[sr-dev] Kamailio crash on CANCEL/487

Daniel-Constantin Mierla miconda at gmail.com
Wed Aug 26 20:31:10 CEST 2015


Hello,

I did analyze it a bit, but it is a rather strange situation, like
trying to allocate an already allocated chunk, which cannot really
happen due to a race in this case, as this is work with private memory (pkg).

Another option would be a memory overwrite, like a memcpy writing 0 over
the header of the chunk, but the fields that are 0 are in the middle of
the header structure, the other fields around (before and after) are not
0 and seem to have valid values.

So I couldn't get to a proper conclusion at that time. I will go through
it again during the next days. One option was to catch this situation
and not crash, but throw an error.

Of course, extreme reasons would be corrupted (physical) memory or core
file, but all seems ok at least for the last option here.

Cheers,
Daniel

On 26/08/15 19:28, Alex Balashov wrote:
> Hi Daniel,
>
> Have you had a chance to look into this? If not, no worries at all, I
> am just afraid maybe I missed a follow-up or a patch.
>
> On 08/22/2015 11:49 AM, Alex Balashov wrote:
>
>> Daniel,
>>
>> On 08/22/2015 03:55 AM, Daniel-Constantin Mierla wrote:
>>
>>> can you give the content for qm and frag in frame 0:
>>>
>>> p *qm
>>> p *frag
>>
>> Of course, and thank you for looking into it!
>>
>> 1) *qm
>>
>> (gdb) print *qm
>> $3 = {type = 1, size = 8388608, used = 2332928, real_used = 2817136,
>> max_real_used = 2833136, ffrags = 262, first_frag = 0x7ff1ac559488,
>> last_frag = 0x7ff1acd50fd8, free_bitmap = {282033345460158,
>> 18014398510072385, 586595500732448793, 0 <repeats 29 times>,
>> 1125899906843136}, free_hash = {{first = 0x0, no =
>> 18446744073709551615}, {first = 0x7ff1ac5b64c0, no = 116}, {first =
>> 0x7ff1ac7fe468, no = 21}, {first = 0x7ff1ac7fe8f0, no = 6}, {first =
>> 0x7ff1ac7feca0, no = 2}, {first = 0x7ff1ac77a2a0, no = 3}, {first = 0x0,
>> no = 0}, {first = 0x7ff1ac7fe4f8, no = 52}, {first = 0x7ff1ac77a420, no
>> = 13}, {first = 0x7ff1ac7d50c8, no = 3}, {first = 0x7ff1ac803658, no =
>> 3}, {first = 0x0, no = 0}, {first = 0x7ff1ac800aa8, no = 1}, {first =
>> 0x7ff1ac7ff360, no = 6}, {first = 0x7ff1ac8039a8, no = 3}, {first =
>> 0x7ff1ac8012c8, no = 1}, {first = 0x0, no = 0}, {first = 0x7ff1ac8021e8,
>> no = 1}, {first = 0x7ff1ac803518, no = 1}, {first = 0x7ff1ac8002d8, no =
>> 1}, {first = 0x7ff1ac7ff030, no = 3}, {first = 0x0, no = 0}, {first =
>> 0x7ff1ac7ffb90, no = 1}, {first = 0x0, no = 0}, {first = 0x7ff1ac803170,
>> no = 2}, {first = 0x0, no = 0}, {first = 0x0, no = 0}, {first = 0x0, no
>> = 0}, {first = 0x0, no = 0}, {first = 0x0, no = 0}, {first = 0x0, no =
>> 0}, {first = 0x0, no = 0}, {first = 0x0, no = 0}, {first =
>> 0x7ff1ac803268, no = 1}, {first = 0x0, no = 0}, {first = 0x0, no = 0},
>> {first = 0x0, no = 0}, {first = 0x0, no = 0}, {first = 0x0, no = 0},
>> {first = 0x7ff1ac7ffde8, no = 1}, {first = 0x0, no = 0}, {first = 0x0,
>> no = 0}, {first = 0x0, no = 0}, {first = 0x0, no = 0}, {first = 0x0, no
>> = 0}, {first = 0x0, no = 0}, {first = 0x0, no = 0}, {first = 0x0, no =
>> 0}, {first = 0x7ff1ac800f98, no = 1}, {first = 0x0, no = 0} <repeats 15
>> times>, {first = 0x7ff1ac802718, no = 5}, {first = 0x0, no = 0}, {first
>> = 0x0, no = 0}, {first = 0x0, no = 0}, {first = 0x0, no = 0}, {first =
>> 0x0, no = 0}, {first = 0x7ff1ac803a50, no = 1}, {first = 0x0, no = 0},
>> {first = 0x0, no = 0}, {first = 0x7ff1ac804348, no = 1}, {first = 0x0,
>> no = 0}, {first = 0x0, no = 0}, {first = 0x0, no = 0}, {first = 0x0, no
>> = 0}, {first = 0x0, no = 0}, {first = 0x0, no = 0}, {first =
>> 0x7ff1ac804800, no = 1}, {first = 0x0, no = 0}, {first = 0x0, no = 0},
>> {first = 0x7ff1ac804cf0, no = 1}, {first = 0x0, no = 0} <repeats 34
>> times>, {first = 0x7ff1ac802950, no = 1}, {first = 0x0, no = 0}, {first
>> = 0x0, no = 0}, {first = 0x0, no = 0}, {first = 0x0, no = 0}, {first =
>> 0x0, no = 0}, {first = 0x0, no = 0}, {first = 0x0, no = 0}, {first =
>> 0x0, no = 0}, {first = 0x0, no = 0}, {first = 0x7ff1ac801378, no = 2},
>> {first = 0x0, no = 0}, {first = 0x0, no = 0}, {first = 0x7ff1ac8017b0,
>> no = 1}, {first = 0x7ff1ac803cb8, no = 1}, {first = 0x0, no = 0}
>> <repeats 34 times>, {first = 0x7ff1ac805510, no = 1}, {first =
>> 0x7ff1ac805a80, no = 1}, {first = 0x0, no = 0}, {first = 0x0, no = 0},
>> {first = 0x0, no = 0}, {first = 0x0, no = 0}, {first = 0x0, no = 0},
>> {first = 0x0, no = 0}, {first = 0x0, no = 0}, {first = 0x0, no = 0},
>> {first = 0x0, no = 0}, {first = 0x7ff1ac805ff8, no = 1}, {first = 0x0,
>> no = 0}, {first = 0x0, no = 0}, {first = 0x7ff1ac8065c0, no = 1}, {first
>> = 0x0, no = 0}, {first = 0x0, no = 0}, {first = 0x0, no = 0}, {first =
>> 0x0, no = 0}, {first = 0x0, no = 0}, {first = 0x7ff1ac806ba0, no = 1},
>> {first = 0x0, no = 0} <repeats 1869 times>, {first = 0x7ff1ac8071b0, no
>> = 1}, {first = 0x0, no = 0} <repeats 40 times>, {first = 0x7ff1ac803388,
>> no = 1}}}
>>
>> 2) *frag
>>
>> (gdb) print *frag
>> $4 = {size = 232, u = {nxt_free = 0x0, reserved = 0}, prv_free = 0x0,
>> file = 0x75d29c "<core>: parser/msg_parser.c", func = 0x760150
>> "get_hdr_field", line = 116, check = 4042322160}
>>
>> -- Alex
>>
>
>

-- 
Daniel-Constantin Mierla
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
Book: SIP Routing With Kamailio - http://www.asipto.com
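As an added example (not from this thread and not Kamailio's own code), a small parser for the `print *qm` output quoted above: it sums the per-bucket `no` counters of `free_hash` and compares them with `ffrags`, folding values at the top of the unsigned 64-bit range back to negatives, since gdb prints `no` as unsigned long (bucket 0 above shows 18446744073709551615, which is -1 in two's complement). The dump embedded in the block is constructed in gdb's layout for illustration, not the dump from the thread.

```python
import re

# Constructed sample in the layout gdb uses for 'print *qm' above; every value
# is made up except bucket 0's counter, which mirrors the 2**64-1 in the thread.
SAMPLE = """$3 = {type = 1, size = 8388608, used = 2332928, real_used = 2817136,
max_real_used = 2833136, ffrags = 7, first_frag = 0x7ff1ac559488,
last_frag = 0x7ff1acd50fd8, free_hash = {{first = 0x0, no =
18446744073709551615}, {first = 0x7ff1ac5b64c0, no = 5}, {first =
0x0, no = 0} <repeats 3 times>, {first = 0x7ff1ac7fe468, no = 3}}}"""

# one free_hash bucket, optionally followed by gdb's repeat marker
BUCKET_RE = re.compile(
    r"\{first\s*=\s*(0x[0-9a-f]+),\s*no\s*=\s*(\d+)\}"
    r"(?:\s*<repeats\s+(\d+)\s+times>)?")

def to_signed64(value):
    """gdb prints 'no' as unsigned long; fold values >= 2**63 to negatives."""
    return value - (1 << 64) if value >= (1 << 63) else value

def parse_qm(text):
    """Return (ffrags, [(index, first, no), ...]) from a 'print *qm' dump."""
    flat = " ".join(text.split())  # undo gdb's line wrapping
    ffrags = int(re.search(r"ffrags\s*=\s*(\d+)", flat).group(1))
    hash_part = flat[flat.index("free_hash = {") + len("free_hash = {"):]
    buckets = []
    for m in BUCKET_RE.finditer(hash_part):
        first, no = m.group(1), to_signed64(int(m.group(2)))
        for _ in range(int(m.group(3) or 1)):  # expand "<repeats N times>"
            buckets.append((len(buckets), first, no))
    return ffrags, buckets

def check_free_hash(text):
    """Flag inconsistent buckets and compare the counter sum with ffrags.

    A wrapped counter (negative after folding) and a list head that disagrees
    with its count both mean the free-list bookkeeping contradicts itself,
    even when the overall sum still happens to equal ffrags."""
    ffrags, buckets = parse_qm(text)
    problems = []
    for idx, first, no in buckets:
        if no < 0:
            problems.append("bucket %d: counter wrapped below zero (%d)" % (idx, no))
        elif (first == "0x0") != (no == 0):
            problems.append("bucket %d: first=%s but no=%d" % (idx, first, no))
    total = sum(no for _, _, no in buckets)
    return {"ffrags": ffrags, "sum_no": total,
            "match": total == ffrags, "problems": problems}

if __name__ == "__main__":
    print(check_free_hash(SAMPLE))
```

Paste the real `print *qm` text in place of the constructed sample to run the same check on a core dump; a sum that matches `ffrags` while a bucket reports a wrapped counter still points at broken bookkeeping.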

