[sr-dev] [kamailio] Bad usage of presence, xcap server and pidf-manipulation makes Kamailio crash (#441)

foucse notifications@github.com
Mon Dec 14 11:40:47 CET 2015


Hi everyone,

```
version: kamailio 4.4.0-dev7 (i386/linux) c73b9c-dirty
flags: STATS: Off, EXTRA_DEBUG, USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MEM, SHM_MMAP, PKG_MALLOC, Q_MALLOC, F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLACKLIST, HAVE_RESOLV_RES
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select
id: c73b9c -dirty
compiled on 10:17:41 Dec 14 2015 with gcc 4.9.3
```

A call of "pres_refresh_watchers" on a malformed (empty) PIDF document makes Kamailio crash. Steps to reproduce:

1. Send a PUT of an empty PIDF document on /xcap-root/pidf-manipulation/users/sip:alice@example.org/index

2. Then try to process it with pres_refresh_watchers("$var(uri)", "presence", 2, "$xcapuri(u=>uri_adoc)", "$xcapuri(u=>file)")

3. Kamailio crashes with the following messages in logs:

```
Dec 14 11:10:41 kamailio-0[9460]: INFO: <script>: XHTTP: request [HTTP/1.1] PUT => /xcap-root/pidf-manipulation/users/sip:alice@example.org/index
Dec 14 11:10:41 kamailio-0[9460]: INFO: <script>: XHTTP: Accessing XCAP root
Dec 14 11:10:41 kamailio-0[9460]: INFO: <script>: XHTTP: Parsed XCAP URI : {data : /xcap-root/pidf-manipulation/users/sip:alice@example.org/index, uri : /xcap-root/pidf-manipulation/users/sip:alice@example.org/index, auid : pidf-manipulation, root : /xcap-root/, type : 16, xuid : sip:alice@example.org, file : index, node : <null>, target : <null>, domain : /xcap-root/pidf-manipulation/users/sip:alice@example.org/index, uri_adoc : /xcap-root/pidf-manipulation/users/sip:alice@example.org/index}
Dec 14 11:10:41 kamailio-0[9460]: INFO: <script>: XHTTP: Validating user URI
Dec 14 11:10:41 kamailio-0[9460]: INFO: <script>: XHTTP: User URI is valid
Dec 14 11:10:41 kamailio-0[9460]: INFO: <script>: XHTTP: PUT sip:alice@example.org
Dec 14 11:10:41 kamailio-0[9460]: ERROR: xcap_server [xcap_server.c:574]: w_xcaps_put(): invalid body parameter
Dec 14 11:10:41 kamailio-0[9460]: ERROR: presence [presentity.c:844]: update_presentity(): No E_Tag match index
Dec 14 11:10:41 kamailio-0[9365]: ALERT: <core> [main.c:738]: handle_sigs(): child process 9460 exited by a signal 11
Dec 14 11:10:41 kamailio-0[9365]: ALERT: <core> [main.c:741]: handle_sigs(): core was generated
```

We got an error with "invalid body parameter", which is good, but this won't prevent Kamailio from continuing and crashing.

Here is a config code snippet:

```
[...]
xcaps_put("$var(uri)", "$hu", "$rb");
pres_refresh_watchers("$var(uri)", "presence", 2, "$xcapuri(u=>uri_adoc)", "$xcapuri(u=>file)");
[...]
```

Maybe the "xcaps_put" return value may be used to prevent such issues. But my opinion is that it should not crash.

Here is the stack trace:

```
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0xb1ab8a4d in update_hard_presentity (pres_uri=0xbffd5710, event=0xb2623ae8, file_uri=0xbffd5720, filename=0xbffd5728) at publish.c:592
592                     if(pidf_doc->s)
(gdb) bt
#0  0xb1ab8a4d in update_hard_presentity (pres_uri=0xbffd5710, event=0xb2623ae8, file_uri=0xbffd5720, filename=0xbffd5728) at publish.c:592
#1  0xb1a8833b in pres_refresh_watchers (pres=0xbffd5710, event=0xbffd5718, type=2, file_uri=0xbffd5720, filename=0xbffd5728) at presence.c:691
#2  0xb1a96ded in w_pres_refresh_watchers5 (msg=0xbffd6a58, puri=0xb6e15a78 "\260\274", <incomplete sequence \341\266>, pevent=0xb6e15aec "\344\225\341\266 ",
    ptype=0xb6e15b2c "x\220\341\266\001", furi=0xb6e730dc "", fname=0xb6e73150 <incomplete sequence \341\266>) at presence.c:1722
#3  0x08062367 in do_action (h=0xbffd69b0, a=0xb6e1a2c4, msg=0xbffd6a58) at action.c:1087
#4  0x0806d2c6 in run_actions (h=0xbffd69b0, a=0xb6e17b34, msg=0xbffd6a58) at action.c:1549
#5  0x0806a717 in do_action (h=0xbffd69b0, a=0xb6e2c64c, msg=0xbffd6a58) at action.c:1301
#6  0x0806d2c6 in run_actions (h=0xbffd69b0, a=0xb6e2c64c, msg=0xbffd6a58) at action.c:1549
#7  0x0806a717 in do_action (h=0xbffd69b0, a=0xb6e55490, msg=0xbffd6a58) at action.c:1301
#8  0x0806d2c6 in run_actions (h=0xbffd69b0, a=0xb6df39e0, msg=0xbffd6a58) at action.c:1549
#9  0x08062021 in do_action (h=0xbffd69b0, a=0xb6e5566c, msg=0xbffd6a58) at action.c:1045
#10 0x0806d2c6 in run_actions (h=0xbffd69b0, a=0xb6ded644, msg=0xbffd6a58) at action.c:1549
#11 0xb1da33a5 in xhttp_process_request (orig_msg=0xb6e87774,
    new_buf=0xb6e87d40 "PUT /xcap-root/pidf-manipulation/users/sip:alice@example.org/index HTTP/1.1\r\nVia: SIP/2.0/TCP 1921681501:40618\r\nHost: xcap.example.org:5050\r\nContent-Length: 0\r\nUser-Agent: p", new_len=331) at xhttp_mod.c:282
#12 0xb1da42af in xhttp_handler (msg=0xb6e87774) at xhttp_mod.c:357
#13 0x081127ab in nonsip_msg_run_hooks (msg=0xb6e87774) at nonsip_hooks.c:111
#14 0x081368b1 in receive_msg (
    buf=0x9cdf838 "PUT /xcap-root/pidf-manipulation/users/sip:alice@example.org/index HTTP/1.1\r\nHost: xcap.example.org:5050\r\nContent-Length: 0\r\nUser-Agent: python-requests/2.7.0 CPython/2.7.6 Lin", len=293, rcv_info=0xb26398ac) at receive.c:145
#15 0x08208f85 in receive_tcp_msg (
    tcpbuf=0xb2639a68 "PUT /xcap-root/pidf-manipulation/users/sip:alice@example.org/index HTTP/1.1\r\nHost: xcap.example.org:5050\r\nContent-Length: 0\r\nUser-Agent: python-requests/2.7.0 CPython/2.7.6 Lin", len=293, rcv_info=0xb26398ac, con=0xb2639898) at tcp_read.c:1254
#16 0x0820bb37 in tcp_read_req (con=0xb2639898, bytes_read=0xbffd7208, read_flags=0xbffd720c) at tcp_read.c:1410
#17 0x0820e346 in handle_io (fm=0xb6e788a4, events=1, idx=-1) at tcp_read.c:1584
#18 0x082016c2 in io_wait_loop_epoll (h=0x8411480 <io_w>, t=2, repeat=0) at io_wait.h:1061
#19 0x0820fd0a in tcp_receive_loop (unix_sock=37) at tcp_read.c:1754
#20 0x081f8fc8 in tcp_init_children () at tcp_main.c:4788
#21 0x080df306 in main_loop () at main.c:1679
#22 0x080e4ca1 in main (argc=17, argv=0xbffd7734) at main.c:2597
```

Tell me if you need more information? Maybe the full stack.

I think the error is here (presence/publish.c:590-595):

```
	if(pidf_doc)
	{
		if(pidf_doc->s)
			pkg_free(pidf_doc->s);
		pkg_free(pidf_doc);
	}
```

Maybe more validation should be done on "pidf_doc" before trying to access "pidf_doc->s". But I haven't investigated the issue more than that.


---
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/441
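The cleanup block quoted from presence/publish.c guards on `if(pidf_doc)` and still faults on `pidf_doc->s`, which is the classic symptom of a pointer that is non-NULL but not valid on some error path (an uninitialised local is one plausible cause; the report itself does not establish the root cause). The C program below is an added illustration, not Kamailio's code and not the fix the project applied: it shows the defensive shape that makes such a guard reliable, namely initialising the pointer to NULL before any early exit, routing every error through one cleanup label, and freeing through a helper that tolerates NULL and nulls the pointer. The `str` layout matches Kamailio's; the function names `pidf_load`, `pidf_free`, `refresh_from_pidf`, the free counter and the minimal `<presence` check are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same shape as Kamailio's str type (char *s; int len). */
typedef struct {
    char *s;
    int len;
} str;

/* Counts completed frees so a test can check that cleanup actually ran. */
static int g_free_count = 0;
int pidf_free_count(void) { return g_free_count; }

/* Hypothetical helper: frees both levels of the document and nulls the
 * caller's pointer, so calling it on NULL or calling it twice is harmless. */
static void pidf_free(str **doc)
{
    if (doc == NULL || *doc == NULL)
        return;
    free((*doc)->s);   /* free(NULL) is defined to do nothing */
    free(*doc);
    *doc = NULL;
    g_free_count++;
}

/* Hypothetical loader: returns a heap copy of the body, or NULL when the
 * body is empty (the "invalid body parameter" case from the report). */
static str *pidf_load(const char *body, int len)
{
    str *doc;
    if (body == NULL || len <= 0)
        return NULL;
    doc = malloc(sizeof *doc);
    if (doc == NULL)
        return NULL;
    doc->s = malloc((size_t)len + 1);
    if (doc->s == NULL) {
        free(doc);
        return NULL;
    }
    memcpy(doc->s, body, (size_t)len);
    doc->s[len] = '\0';
    doc->len = len;
    return doc;
}

/* Hypothetical stand-in for the update path: returns 0 on success, -1 on any
 * error. pidf_doc is initialised to NULL before the first goto and every error
 * path reaches the single cleanup label, so the guard in the cleanup block can
 * only ever see NULL or a valid pointer, never stack garbage. */
int refresh_from_pidf(const char *body, int len)
{
    str *pidf_doc = NULL;
    int rc = -1;

    pidf_doc = pidf_load(body, len);
    if (pidf_doc == NULL)
        goto done;                       /* empty body: nothing to free */

    /* Minimal sanity check standing in for real PIDF parsing. */
    if (strstr(pidf_doc->s, "<presence") == NULL)
        goto done;                       /* not a PIDF document */

    rc = 0;                              /* success: watchers would be refreshed here */

done:
    pidf_free(&pidf_doc);                /* safe whether or not loading succeeded */
    return rc;
}

int main(void)
{
    /* Constructed inputs: an empty body (the reported case) and a minimal PIDF. */
    printf("empty body -> %d\n", refresh_from_pidf("", 0));
    printf("minimal PIDF -> %d\n", refresh_from_pidf("<presence/>", 11));
    return 0;
}
```

The empty-body case returns -1 without touching the heap, which is the behaviour the reporter expected from Kamailio in place of the SIGSEGV; the valid and non-PIDF inputs both exit through the same cleanup label and each release their document exactly once.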