[sr-dev] [tracker] Task opened: SCA Crashes on sca_appearance_unregister ()

sip-router bugtracker at sip-router.org
Tue Nov 12 03:12:47 CET 2013


THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY.

A new Flyspray task has been opened.  Details are below. 

User who did this - Robert Boisvert (rdboisvert) 

Attached to Project - sip-router
Summary - SCA Crashes on sca_appearance_unregister ()
Task Type - Bug Report
Category - Module
Status - Unconfirmed
Assigned To - 
Operating System - Linux
Severity - Medium
Priority - Normal
Reported Version - 4.0
Due in Version - Undecided
Due Date - Undecided
Details - SCA module is crashing randomly on 4.0.4.  It has crashed several times with a backtrace that shows these stack calls:

 (gdb) backtrace
 #0 0x00000000 in ?? ()
 #1 0x4dceca11 in sca_hash_table_slot_kv_delete_unsafe () from /usr/lib/kamailio/modules/sca.so
 #2 0x4dcecaaa in sca_hash_table_slot_kv_delete () from /usr/lib/kamailio/modules/sca.so
 #3 0x4dcecb1e in sca_hash_table_index_kv_delete () from /usr/lib/kamailio/modules/sca.so
 #4 0x4dcecb99 in sca_hash_table_kv_delete () from /usr/lib/kamailio/modules/sca.so
 #5 0x4dcf30bc in sca_appearance_unregister () from /usr/lib/kamailio/modules/sca.so
 #6 0x4dd0d9b9 in sca_call_info_update () from /usr/lib/kamailio/modules/sca.so
 #7 0x126a6a9a in do_action ()
 #8 0x126af88e in run_actions ()
 #9 0x126a4731 in do_action ()
 #10 0x126af88e in run_actions ()
 #11 0x126b007f in run_top_route ()
 #12 0x1269dd7e in receive_msg ()
 #13 0x12734f01 in udp_rcv_loop ()
 #14 0x126d3f56 in main_loop ()
 #15 0x126d76de in main ()

The message that seemed to trigger the crash in this particular case was the following INVITE:

INVITE sip:35705@10.250.16.71;user=phone SIP/2.0
Record-Route: <sip:10.250.16.70;lr=on;ftag=D8B14B68-93D21A25;did=513b.a3741>
Via: SIP/2.0/UDP 10.250.16.70;branch=z9hG4bKc43b.14d180e6.0
Via: SIP/2.0/UDP 10.250.88.116;branch=z9hG4bK8d3ec33e632D8AB3
From: PIN-1 WKL USA <sip:15862@obscured>;tag=D8B14B68-93D21A25
To: <sip:0@obscured;user=phone>
CSeq: 1 INVITE
Call-ID:c69594c-ff17a5d9-d6ed4f6a@10.250.88.116
Contact: <sip:15862@10.250.88.116>
Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, INFO, MESSAGE, SUBSCRIBE, NOTIFY, PRACK, UPDATE, REFER 
User-Agent: PolycomSoundPointIP-SPIP_335-UA/4.0.3.7562 
Accept-Language: en 
Supported: 100rel,replaces 
Allow-Events: conference,talk,hold 
Max-Forwards: 32 
Content-Type: application/sdp 
Content-Length: 296 

v=0
o=- 1383792680 1383792680 IN IP4 10.250.88.116
s=Polycom IP Phone
c=IN IP4 10.250.88.116
t=0 0
a=sendrecv
m=audio 2230 RTP/AVP 9 18 0 8 101
a=rtpmap:9 G722/8000
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
 
I have a pcap trace that shows all the calls from 3 hours prior and this is the first time this device appeared.

I followed the code down to the sca_hash_table_slot_kv_delete_unsafe () routine and it appears to have crashed when it tried to use e->free_entry which seems to have been NULL at that point.  I'm not sure how it could be NULL since it should have been initialized in sca_hash_table_slot_kv_insert_unsafe ().  I'm guessing that either e->free_entry was never initialized or somehow it was overwritten.  Since several backtraces end in the same way the bug seems to be specific to some sequence of events I have not been able to identify.

More information can be found at the following URL:
http://sip-router.org/tracker/index.php?do=details&task_id=366

You are receiving this message because you have requested it from the Flyspray bugtracking system.  If you did not expect this message or don't want to receive mails in future, you can change your notification settings at the URL shown above.
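
Added example, not part of the original report and not the SCA module's code: a minimal hash slot whose entries carry a per-entry destructor, showing how a delete routine can reject a NULL callback instead of jumping to address 0 (the frame #0 seen in the backtrace). The names entry_t, slot_t, slot_insert, slot_delete and the KV_* codes are hypothetical, and malloc/free stand in for the module's allocator.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical types: each entry carries its own destructor callback. */
typedef struct entry {
    const char *key;
    void *value;
    void (*free_entry)(void *);
    struct entry *next;
} entry_t;
typedef struct { entry_t *head; } slot_t;
enum { KV_OK = 0, KV_NOT_FOUND = -1, KV_BAD_ENTRY = -2 };

int slot_insert(slot_t *s, const char *key, void *value, void (*fn)(void *))
{
    entry_t *e;
    if (fn == NULL || (e = calloc(1, sizeof(*e))) == NULL)
        return KV_BAD_ENTRY;          /* never store an entry without a destructor */
    e->key = key; e->value = value; e->free_entry = fn;
    e->next = s->head;
    s->head = e;
    return KV_OK;
}

int slot_delete(slot_t *s, const char *key)
{
    entry_t **pp, *e;
    for (pp = &s->head; (e = *pp) != NULL; pp = &e->next) {
        if (strcmp(e->key, key) != 0)
            continue;
        *pp = e->next;                /* unlink before releasing the entry */
        if (e->free_entry == NULL) {  /* calling it would jump to 0x0 */
            fprintf(stderr, "slot_delete: entry '%s' has NULL free_entry\n", key);
            free(e);                  /* value is deliberately leaked, not guessed at */
            return KV_BAD_ENTRY;
        }
        e->free_entry(e->value);
        free(e);
        return KV_OK;
    }
    return KV_NOT_FOUND;
}

int main(void)
{
    slot_t s = { NULL };
    slot_insert(&s, "sip:a", malloc(8), free);
    s.head->free_entry = NULL;        /* constructed: simulate the overwritten pointer */
    return slot_delete(&s, "sip:a") == KV_BAD_ENTRY ? 0 : 1;
}
```

A distinct return code for the bad-entry case lets the caller log the key and the request being processed, which is the information needed to find the sequence of events that leaves the pointer unset.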