[sr-dev] Kamailio crashes when using replace_body_atonce from Textops

denis at dilvest.com denis at dilvest.com
Wed Jun 17 23:39:38 CEST 2015


update + workaround

The replace_body_atonce function is very similar to replace_body_all, but
replace_body_atonce is defined to use fixup_regexpNL_none for incoming
parameter processing. Apparently something in fixup_regexpNL_none is
causing the issue, because when I change the definition of replace_body_atonce
to use fixup_regexp_none (just like its "sister" function replace_body_all)
everything works fine and there is no crash.

I am not sure about the significance of fixup_regexpNL_none, as it is not used
by any function other than replace_body_atonce. However, as a workaround I ended
up using replace_body_all for my search + replace needs.

As far as fixup_regexpNL_none goes, I see it uses regcomp but I do not see a
call to regfree... So that might be the root cause of the memory issue.

-----Original Message-----
From: denis at dilvest.com [mailto:denis at dilvest.com] 
Sent: Wednesday, June 17, 2015 4:59 PM
To: 'sr-dev at lists.sip-router.org'
Subject: RE: Kamailio crashes when using replace_body_atonce from Textops

Upon further tracing, it looks like the crash happens in action.c, in
MODF_RVE_PARAM_FREE, when calling pkg_free((dst)[i+2].u.data);

-----Original Message-----
From: denis at dilvest.com [mailto:denis at dilvest.com]
Sent: Wednesday, June 17, 2015 1:25 PM
To: 'sr-dev at lists.sip-router.org'
Subject: Kamailio crashes when using replace_body_atonce from Textops

Hi,

Need some help resolving Kamailio crash.

Kamailio version 4.1 on CentOS (uname -r "Linux 2.6.18-164.11.1.el5")

The issue:
I want to replace text in the message body using replace_body_atonce from
the TextOps module.

Works fine when called like:
	replace_body_atonce("123456789","000");

Works fine when called like:
	$var(replacewith)="000";
	replace_body_atonce("123456789",$var(replacewith));

However, Kamailio crashes when called like:
	$var(findwhat)="123456789";
	$var(replacewith)="000";
	replace_body_atonce($var(findwhat),$var(replacewith));

The following is in the log:
Jun 17 16:21:08 tms /usr/local/sbin/kamailio[18614]: ERROR: textops [textops.c:570]: do_replace_body_f(): exit
Jun 17 16:21:08 tms /usr/local/sbin/kamailio[18614]: : <core> [mem/q_malloc.c:454]: qm_free(): BUG: qm_free: bad pointer 0xc0c0c0c0 (out of memory block!) called from <core>: action.c: do_action(1164) - aborting
Jun 17 16:21:08 tms /usr/local/sbin/kamailio[18612]: ALERT: <core> [main.c:778]: handle_sigs(): child process 18614 exited by a signal 6
Jun 17 16:21:08 tms /usr/local/sbin/kamailio[18612]: ALERT: <core> [main.c:781]: handle_sigs(): core was not generated

For some reason no core dump is generated (I have tried "ulimit -c
unlimited" and "echo "1" > /proc/sys/kernel/core_uses_pid"). However, I
added a log entry right before replace_body_atonce returns, and I do see that
replace_body_atonce completes and returns, but then it crashes.

I can easily reproduce the issue. Please let me know if you have any
suggestions to try (even in the code, as I can recompile it).

Thanks,
Denis
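
The thread above suspects a regcomp() with no matching regfree() and reports the abort inside a parameter-free step. As an added example (not Kamailio code and not from the original post), here is a small C model of a parameter fixup that swaps a pattern string for a compiled regex_t, paired with a release routine that frees it exactly once; param_t, param_fixup, param_fixup_free and lifecycle_check are hypothetical names, and REG_NEWLINE is an assumed flag.

```c
#include <regex.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical parameter slot: the raw pattern string before fixup,
 * a heap-allocated compiled regex afterwards. */
typedef struct { void *data; int compiled; } param_t;

/* Swap the pattern string for its compiled form. On failure the slot
 * still owns the original string, so the release path stays valid. */
static int param_fixup(param_t *p)
{
    regex_t *re = malloc(sizeof(*re));
    if (re == NULL) return -1;
    /* REG_NEWLINE is an assumption made for this model. */
    if (regcomp(re, (const char *)p->data, REG_EXTENDED | REG_NEWLINE) != 0) {
        free(re);
        return -1;
    }
    free(p->data);              /* the string is no longer needed */
    p->data = re;
    p->compiled = 1;
    return 0;
}

/* Release exactly once: regfree() drops the buffers regcomp() allocated,
 * free() drops the regex_t itself, and the slot is cleared so a second
 * call (or a later generic free) never sees a stale pointer. */
static void param_fixup_free(param_t *p)
{
    if (p->data == NULL) return;
    if (p->compiled) regfree((regex_t *)p->data);
    free(p->data);
    p->data = NULL;
    p->compiled = 0;
}

/* Full lifecycle: 1 = body matches, 0 = no match, -1 = bad pattern,
 * -2 = allocation failure or slot not cleared after release. */
int lifecycle_check(const char *pattern, const char *body)
{
    param_t p = { malloc(strlen(pattern) + 1), 0 };
    int rc = -1;
    if (p.data == NULL) return -2;
    strcpy(p.data, pattern);
    if (param_fixup(&p) == 0)
        rc = regexec((regex_t *)p.data, body, 0, NULL, 0) == 0;
    param_fixup_free(&p);
    param_fixup_free(&p);       /* second call must be a no-op */
    return p.data == NULL ? rc : -2;
}
```

Building this with -fsanitize=address,leak and deleting the regfree() call shows the leak the message suspects; the sample bodies used to exercise it are constructed.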
