[sr-dev] [tracker] Comment added: Crash in TCP Read on Kamailio 4.0.1

sip-router bugtracker at sip-router.org
Fri Dec 13 16:27:25 CET 2013


THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY.

The following task has a new comment added:

FS#364 - Crash in TCP Read on Kamailio 4.0.1
User who did this - Vitaliy Aleksandrov (Vitaliy)

----------
Done. And got a new crash. This time it was a SEGFAULT.

<code>
#0  0x00007f45dd9e20a7 in encode_and_send_ws_frame (frame=0x7fffcc74e0a0, conn_close=CONN_CLOSE_DO) at ws_frame.c:297
#1  0x00007f45dd9e281f in close_connection (p_wsc=0x7fffcc74e208, type=REMOTE_CLOSE, status=1000, reason=...) at ws_frame.c:359
#2  0x00007f45dd9e50c8 in handle_close (frame=0x7fffcc74e1e0) at ws_frame.c:584
#3  0x00007f45dd9e5e37 in ws_frame_receive (data=0x7fffcc74e2c0) at ws_frame.c:673
#4  0x0000000000459308 in sr_event_exec (type=10, data=0x7fffcc74e2c0) at events.c:254
#5  0x000000000053c9a2 in ws_process_msg (tcpbuf=0x7f45d44a0628 "\210\202\300*\235\005", <incomplete sequence \351>, len=8, rcv_info=0x7f45d44a0358, con=0x7f45d44a0340) at tcp_read.c:1146
#6  0x000000000053cb68 in receive_tcp_msg (tcpbuf=0x7f45d44a0628 "\210\202\300*\235\005", <incomplete sequence \351>, len=8, rcv_info=0x7f45d44a0358, con=0x7f45d44a0340) at tcp_read.c:1182
#7  0x000000000053dd97 in tcp_read_req (con=0x7f45d44a0340, bytes_read=0x7fffcc74e52c, read_flags=0x7fffcc74e534) at tcp_read.c:1383
#8  0x000000000053f7f4 in handle_io (fm=0x7f45e1539c68, events=1, idx=-1) at tcp_read.c:1617
#9  0x0000000000538006 in io_wait_loop_epoll (h=0x8f4000, t=2, repeat=0) at io_wait.h:1092
#10 0x0000000000540104 in tcp_receive_loop (unix_sock=52) at tcp_read.c:1728
#11 0x0000000000532505 in tcp_init_children () at tcp_main.c:4959
#12 0x0000000000471e09 in main_loop () at main.c:1702
#13 0x0000000000474acd in main (argc=13, argv=0x7fffcc74ea28) at main.c:2533
</code>

<code>
(gdb) frame 1
#1  0x00007f45dd9e281f in close_connection (p_wsc=0x7fffcc74e208, type=REMOTE_CLOSE, status=1000, reason=...) at ws_frame.c:359
359                     if (encode_and_send_ws_frame(&frame,
(gdb) p *p_wsc
$5 = (ws_connection_t *) 0x7f45d459c240
(gdb) p &frame
$8 = (ws_frame_t *) 0x7fffcc74e0a0
</code>

<code>
(gdb) frame 0
#0  0x00007f45dd9e20a7 in encode_and_send_ws_frame (frame=0x7fffcc74e0a0, conn_close=CONN_CLOSE_DO) at ws_frame.c:297
297                     if (frame->wsc->sub_protocol == SUB_PROTOCOL_SIP)
(gdb) p frame
$9 = (ws_frame_t *) 0x7fffcc74e0a0
(gdb) p frame->wsc
$10 = (ws_connection_t *) 0x0
</code>

frame->wsc wasn't NULL at the beginning of encode_and_send_ws_frame(), but somehow it became NULL at line 297.

Maybe it is possible that a browser sent a CLOSE command via the websocket connection and then closed the TCP connection, and Kamailio got two close events about the same connection (the CLOSE message and the dropped connection) and tried to process them simultaneously (maybe in different TCP workers).


----------

More information can be found at the following URL:
http://sip-router.org/tracker/index.php?do=details&task_id=364#comment1233

You are receiving this message because you have requested it from the Flyspray bugtracking system.  If you did not expect this message or don't want to receive mails in future, you can change your notification settings at the URL shown above.
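The interleaving the comment above suspects, as an added example that is not part of the report and not Kamailio's code: one worker checks the shared connection pointer at entry and re-reads it at the point of use, while a second worker tears the connection down in between. Kamailio's TCP workers are separate processes sharing memory; here two pthreads stand in for them and a barrier forces the bad ordering deterministically. The struct names, the mutex, the refcount field and the two send variants are all assumptions made for the illustration, not the project's API.

```c
/* Added example, not Kamailio code: models the suspected race between a
 * worker handling a CLOSE frame and a worker dropping the same connection.
 * pthreads and a barrier stand in for Kamailio's worker processes. */
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stddef.h>
#include <stdio.h>

typedef struct {
    int sub_protocol;
    int refcnt;             /* used only by the safe variant */
} ws_connection_t;

typedef struct {
    ws_connection_t *wsc;   /* shared pointer; the other worker may clear it */
} ws_frame_t;

static pthread_mutex_t wsc_lock = PTHREAD_MUTEX_INITIALIZER;
static pthread_barrier_t step;  /* forces the interleaving (assumption) */

/* Unsafe pattern: the NULL check at entry says nothing about the pointer
 * at the point of use, because it is re-read from shared memory. */
static int unsafe_send(ws_frame_t *frame)
{
    if (frame->wsc == NULL)
        return -1;                      /* check passes: wsc is set here */
    pthread_barrier_wait(&step);        /* the closing worker runs now */
    pthread_barrier_wait(&step);
    /* Re-read of the shared pointer. In the real crash this is the
     * frame->wsc->sub_protocol dereference; here we report instead. */
    if (frame->wsc == NULL)
        return -2;
    return frame->wsc->sub_protocol;
}

/* Safe pattern: take the pointer once under the lock and hold a reference
 * so the close path cannot release the object underneath us. */
static int safe_send(ws_frame_t *frame)
{
    ws_connection_t *wsc;
    pthread_mutex_lock(&wsc_lock);
    wsc = frame->wsc;
    if (wsc != NULL)
        wsc->refcnt++;
    pthread_mutex_unlock(&wsc_lock);
    if (wsc == NULL)
        return -1;
    pthread_barrier_wait(&step);        /* same interleaving as above */
    pthread_barrier_wait(&step);
    int proto = wsc->sub_protocol;      /* local copy, still valid */
    pthread_mutex_lock(&wsc_lock);
    wsc->refcnt--;                      /* a real close path frees only at 0 */
    pthread_mutex_unlock(&wsc_lock);
    return proto;
}

/* The second worker: clears the connection pointer between the barriers.
 * Nothing is freed in this model; the object itself stays valid. */
static void *close_worker(void *arg)
{
    ws_frame_t *frame = arg;
    pthread_barrier_wait(&step);
    pthread_mutex_lock(&wsc_lock);
    frame->wsc = NULL;
    pthread_mutex_unlock(&wsc_lock);
    pthread_barrier_wait(&step);
    return NULL;
}

/* Runs one send variant against the forced interleaving; returns its result
 * (-2: pointer went NULL after the entry check; >= 0: sub_protocol read). */
static int run_race(int (*variant)(ws_frame_t *))
{
    ws_connection_t conn = { .sub_protocol = 1, .refcnt = 0 };
    ws_frame_t frame = { .wsc = &conn };   /* constructed sample state */
    pthread_t t;
    pthread_barrier_init(&step, NULL, 2);
    pthread_create(&t, NULL, close_worker, &frame);
    int r = variant(&frame);
    pthread_join(t, NULL);
    pthread_barrier_destroy(&step);
    return r;
}

int main(void)
{
    printf("unsafe: %d (shared pointer NULL after the entry check)\n",
           run_race(unsafe_send));
    printf("safe:   %d (sub_protocol read through the held reference)\n",
           run_race(safe_send));
    return 0;
}
```

The point of the safe variant is not the lock by itself but that the pointer is read exactly once and the object is pinned for the duration of the send; a second NULL check just before the dereference would only narrow the window, not close it.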
