[sr-dev] Segfault in pua_dialoginfo

Charles Chance charles.chance at sipcentric.com
Thu Jan 8 22:12:01 CET 2015


Hello,

I am investigating a crash which is happening since:

commit 0c11f4f9c235bf791ac39446c293483462a99354
Author: Daniel-Constantin Mierla <miconda at gmail.com>
Date:   Mon Dec 29 22:26:46 2014 +0100

    pua_dialoginfo: load dialogs for dialoginfo event upon restart

    - based on a patch by Kristian Høgh, FS#360



The problem appears to be that in this function of pua_dialoginfo.c...


static void
__dialog_created(struct dlg_cell *dlg, int type, struct dlg_cb_params *_params)
{
        struct sip_msg *request = _params->req;
        struct dlginfo_cell *dlginfo;

        if (request->REQ_METHOD != METHOD_INVITE)
                return;

        if(send_publish_flag > -1 && !(request->flags & (1<<send_publish_flag)))
                return;

        LM_DBG("new INVITE dialog created: from=%.*s\n", dlg->from_uri.len,
                        dlg->from_uri.s);

        dlginfo=get_dialog_data(dlg, type);
        if(dlginfo==NULL)
                return;

        dialog_publish_multi("Trying", dlginfo->pubruris_caller,
                                &(dlg->from_uri),
                                (include_req_uri)?&(dlg->req_uri):&(dlg->to_uri),
                                &(dlg->callid), 1, dlginfo->lifetime,
                                0, 0, 0, 0, (send_publish_flag==-1)?1:0);
        /* freed here, while the callback registered in get_dialog_data()
         * still holds the same pointer */
        free_dlginfo_cell(dlginfo);

}


...dlginfo is freed, but is still being referenced in the callback
registered here...


struct dlginfo_cell* get_dialog_data(struct dlg_cell *dlg, int type)
{
...
        /* register dialog callbacks which triggers sending PUBLISH */
        if (dlg_api.register_dlgcb(dlg,
                                DLGCB_FAILED | DLGCB_CONFIRMED_NA | DLGCB_TERMINATED
                                | DLGCB_EXPIRED | DLGCB_REQ_WITHIN | DLGCB_EARLY,
                                __dialog_sendpublish, dlginfo,
                                free_dlginfo_cell) != 0) {
                LM_ERR("cannot register callback for interesting dialog types\n");
                free_dlginfo_cell(dlginfo);
                return NULL;
        }
...
        return(dlginfo);
}



Can the freeing of this structure simply be left up to the dialog module
when the dialog is eventually destroyed?

All the best,
Charles

-- 
www.sipcentric.com

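The ownership rule the question above points at, shown as a small self-contained C example added here (it is not Kamailio code, and the names struct dialog, dlg_register_cb, dlg_run_cbs, dlg_destroy, struct info_cell are assumptions standing in for the dialog module API): once a parameter is handed to the callback registry together with a free function, the registry is the only owner and releases it exactly once when the dialog is destroyed, so the creator must not free it after registering. Freeing on the registration-failure path is still the creator's job, because ownership never transferred in that case.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a dialog module's callback registry; the names
 * below are assumptions for this example, not Kamailio's real API. */
typedef void (*dlg_cb_fn)(void *param, int event);
typedef void (*dlg_free_fn)(void *param);

struct cb_entry {
	dlg_cb_fn cb;           /* run on dialog events */
	dlg_free_fn free_param; /* releases param when the dialog is destroyed */
	void *param;            /* owned by the registry once registered */
	struct cb_entry *next;
};

struct dialog {
	struct cb_entry *cbs;
};

/* Constructed stand-in for the per-dialog data the callback needs. */
struct info_cell {
	char callid[64];
	int lifetime;
};

/* Counters so the behaviour can be checked without touching freed memory. */
int cb_calls = 0;
int param_frees = 0;

static void info_free(void *p)
{
	param_frees++;
	free(p);
}

static void info_cb(void *p, int event)
{
	struct info_cell *c = p;
	(void)event;
	cb_calls++;
	/* Safe only because the registry, not the creator, owns p until destroy. */
	if (c->callid[0] == '\0' || c->lifetime <= 0)
		abort();
}

int dlg_register_cb(struct dialog *dlg, dlg_cb_fn cb, void *param, dlg_free_fn ff)
{
	struct cb_entry *e = malloc(sizeof *e);
	if (e == NULL)
		return -1;
	e->cb = cb;
	e->param = param;
	e->free_param = ff;
	e->next = dlg->cbs;
	dlg->cbs = e;
	return 0;
}

void dlg_run_cbs(struct dialog *dlg, int event)
{
	struct cb_entry *e;
	for (e = dlg->cbs; e != NULL; e = e->next)
		e->cb(e->param, event);
}

/* The registry is the single place where registered param data is released. */
void dlg_destroy(struct dialog *dlg)
{
	struct cb_entry *e = dlg->cbs;
	while (e != NULL) {
		struct cb_entry *next = e->next;
		if (e->free_param != NULL)
			e->free_param(e->param);
		free(e);
		e = next;
	}
	dlg->cbs = NULL;
}

/* Creator side: allocate, register with a free function, then stop owning it.
 * Returns 0 on success, -1 if registration failed. */
int create_dialog_with_info(void)
{
	struct dialog dlg = { NULL };
	struct info_cell *c = calloc(1, sizeof *c);
	if (c == NULL)
		return -1;
	strcpy(c->callid, "constructed-callid-1@example.invalid");
	c->lifetime = 3600;

	if (dlg_register_cb(&dlg, info_cb, c, info_free) != 0) {
		free(c); /* registration failed: ownership never transferred */
		return -1;
	}
	/* From here on c belongs to the dialog: read it if needed, never free it. */
	dlg_run_cbs(&dlg, 1); /* e.g. an early/confirmed event */
	dlg_run_cbs(&dlg, 2); /* e.g. a terminated event */
	dlg_destroy(&dlg);    /* exactly one free, performed by the registry */
	return 0;
}

int main(void)
{
	if (create_dialog_with_info() != 0)
		return 1;
	printf("callbacks run: %d, param frees: %d\n", cb_calls, param_frees);
	return 0;
}
```

Running it shows two callback invocations reading valid data and a single release at destroy time; adding a second free in the creator after registration is the double-ownership pattern that produces a use-after-free like the one described in the message.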

