[sr-dev] [tracker] Task opened: Crash in websocket module

sip-router bugtracker at sip-router.org
Wed Mar 5 11:40:21 CET 2014


THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY.

A new Flyspray task has been opened.  Details are below. 

User who did this - Vitaliy Aleksandrov (Vitaliy) 

Attached to Project - sip-router
Summary - Crash in websocket module
Task Type - Bug Report
Category - Module
Status - Unconfirmed
Assigned To - 
Operating System - All
Severity - Medium
Priority - Normal
Reported Version - 4.1
Due in Version - Undecided
Due Date - Undecided
Details - Latest kamailio 4.1 has a problem very similar to the one described in FS#364.

In a very rare situation kamailio tries to double free the wsc structure.

core:
<code>
#0  0x00007f18704da425 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007f18704ddb8b in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2  0x0000000000557c02 in qm_free (qm=0x7f185e6ae000, p=0x7f185f04d700, file=0x7f1868a6a637 "websocket: ws_conn.c", func=0x7f1868a6aed9 "_wsconn_rm", line=140) at mem/q_malloc.c:470
#3  0x00007f1868a5b139 in _wsconn_rm (wsc=0x7f185f04d700) at ws_conn.c:140
#4  0x00007f1868a5c0e1 in wsconn_rm (wsc=0x7f185f04d700, run_event_route=WSCONN_EVENTROUTE_YES) at ws_conn.c:310
#5  0x00007f1868a5f264 in encode_and_send_ws_frame (frame=0x7ffffdf56160, conn_close=CONN_CLOSE_DONT) at ws_frame.c:303
#6  0x00007f1868a63336 in ws_frame_transmit (data=0x7ffffdf56230) at ws_frame.c:709
#7  0x000000000045933c in sr_event_exec (type=11, data=0x7ffffdf56230) at events.c:260
</code>

logs:
<code>
kamailio[21357]: INFO: <script>: [HTTP] WebSocket connection closed [X.X.X.X:63514]. [X.X.X.X] => [0]
kamailio[21360]: ERROR: websocket [ws_frame.c:294]: encode_and_send_ws_frame(): tcp_send_fail on wsc: 0x7f185f04d700
kamailio[21360]: ERROR: websocket [ws_frame.c:296]: encode_and_send_ws_frame(): sending WebSocket frame
kamailio[21360]: INFO: <script>: [HTTP] WebSocket connection closed [X.X.X.X:63514]. [X.X.X.X] => [-1]
kamailio[21360]: : <core> [mem/q_malloc.c:468]: qm_free(): BUG: qm_free: freeing already freed pointer (0x7f185f04d700), called from websocket: ws_conn.c: _wsconn_rm(140), first free websocket: ws_conn.c: _wsconn_rm(140) - aborting
</code>

As shown above, the event_route was called twice and the counter for the connection reached "-1".

This is a very rare situation and it only happens in the following scenario:
0. User A (connected via websocket) established a conversation with user B (tcp/tls).
TCP worker process 1 handles the websocket connection to A and TCP worker process 2 handles the connection to B.
1. User A sends BYE to B. Kamailio forwards the BYE to B.
2.1. User A closes the websocket connection before receiving the 200 OK to the BYE request.
2.2. User B replies with 200 OK to the BYE.
3. Kamailio calls ws_frame_transmit() for the "200 OK" and ws_frame_received() for the "WS CLOSE" in different TCP workers.
They both take the wsc pointer by calling wsconn_get() and at the end both processes try to call wsconn_rm() for
the same WSC connection, which leads to a double shm_free().

Right now I'm trying to add reference counts to wsc in the same way they work in the tcp_connection structure.
Maybe somebody has a better idea of how to fix this?

More information can be found at the following URL:
http://sip-router.org/tracker/index.php?do=details&task_id=406

You are receiving this message because you have requested it from the Flyspray bugtracking system.  If you did not expect this message or don't want to receive mails in future, you can change your notification settings at the URL shown above.
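The interleaving reported above, replayed as an added example that is not code from the kamailio websocket module: a one-slot connection table, a counting stand-in for shm_free() so the second free can be observed instead of aborting the process, and two removal paths side by side. The unguarded path frees on every call, which is what the qm_free "freeing already freed pointer" log shows; the counted path gives the table and each worker that looked the connection up its own reference, so the block is freed exactly once by whichever holder drops last. All names here (conn_add, conn_get, conn_put, conn_rm_unguarded, conn_rm_counted, replay_*) are this example's own, and the reference count is an atomic_int; in a multi-process build the unlink step would additionally have to run under the table lock, which this single-threaded replay does not model.

```c
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the module's ws_connection_t; field names are
 * this example's own, not the module's. */
typedef struct ws_conn {
    int id;
    atomic_int refcnt;  /* holders: the table slot plus every worker that did a get */
    int unlinked;       /* set once the connection has been taken out of the table */
} ws_conn_t;

/* One-slot "table" and a counting stand-in for shm_free(), so the scenario can
 * be replayed and checked without triggering a real double free. */
static ws_conn_t *table_slot;
static int shm_free_calls;

static void shm_free_stub(ws_conn_t *wsc)
{
    (void)wsc;
    shm_free_calls++;
}

static ws_conn_t *conn_add(int id)
{
    ws_conn_t *wsc = calloc(1, sizeof(*wsc));
    wsc->id = id;
    atomic_init(&wsc->refcnt, 1);  /* the table's own reference */
    table_slot = wsc;
    return wsc;
}

/* Lookup that hands out a counted reference: the piece the report says is missing. */
static ws_conn_t *conn_get(int id)
{
    if (table_slot == NULL || table_slot->id != id)
        return NULL;
    atomic_fetch_add(&table_slot->refcnt, 1);
    return table_slot;
}

/* Drop one reference; whoever drops the last one frees. */
static void conn_put(ws_conn_t *wsc)
{
    if (atomic_fetch_sub(&wsc->refcnt, 1) == 1)
        shm_free_stub(wsc);
}

/* Unguarded removal as the report describes it: every caller frees. */
static void conn_rm_unguarded(ws_conn_t *wsc)
{
    table_slot = NULL;
    shm_free_stub(wsc);
}

/* Counted removal: unlink once, drop the table's reference, let holders drop theirs.
 * Single-threaded here, so a plain flag stands in for an unlink under the table lock. */
static void conn_rm_counted(ws_conn_t *wsc)
{
    if (wsc->unlinked)
        return;
    wsc->unlinked = 1;
    table_slot = NULL;
    conn_put(wsc);
}

/* Worker 1 (200 OK to the BYE, tcp_send_fail) and worker 2 (WS CLOSE) both
 * hold the same wsc and both remove it. Returns how many times "shm_free" ran. */
int replay_unguarded(void)
{
    shm_free_calls = 0;
    ws_conn_t *wsc = conn_add(1);
    ws_conn_t *w1 = table_slot;   /* worker 1: bare pointer, no reference taken */
    ws_conn_t *w2 = table_slot;   /* worker 2: same pointer, looked up before worker 1 removed it */
    conn_rm_unguarded(w1);        /* tcp_send_fail -> rm */
    conn_rm_unguarded(w2);        /* CLOSE frame -> rm: second free of the same block */
    free(wsc);
    return shm_free_calls;        /* 2 */
}

int replay_counted(void)
{
    shm_free_calls = 0;
    ws_conn_t *wsc = conn_add(1);
    ws_conn_t *w1 = conn_get(1);  /* refcnt 2 */
    ws_conn_t *w2 = conn_get(1);  /* refcnt 3 */
    conn_rm_counted(w1);          /* unlinked, refcnt 2 */
    conn_put(w1);                 /* worker 1 done, refcnt 1 */
    conn_rm_counted(w2);          /* already unlinked: no-op */
    conn_put(w2);                 /* last holder: the single free */
    free(wsc);
    return shm_free_calls;        /* 1 */
}

int main(void)
{
    printf("unguarded: %d free(s), counted: %d free(s)\n",
           replay_unguarded(), replay_counted());
    return 0;
}
```

The order of the two removals does not matter for the counted path: whichever worker calls conn_rm_counted() first unlinks the entry and drops the table's reference, the other's call is a no-op, and the free happens on the last conn_put(), so the order in which the 200 OK and the CLOSE frame are handled no longer decides whether the block is freed twice.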



More information about the sr-dev mailing list