[sr-dev] Crash bug freeing To headers

Daniel-Constantin Mierla miconda at gmail.com
Mon Sep 16 10:26:32 CEST 2013


On 9/16/13 10:06 AM, Alex Balashov wrote:
> On 09/16/2013 04:05 AM, Daniel-Constantin Mierla wrote:
>> [...]
>>
>> If you can't correlate with old logs and plan to reproduce it, then let me
>> know. I may give some extra instructions to get even more information.
>
> I think reproducing it is easier at this point.  Please let me know 
> what other info you'd like, beyond what you requested in the private 
> e-mail.
>
The issue seems to be a write of data before the allocated pointer or 
more than allocated. From the logs, the chunk before is used for 
$var(...) and the sources don't reveal any bug; furthermore, the chunk 
with the issue has its beginning OK, thus it is very likely to be a write 
before the pointer. The chunk with issues is from the To header parser, 
also with low chances for issues, because it just contains pointers, so a 
write will be at the addresses pointed to from here. The next chunk is from 
db_postgres and there might be an issue writing at an invalid row index, 
but I couldn't spot where that can happen.

Anyhow, my plan was to replace the memcpy, strcpy and strncpy functions to 
write in the logs the pointers they work with, in order to see what code is 
overwriting the chunk head. (I hope it is not a memmove or some internal 
copy function.)

The procedure is not that complex. Attached is a file crepl.c; copy it 
to the same system and compile it with:

gcc -shared -fPIC -o libcrepl.so crepl.c -ldl

You have to start kamailio from the command line, also with log_stderror=yes 
and stderr redirected to a file:

LD_PRELOAD=/path/to/libcrepl.so /path/to/kamailio -f 
/path/to/kamailio.cfg -E -ddd 2>/tmp/kamailio.log

(-f, -E, -ddd are optional, as they can be the default value or what is in 
the config file). I haven't made the functions write to syslog, thus you 
have to configure kamailio to write to stderr and save the output in a 
file. Or you can change the crepl.c file to write to syslog.

You should see in the logs a lot of messages with mem copy operations, 
prefixed with '======...'.

Send me all the logs, the full backtrace as well as the other details I 
asked for.

Cheers,
Daniel

-- 
Daniel-Constantin Mierla - http://www.asipto.com
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
Kamailio Advanced Trainings - Berlin, Oct 21-24; Miami, Nov 11-13, 2013
   - more details about Kamailio trainings at http://www.asipto.com -

-------------- attachment: crepl.c --------------
/* crepl.c: LD_PRELOAD interposers for the libc copy routines. Each wrapper
 * resolves the real function once via dlsym(RTLD_NEXT, ...), performs the
 * copy, then logs destination, source and length to stderr so the write that
 * clobbers a chunk head can be matched against the chunk addresses printed
 * by the memory manager. Build: gcc -shared -fPIC -o libcrepl.so crepl.c -ldl */
#define _GNU_SOURCE
#include <stdio.h>
#include <stddef.h>	/* size_t */
#include <stdint.h>
#include <string.h>	/* prototypes of the functions being replaced */
#include <dlfcn.h>

char *strcpy(char *s1, const char *s2)
{
	static char *(*real_strcpy)(char *, const char *) = NULL;
	if(!real_strcpy)
		real_strcpy = dlsym(RTLD_NEXT, "strcpy");
	char *p = real_strcpy(s1, s2);
	/* no length is known for strcpy: only the start of the write is logged */
	fprintf(stderr, "============== strcpy(%p, %p) = %p\n", s1, s2, p);
	return p;
}

char *strncpy(char *s1, const char *s2, size_t n)
{
	static char *(*real_strncpy)(char *, const char *, size_t) = NULL;
	if(!real_strncpy)
		real_strncpy = dlsym(RTLD_NEXT, "strncpy");
	char *p = real_strncpy(s1, s2, n);
	fprintf(stderr, "============== strncpy(%p, %p, %zu) = %p\n", s1, s2, n, p);
	return p;
}

void *memcpy(void *s1, const void *s2, size_t n)
{
	static void *(*real_memcpy)(void *, const void *, size_t) = NULL;
	if(!real_memcpy)
		real_memcpy = dlsym(RTLD_NEXT, "memcpy");
	void *p = real_memcpy(s1, s2, n);
	fprintf(stderr, "============== memcpy(%p, %p, %zu) = %p\n", s1, s2, n, p);
	return p;
}

#if 0
/* Disabled by default: kamailio keeps its own memory manager, and logging
 * from inside malloc can re-enter malloc through stdio, hence the guard. */
void *malloc(size_t size)
{
	static void *(*real_malloc)(size_t) = NULL;
	static int in_hook = 0;
	if(!real_malloc)
		real_malloc = dlsym(RTLD_NEXT, "malloc");

	void *p = real_malloc(size);
	if(!in_hook) {
		in_hook = 1;
		fprintf(stderr, "============== malloc(%zu) = %p\n", size, p);
		in_hook = 0;
	}
	return p;
}
#endif
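The next step once such a log exists is to pick out, from thousands of copy lines, the few whose destination range touches the head of the suspect chunk. The following program is an added example written for this page, not code from Daniel or from the Kamailio project: it parses the "============== fn(dst, src, n) = ret" lines emitted by the wrappers above and reports every copy that writes into a watched address window. The window, the sample log lines and the 32-byte "header" size are all constructed for illustration; in a real run the window comes from the chunk addresses in the memory manager's debug output, and the header size from the memory manager actually in use.

```c
/* copyscan.c: filter crepl-style copy log lines against a watched address
 * window. Added example, not part of the original mail or of Kamailio.
 * Build: gcc -std=c99 -Wall -o copyscan copyscan.c */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

struct copy_op {
	const char *fn;	/* "memcpy", "strncpy" or "strcpy" */
	uintptr_t dst;
	uintptr_t src;
	size_t n;	/* bytes written; 0 = unknown (strcpy logs no length) */
};

/* Parse one line written by the preloaded wrappers. Returns 1 and fills *op
 * on success, 0 for anything else (other log output, "(nil)" pointers). */
int parse_copy_line(const char *line, struct copy_op *op)
{
	static const char marker[] = "============== ";
	const char *p = strstr(line, marker);
	unsigned long long d, s, n;

	if(!p)
		return 0;
	p += sizeof(marker) - 1;

	/* %llx accepts the 0x prefix that %p prints on glibc */
	if(sscanf(p, "memcpy(%llx, %llx, %llu)", &d, &s, &n) == 3) {
		op->fn = "memcpy";
	} else if(sscanf(p, "strncpy(%llx, %llx, %llu)", &d, &s, &n) == 3) {
		op->fn = "strncpy";
	} else if(sscanf(p, "strcpy(%llx, %llx)", &d, &s) == 2) {
		op->fn = "strcpy";
		n = 0;	/* length not logged; only the start address is known */
	} else {
		return 0;
	}
	op->dst = (uintptr_t)d;
	op->src = (uintptr_t)s;
	op->n = (size_t)n;
	return 1;
}

/* Does the copy write any byte inside [lo, hi)? A write that starts below lo
 * but runs past it is exactly the "write before the pointer" case discussed
 * in the mail: the previous chunk's data overflowing into the next header. */
int copy_hits_range(const struct copy_op *op, uintptr_t lo, uintptr_t hi)
{
	if(op->n == 0)	/* strcpy: length unknown, test the start only */
		return op->dst >= lo && op->dst < hi;
	return op->dst < hi && op->dst + op->n > lo;
}

/* Scan lines, store up to max_hits matching ops, return the total hit count. */
size_t scan_log(const char *const *lines, size_t count, uintptr_t lo,
		uintptr_t hi, struct copy_op *hits, size_t max_hits)
{
	size_t found = 0, i;
	for(i = 0; i < count; i++) {
		struct copy_op op;
		if(!parse_copy_line(lines[i], &op) || !copy_hits_range(&op, lo, hi))
			continue;
		if(found < max_hits)
			hits[found] = op;
		found++;
	}
	return found;
}

/* Constructed sample (all addresses made up): watch the assumed 32-byte
 * header just before a chunk whose user pointer is 0x7f3a1c0021e0. */
static const uintptr_t WATCH_LO = (uintptr_t)0x7f3a1c0021c0ULL;
static const uintptr_t WATCH_HI = (uintptr_t)0x7f3a1c0021e0ULL;
static const char *const SAMPLE_LOG[] = {
	"============== memcpy(0x7f3a1c002180, 0x7f3a1c010040, 16) = 0x7f3a1c002180",
	"============== memcpy(0x7f3a1c002180, 0x7f3a1c010040, 72) = 0x7f3a1c002180",
	"============== strncpy(0x7f3a1c0021e0, 0x7f3a1c010100, 24) = 0x7f3a1c0021e0",
	"============== strcpy(0x7f3a1c0021d8, 0x7f3a1c010200) = 0x7f3a1c0021d8",
	"INFO: <core> [main.c:...] unrelated kamailio log line",
	"============== memcpy((nil), 0x7f3a1c010040, 8) = (nil)",
};
#define SAMPLE_LINES (sizeof(SAMPLE_LOG) / sizeof(SAMPLE_LOG[0]))

int main(void)
{
	struct copy_op hits[16];
	size_t n = scan_log(SAMPLE_LOG, SAMPLE_LINES, WATCH_LO, WATCH_HI, hits, 16);
	for(size_t i = 0; i < n && i < 16; i++)
		printf("suspect %s(dst=%#llx, n=%zu) touches [%#llx, %#llx)\n",
				hits[i].fn, (unsigned long long)hits[i].dst, hits[i].n,
				(unsigned long long)WATCH_LO, (unsigned long long)WATCH_HI);
	return 0;
}
```

On the constructed input only two lines are reported: the 72-byte memcpy that starts in the previous chunk and runs 8 bytes past the start of the watched header, and the strcpy whose destination lies inside it. The 24-byte strncpy at the user pointer itself is an in-bounds write and is not flagged. For a real investigation, feed the file captured from 2>/tmp/kamailio.log through fgets() into parse_copy_line() and take the window from the chunk addresses the memory manager prints.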

