () from /lib64/libc.so.6
> #2  0x000000000053c4c1 in qm_debug_frag (qm=0x7f99b6e80010, f=0x7f99b713d008)
>     at mem/q_malloc.c:161
> #3  0x000000000053de76 in qm_free (qm=0x7f99b6e80010, p=0x7f99b713d038,
>     file=0x6165b1 "<core>: parser/parse_to.c", func=0x617e40 "free_to",
>     line=839) at mem/q_malloc.c:462
> #4  0x00000000005657fd in free_to (tb=0x7f99b713d038) at parser/parse_to.c:839
> #5  0x0000000000544ee5 in clean_hdr_field (hf=0x7f99b6eea038)
>     at parser/hf.c:113
> #6  0x000000000054515a in free_hdr_field_lst (hf=0x7f99b6ee94f0)
>     at parser/hf.c:223
> #7  0x00000000005499e5 in free_sip_msg (msg=0x7f99b713b778)
>     at parser/msg_parser.c:729
> #8  0x000000000049f89d in receive_msg (
>     buf=0x910e20 "SIP/2.0 480 Temporarily Unavailable\r\nVia: SIP/2.0/UDP 55.177.31.199;branch=z9hG4bK5d98.917ccf34.0\r\nVia: SIP/2.0/UDP 208.94.157.10:5060;branch=z9hG4bK-2d1a-521da9d0-89ce197-48a5d43\r\nRecord-Route: <sip:"..., len=860,
>     rcv_info=0x7fffd1c69db0) at receive.c:296
> #9  0x0000000000532665 in udp_rcv_loop () at udp_server.c:557
> #10 0x00000000004688a1 in main_loop () at main.c:1638
> #11 0x000000000046b84a in main (argc=13, argv=0x7fffd1c6a0e8) at main.c:2566
>
> I did wander into frame 3 here and printed the dereferenced value of 
> 'prev' as requested:
>
> (gdb) frame 3
> #3  0x000000000053de76 in qm_free (qm=0x7f99b6e80010, p=0x7f99b713d038,
>     file=0x6165b1 "<core>: parser/parse_to.c", func=0x617e40 "free_to",
>     line=839) at mem/q_malloc.c:462
> 462        qm_debug_frag(qm, f);
> (gdb) print *prev
> $1 = {size = 16160473784116415304, u = {nxt_free = 0x48bf7500e07d8348,
>     is_free = 5242037137909318472},
>   file = 0x1c880c748d8458b <Address 0x1c880c748d8458b out of bounds>,
>   func = 0x8348000000000000 <Address 0x8348000000000000 out of bounds>,
>   line = 9892250880904472772, check = 9892183985613198309}
>
> -- Alex
>

-- 
Daniel-Constantin Mierla - http://www.asipto.com
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
Kamailio Advanced Trainings - Berlin, Oct 21-24; Miami, Nov 11-13, 2013
   - more details about Kamailio trainings at http://www.asipto.com -
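Added illustration (not code from Kamailio or from either poster): a toy bump allocator with head/tail guard patterns that imitates the kind of check a MEMDBG build runs when a fragment is freed. The fragment layout, the pattern values, the status codes and the names dbg_malloc/dbg_free/demo_* are my own assumptions; the real q_malloc keeps more state and aborts instead of returning a status. The point it shows is the one behind the thread: the guard check that fires is often run on an innocent neighbour (here the To header being freed), and the file/func/line printed in the BUG message belong to that victim allocation, not to the code that overflowed.

```c
/* Added example, not Kamailio code: a toy bump allocator with head/tail guard
 * patterns imitating a MEMDBG-style free-time check. Layout, pattern values
 * and function names are assumptions for illustration only. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE 4096
#define ROUNDTO 8
#define ST_CHECK_PATTERN   0xf0f0f0f0UL   /* assumed head guard */
#define END_CHECK_PATTERN1 0xc0c0c0c0UL   /* assumed tail guards */
#define END_CHECK_PATTERN2 0xabcdefedUL

struct frag {               /* header right before the user buffer */
    size_t size;            /* rounded user size */
    const char *file;       /* allocation site, like file/func/line in the backtrace */
    const char *func;
    unsigned long line;
    unsigned long check;    /* ST_CHECK_PATTERN */
};

struct frag_end {           /* trailer right after the user buffer */
    size_t size;            /* copy of size, used to walk back to the previous header */
    unsigned long check1;
    unsigned long check2;
};

enum dbg_status {
    DBG_OK = 0,
    DBG_HEAD_OVERWRITTEN,       /* "fragm. beginning overwritten" */
    DBG_END_OVERWRITTEN,        /* "fragm. end overwritten" */
    DBG_PREV_TAIL_OVERWRITTEN   /* "prev. fragm. tail overwritten" */
};

static union { unsigned char b[ARENA_SIZE]; long double align; } arena;
static size_t arena_used;

static struct frag_end *frag_end(const struct frag *f)
{
    return (struct frag_end *)((unsigned char *)(f + 1) + f->size);
}

void dbg_reset(void) { memset(arena.b, 0, sizeof arena.b); arena_used = 0; }

/* Bump allocation only; memory is never reused, which keeps the toy short. */
void *dbg_malloc(size_t size, const char *file, const char *func, unsigned long line)
{
    size = (size + ROUNDTO - 1) & ~(size_t)(ROUNDTO - 1);
    size_t need = sizeof(struct frag) + size + sizeof(struct frag_end);
    if (arena_used + need > ARENA_SIZE)
        return NULL;
    struct frag *f = (struct frag *)(arena.b + arena_used);
    arena_used += need;
    f->size = size; f->file = file; f->func = func; f->line = line;
    f->check = ST_CHECK_PATTERN;
    struct frag_end *e = frag_end(f);
    e->size = size; e->check1 = END_CHECK_PATTERN1; e->check2 = END_CHECK_PATTERN2;
    return f + 1;
}

/* Free-time check: own head, own tail, then walk back over the previous
 * fragment's trailer and verify it. If that trailer's size was overwritten the
 * walk lands on garbage (the kind of thing "p *prev" shows in the thread). A
 * real allocator dereferences it anyway; the range check here is only added
 * so the toy does not segfault. */
enum dbg_status dbg_free(void *ptr)
{
    const struct frag *f = (const struct frag *)ptr - 1;
    if (f->check != ST_CHECK_PATTERN) {
        fprintf(stderr, "BUG: dbg_free: fragm. %p beginning overwritten (%lx)!\n",
                (const void *)f, f->check);
        return DBG_HEAD_OVERWRITTEN;
    }
    const struct frag_end *e = frag_end(f);
    if (e->check1 != END_CHECK_PATTERN1 || e->check2 != END_CHECK_PATTERN2) {
        fprintf(stderr, "BUG: dbg_free: fragm. %p end overwritten (%lx, %lx)!\n",
                (const void *)f, e->check1, e->check2);
        return DBG_END_OVERWRITTEN;
    }
    if ((const unsigned char *)f != arena.b) {            /* not the first fragment */
        const struct frag_end *pe = (const struct frag_end *)f - 1;
        size_t back = sizeof *pe + pe->size + sizeof *f;
        const struct frag *p = NULL;
        if (back <= (size_t)((const unsigned char *)f - arena.b))
            p = (const struct frag *)((const unsigned char *)f - back);
        if (!p || p->check != ST_CHECK_PATTERN ||
            pe->check1 != END_CHECK_PATTERN1 || pe->check2 != END_CHECK_PATTERN2) {
            fprintf(stderr, "BUG: dbg_free: prev. fragm. tail overwritten (%lx, %lx)[%p:%p]! "
                            "Memory allocator was called from %s: %s(%lu).\n",
                    pe->check1, pe->check2, (const void *)f, (const void *)p,
                    f->file, f->func, f->line);
            return DBG_PREV_TAIL_OVERWRITTEN;
        }
    }
    return DBG_OK;   /* bump allocator: nothing to actually release */
}

/* Two neighbouring fragments; the first overruns its 16-byte buffer by
 * `overrun` bytes (16 clobbers its trailer's size and first guard, nothing
 * of its neighbour). Allocation sites are hypothetical. */
static void setup(char **culprit, char **victim, size_t overrun)
{
    dbg_reset();
    *culprit = dbg_malloc(16, "demo.c", "culprit", 1);
    *victim  = dbg_malloc(32, "demo.c", "victim", 2);
    memset(*culprit, 'A', 16 + overrun);
}

enum dbg_status demo_clean(void)
{
    char *c, *v; setup(&c, &v, 0);
    enum dbg_status s = dbg_free(v);
    return s != DBG_OK ? s : dbg_free(c);
}

enum dbg_status demo_victim_freed_first(void)
{
    char *c, *v; setup(&c, &v, 16);
    return dbg_free(v);   /* like free_to() in the thread: the innocent neighbour */
}

enum dbg_status demo_culprit_freed(void)
{
    char *c, *v; setup(&c, &v, 16);
    return dbg_free(c);
}

int main(void)
{
    printf("clean: %d, victim freed first: %d, culprit freed: %d\n",
           demo_clean(), demo_victim_freed_first(), demo_culprit_freed());
    return 0;
}
```

Freeing the victim first produces the "prev. fragm. tail overwritten" line carrying the victim's own allocation site, which is why the reply above asks for the full BUG line (with its addresses) plus 'bt full' rather than for the free_to frame alone: the culprit is whichever allocation sits just before the freed one in memory. Note the asymmetry in the toy: an overrun that only clobbers the trailer's size field would pass the culprit's own end check and surface solely when the neighbour is freed, so the fragment named in the message is the place to start looking backwards from, not the bug itself.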



