[sr-dev] [tracker] Task opened: Crash in core when freeing shm dup'ed request (Attachment added)

sip-router bugtracker at sip-router.org
Mon Jul 28 15:44:35 CEST 2014


THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY.

A new Flyspray task has been opened.  Details are below. 

User who did this - Hugh Waite (hugh.waite) 

Attached to Project - sip-router
Summary - Crash in core when freeing shm dup'ed request
Task Type - Bug Report
Category - Core
Status - New
Assigned To - 
Operating System - All
Severity - High
Priority - Normal
Reported Version - Development
Due in Version - Undecided
Due Date - Undecided
Details - I have found a crash in core/tm which is easily reproducible. 
An OPTIONS passes through kamailio to another kamailio server which responds with a 403. The response enters a failure route and crashes (due to an abort) when attempting to free the memory in the faked_req structure.

Attached is the backtrace and the relevant section of the DEBUG level output.

It appears from the DEBUG output that a pkg-memory address is stored in the shm_cloned structure, which is invalid when attempting to free from a different process. The allocated address in this core is 0x7fd12559ee28, called from parse_from_header.

This only occurs when the Via branch is 'pre-RFC3261'. In this case the perpetrator is using "branch=foo".

I think the allocation occurs in char_msg_val.h:83 where the from body is parsed to extract the tag (only for pre-3261 requests).
h_table.c:309   build_cell
h_table.c:390   init_synonym_id
h_table.c:274   char_msg_val

The tm module is pretty stable (last relevant change was removing the syn_branch parameter in May 2013) so I would rather have some guidance before making changes.



One or more files have been attached.

More information can be found at the following URL:
http://sip-router.org/tracker/index.php?do=details&task_id=454

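The failure mode described in the report, a per-process (pkg) pointer surviving inside a structure that is cloned into shared (shm) memory and later freed by a different process, can be illustrated with a small stand-alone program. The following is an added example, not Kamailio/sip-router code: it uses two toy bump arenas standing in for the pkg and shm allocators, a toy From-tag parser, and hypothetical names (`parse_request_pkg`, `clone_shallow`, `clone_deep`, `clone_is_self_contained`, `shm_free_checked`). It shows why a shallow clone is unsafe and how an arena-range check catches the foreign pointer before any free is attempted.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Two toy arenas standing in for a per-process (pkg) and a shared (shm)
 * allocator. Assumption: simple bump allocators, no real free. */
typedef struct {
    unsigned char *base;
    size_t size;
    size_t used;
} arena_t;

static unsigned char pkg_buf[4096];
static unsigned char shm_buf[4096];
static arena_t pkg = { pkg_buf, sizeof pkg_buf, 0 };
static arena_t shm = { shm_buf, sizeof shm_buf, 0 };

static void *arena_alloc(arena_t *a, size_t n) {
    n = (n + 7) & ~(size_t)7;              /* keep 8-byte alignment */
    if (a->used + n > a->size) return NULL;
    void *p = a->base + a->used;
    a->used += n;
    return p;
}

/* Returns 1 if p lies inside the allocated part of arena a, else 0. */
int ptr_in_arena(const arena_t *a, const void *p) {
    const unsigned char *c = p;
    return c >= a->base && c < a->base + a->used;
}

/* A "str"-like view of a header field value, e.g. a From tag. */
typedef struct { char *s; size_t len; } str_t;

/* A request whose From tag has been parsed out into a separate buffer. */
typedef struct { str_t from_tag; } req_t;

/* Toy parser: copies everything after ";tag=" (up to the next ';')
 * into pkg memory, as a per-process header parser would. */
req_t *parse_request_pkg(const char *from_hdr) {
    const char *t = strstr(from_hdr, ";tag=");
    if (!t) return NULL;
    t += 5;
    size_t n = strcspn(t, ";");
    req_t *r = arena_alloc(&pkg, sizeof *r);
    char *buf = arena_alloc(&pkg, n + 1);
    if (!r || !buf) return NULL;
    memcpy(buf, t, n);
    buf[n] = '\0';
    r->from_tag.s = buf;
    r->from_tag.len = n;
    return r;
}

/* Shallow clone: the struct moves to shm, but from_tag.s still points
 * into this process's pkg arena (the bug pattern from the report). */
req_t *clone_shallow(const req_t *src) {
    req_t *dst = arena_alloc(&shm, sizeof *dst);
    if (!dst) return NULL;
    *dst = *src;
    return dst;
}

/* Deep clone: the tag bytes are copied into shm as well, so the clone
 * owns everything it points to. */
req_t *clone_deep(const req_t *src) {
    req_t *dst = arena_alloc(&shm, sizeof *dst);
    char *buf = arena_alloc(&shm, src->from_tag.len + 1);
    if (!dst || !buf) return NULL;
    memcpy(buf, src->from_tag.s, src->from_tag.len);
    buf[src->from_tag.len] = '\0';
    dst->from_tag.s = buf;
    dst->from_tag.len = src->from_tag.len;
    return dst;
}

/* Audit: a cloned request is safe to hand to another process only if
 * the struct and every pointer it owns live in shm. */
int clone_is_self_contained(const req_t *r) {
    return ptr_in_arena(&shm, r) && ptr_in_arena(&shm, r->from_tag.s);
}

/* Guarded free: refuse (return -1) for a pointer not owned by shm instead
 * of handing it to the allocator, which would abort or corrupt memory. */
int shm_free_checked(void *p) {
    return ptr_in_arena(&shm, p) ? 0 : -1;
}

int main(void) {
    /* Constructed sample From header with a pre-RFC3261-style tag. */
    req_t *r = parse_request_pkg("<sip:alice@example.com>;tag=abc123");
    req_t *sh = clone_shallow(r);
    req_t *dp = clone_deep(r);
    printf("shallow self-contained: %d\n", clone_is_self_contained(sh));
    printf("deep self-contained:    %d\n", clone_is_self_contained(dp));
    printf("free shallow tag: %d, free deep tag: %d\n",
           shm_free_checked(sh->from_tag.s), shm_free_checked(dp->from_tag.s));
    return 0;
}
```

The range check is the kind of assertion a debug build can run on every clone before it is published to other processes; in the real allocator the failing case shows up only later, as the abort in the freeing process that the backtrace records.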


