[sr-dev] Crash bug freeing To headers

Alex Balashov abalashov at evaristesys.com
Thu Sep 5 12:33:16 CEST 2013


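To note (from 'bt full'): in frame #0, r and foo both hold 0x3731396430392d64, which is not a plausible heap address. Read as little-endian bytes it is the ASCII text "d-90d917", which suggests these pointers were loaded from memory that had been overwritten with string data: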

#0  0x0000000000435908 in free_lump_list (l=0x7f4f81626730) at 
data_lump.c:510
         t = 0x0
         r = 0x3731396430392d64
         foo = 0x3731396430392d64
         crt = 0x7f4f81626730

And nothing seems to be out of bounds or unaddressable here:

(gdb) bt full
#0  0x0000000000435908 in free_lump_list (l=0x7f4f81626730) at 
data_lump.c:510
         t = 0x0
         r = 0x3731396430392d64
         foo = 0x3731396430392d64
         crt = 0x7f4f81626730
#1  0x0000000000542d6a in free_sip_msg (msg=0x7f4f8180e970)
     at parser/msg_parser.c:731
No locals.
#2  0x000000000049e39d in receive_msg (
     buf=0x9065c0 "SIP/2.0 404 Not Found\r\nVia: SIP/2.0/UDP 
55.177.31.199;branch=z9hG4bK022f.7350a5c7.0\r\nVia: SIP/2.0/UDP 
68.68.120.41:5060;branch=z9hG4bK0cBc7d5138cbe6ccf3f\r\nRecord-Route: 
<sip:55.177.31.199;lr=on;ftag=g"..., len=717,
     rcv_info=0x7fff96469750) at receive.c:296
         msg = 0x7f4f8180e970
         ctx = {rec_lev = 8750200, run_flags = 0, last_retcode = 0, 
jmp_env = {{
               __jmpbuf = {0, 0, 0, 265124110288, 1, 0, 167503724545, 
9463168},
               __mask_was_saved = -1773758632, __saved_mask = {__val = {1,
                   12884901901, 139979451761824, 4277328, 140735714597504,
                   140735714596560, 5426752, 140735714596544, 5423489, 
50195,
                   169583417968, 9463168, 140735714596688, 80, 5423617,
                   4277328}}}}}
         ret = 32591
         inb = {
           s = 0x9065c0 "SIP/2.0 404 Not Found\r\nVia: SIP/2.0/UDP 
55.177.31.199;branch=z9hG4bK022f.7350a5c7.0\r\nVia: SIP/2.0/UDP 
68.68.120.41:5060;branch=z9hG4bK0cBc7d5138cbe6ccf3f\r\nRecord-Route: 
<sip:55.177.31.199;lr=on;ftag=g"...,
           len = 717}
         __FUNCTION__ = "receive_msg"
#3  0x000000000052ffa1 in udp_rcv_loop () at udp_server.c:557
         len = 717
         buf = "SIP/2.0 404 Not Found\r\nVia: SIP/2.0/UDP 
55.177.31.199;branch=z9hG4bK022f.7350a5c7.0\r\nVia: SIP/2.0/UDP 
68.68.120.41:5060;branch=z9hG4bK0cBc7d5138cbe6ccf3f\r\nRecord-Route: 
<sip:55.177.31.199;lr=on;ftag=g"...
         tmp = 0x906580 "96.237.173.61"
         from = 0x7f4f817e8510
         fromlen = 16
         ri = {src_ip = {af = 2, len = 4, u = {addrl = {2045424312,
                 139979451761824}, addr32 = {2045424312, 0, 2172617888, 
32591},
               addr16 = {45752, 31210, 0, 0, 33952, 33151, 32591, 0},
               addr = 
"\270\262\352y\000\000\000\000\240\204\177\201O\177\000"}}, dst_ip = {af 
= 2, len = 4, u = {addrl = {3257728577, 0}, addr32 = {
                 3257728577, 0, 0, 0}, addr16 = {65089, 49708, 0, 0, 0, 
0, 0,
                 0}, addr = "A\376,\302", '\000' <repeats 11 times>}},
           src_port = 5060, dst_port = 5060, proto_reserved1 = 0,
           proto_reserved2 = 0, src_su = {s = {sa_family = 2,
               sa_data = "\023ĸ\262\352y\000\000\000\000\000\000\000"}, 
sin = {
               sin_family = 2, sin_port = 50195, sin_addr = {
                 s_addr = 2045424312},
               sin_zero = "\000\000\000\000\000\000\000"}, sin6 = {
               sin6_family = 2, sin6_port = 50195, sin6_flowinfo = 
2045424312,
               sin6_addr = {__in6_u = {__u6_addr8 = '\000' <repeats 15 
times>,
                   __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = 
{0, 0,
                     0, 0}}}, sin6_scope_id = 0}},
           bind_address = 0x7f4f817f8370, proto = 1 '\001'}
         __FUNCTION__ = "udp_rcv_loop"
#4  0x0000000000467de2 in main_loop () at main.c:1638
         i = 4
         pid = 0
         si = 0x7f4f817f8370
         si_desc = "udp receiver child=4 
sock=55.177.31.199:5060\000\177\000\000(\335~\201O\177\000\000\270\334\302*\000\000\000\000\220\230F\226\377\177\000\000\270\334\302*\000\000\000\000PDA\000\000\000\000\000\200\232F\226\377\177", 
'\000' <repeats 18 times>"\300, 
\230F\226\377\177\000\000\337\"K\000\000\000\000"
         nrprocs = 8
         __FUNCTION__ = "main_loop"
#5  0x000000000046ad8b in main (argc=13, argv=0x7fff96469a88) at main.c:2566
         cfg_stream = 0x1b10010
         c = -1
         r = 0
         tmp = 0x7fff9646b414 ""
         tmp_len = 0
         port = 0
         proto = 0
         options = 0x5c86f8 
":f:cm:M:dVIhEeb:l:L:n:vKrRDTN:W:w:t:u:g:P:G:SQ:O:a:A:"
         ret = -1
         seed = 4063171243
         rfd = 4
         debug_save = 0
         debug_flag = 0
         dont_fork_cnt = 0
         n_lst = 0x3dbae0fb88
         p = 0x5b3450 "H\211l$\330L\211d$\340H\215-\237K*"
         __FUNCTION__ = "main"

-- Alex

-- 
Alex Balashov - Principal
Evariste Systems LLC
235 E Ponce de Leon Ave
Suite 106
Decatur, GA 30030
United States
Tel: +1-678-954-0670
Web: http://www.evaristesys.com/, http://www.alexbalashov.com/


