[sr-dev] [kamailio] kamailio 4.3 crash in update_dialog_vars_dbinfo (#301)

MayamaTakeshi notifications at github.com
Wed Sep 9 09:36:25 CEST 2015


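Here is the gdb output for the crash, using commit 2962852bf706692bdbc9b51419dbdc2012f34e1b. Note that `var` is 0x3433 in both frames, which is not a valid pointer, even though the `cell->vars` list can still be walked through all six entries to its terminating `next = 0x0`.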

```
(gdb) frame 0
#0  0x00007f3a36b4d5ac in update_dialog_vars_dbinfo (cell=0x7f3a23da0df8, var=0x3433) at dlg_db_handler.c:652
652		SET_STR_VALUE(values+2, var->key);
(gdb) p *cell
$1 = {ref = 1, next = 0x0, prev = 0x0, h_id = 2296, h_entry = 2580, state = 1, lifetime = 10800, init_ts = 1441585434, start_ts = 0, dflags = 0, iflags = 0, sflags = 0, toroute = 0, toroute_name = {
    s = 0x0, len = 0}, from_rr_nb = 0, tl = {next = 0x0, prev = 0x0, timeout = 0}, callid = {
    s = 0x7f3a23da0f58 "45-22528 at 192.168.0.190sip:user1 at test1.comsip:09011112222 at 192.168.2.189:5060sip:09011112222 at 192.168.2.190:5030030168.2.190:5030:101 0-15\r\na=sendrecv\r\n", len = 22}, from_uri = {
    s = 0x7f3a23da0f6e "sip:user1 at test1.comsip:09011112222 at 192.168.2.189:5060sip:09011112222 at 192.168.2.190:5030030168.2.190:5030:101 0-15\r\na=sendrecv\r\n", len = 19}, to_uri = {
    s = 0x7f3a23da0f81 "sip:09011112222 at 192.168.2.189:5060sip:09011112222 at 192.168.2.190:5030030168.2.190:5030:101 0-15\r\na=sendrecv\r\n", len = 34}, req_uri = {
    s = 0x7f3a23da0fa3 "sip:09011112222 at 192.168.2.190:5030030168.2.190:5030:101 0-15\r\na=sendrecv\r\n", len = 34}, tag = {{s = 0x7f3a23b63558 "22528SIPpTag0045(", len = 16}, {s = 0x0, len = 0}}, cseq = {
    {s = 0x7f3a23b88510 "802r1", len = 3}, {s = 0x0, len = 0}}, route_set = {{s = 0x0, len = 0}, {s = 0x0, len = 0}}, contact = {{s = 0x7f3a23b93398 "sip:user1 at 192.168.2.50:5010", len = 27}, {s = 0x0, 
      len = 0}}, bind_addr = {0x7f3a39c0d730, 0x0}, cbs = {first = 0x7f3a23b6aac8, types = 41172}, profile_links = 0x7f3a23b6d600, vars = 0x7f3a23e27f48}
(gdb) p *cell->vars
$2 = {key = {s = 0x7f3a239c2d28 "answer_time", len = 11}, value = {s = 0x7f3a23a5fbf0 "1441585434.599", len = 14}, vflags = 0, next = 0x7f3a23efff50}
(gdb) set $p=cell->vars->next
(gdb) while ($p != 0)
 >p *$p
 >set $p=$p->next
 >end
$3 = {key = {s = 0x7f3a23a6da10 "calling_number", len = 14}, value = {s = 0x7f3a23d8fd20 "0312341234", len = 10}, vflags = 0, next = 0x7f3a23d6eb88}
$4 = {key = {s = 0x7f3a23d9aa08 "destination", len = 11}, value = {s = 0x7f3a23ca6428 "09011112222", len = 11}, vflags = 0, next = 0x7f3a239cb390}
$5 = {key = {s = 0x7f3a23aece40 "caller_username", len = 15}, value = {s = 0x7f3a23bbfb70 "user1", len = 5}, vflags = 0, next = 0x7f3a23a9b670}
$6 = {key = {s = 0x7f3a23c71d18 "caller_domain", len = 13}, value = {s = 0x7f3a23db6ff0 "test1.com", len = 9}, vflags = 0, next = 0x7f3a23dae4c0}
$7 = {key = {s = 0x7f3a23ea1b70 "start_time", len = 10}, value = {s = 0x7f3a23b6d838 "2015-09-07 09:24:00", len = 19}, vflags = 0, next = 0x0}
(gdb) frame 1
#1  0x00007f3a36b4e110 in update_dialog_dbinfo_unsafe (cell=0x7f3a23da0df8) at dlg_db_handler.c:720
720				if (update_dialog_vars_dbinfo(cell, var) != 0)
(gdb) info locals
i = 6
var = 0x3433
jdoc = {root = 0x7ffd1b5c8360, flags = 1, buf = {s = 0x7ffd1b5c5da4 "\001", len = 918097505}, malloc_fn = 0x1b5c5d20, free_fn = 0x400}
values = {{type = 968806416, nul = 32570, free = 968806776, val = {int_val = 952365092, ll_val = 139888037195812, double_val = 6.9113873442613175e-310, time_val = 139888037195812, 
      string_val = 0x7f3a38c3f024 "db_free_result", str_val = {s = 0x7f3a38c3f024 "db_free_result", len = -1}, blob_val = {s = 0x7f3a38c3f024 "db_free_result", len = -1}, bitmap_val = 952365092}}, {
    type = 459037504, nul = 32765, free = 5553258, val = {int_val = 971126424, ll_val = 139888055957144, double_val = 6.9113882711942786e-310, time_val = 139888055957144, string_val = 0x7f3a39e23698 "8", 
      str_val = {s = 0x7f3a39e23698 "8", len = 971126480}, blob_val = {s = 0x7f3a39e23698 "8", len = 971126480}, bitmap_val = 971126424}}, {type = 943010100, nul = 960050485, free = 0, val = {
      int_val = 459037424, ll_val = 17638906608, double_val = 8.7147777852149514e-314, time_val = 17638906608, string_val = 0x41b5c5af0 <Address 0x41b5c5af0 out of bounds>, str_val = {
        s = 0x41b5c5af0 <Address 0x41b5c5af0 out of bounds>, len = 971126480}, blob_val = {s = 0x41b5c5af0 <Address 0x41b5c5af0 out of bounds>, len = 971126480}, bitmap_val = 459037424}}, {
    type = 4284160, nul = 0, free = 0, val = {int_val = 24, ll_val = 206158430232, double_val = 1.0185579797819065e-312, time_val = 206158430232, 
      string_val = 0x3000000018 <Address 0x3000000018 out of bounds>, str_val = {s = 0x3000000018 <Address 0x3000000018 out of bounds>, len = 459038176}, blob_val = {
        s = 0x3000000018 <Address 0x3000000018 out of bounds>, len = 459038176}, bitmap_val = 24}}, {type = 459037984, nul = 32765, free = 459045808, val = {int_val = 1, ll_val = 4294967297, 
      double_val = 2.121995791459338e-314, time_val = 4294967297, string_val = 0x100000001 <Address 0x100000001 out of bounds>, str_val = {s = 0x100000001 <Address 0x100000001 out of bounds>, 
        len = 968806416}, blob_val = {s = 0x100000001 <Address 0x100000001 out of bounds>, len = 968806416}, bitmap_val = 1}}, {type = 968844264, nul = 32570, free = 0, val = {int_val = 0, ll_val = 0, 
      double_val = 0, time_val = 0, string_val = 0x0, str_val = {s = 0x0, len = 0}, blob_val = {s = 0x0, len = 0}, bitmap_val = 0}}, {type = 459047776, nul = 32765, free = 968844320, val = {
      int_val = 968844320, ll_val = 139888053675040, double_val = 6.91138815844336e-310, time_val = 139888053675040, string_val = 0x7f3a39bf6420 "\200jb\002", str_val = {s = 0x7f3a39bf6420 "\200jb\002", 
        len = 4284160}, blob_val = {s = 0x7f3a39bf6420 "\200jb\002", len = 4284160}, bitmap_val = 968844320}}, {type = DB1_INT, nul = 10, free = 0, val = {int_val = 0, ll_val = 140724603453440, 
      double_val = 6.9527192090977147e-310, time_val = 140724603453440, string_val = 0x7ffd00000000 <Address 0x7ffd00000000 out of bounds>, str_val = {
        s = 0x7ffd00000000 <Address 0x7ffd00000000 out of bounds>, len = 956686756}, blob_val = {s = 0x7ffd00000000 <Address 0x7ffd00000000 out of bounds>, len = 956686756}, bitmap_val = 0}}, {
    type = 598080440, nul = 32570, free = 584531968, val = {int_val = 4284160, ll_val = 498220490496, double_val = 2.4615362840824888e-312, time_val = 498220490496, 
      string_val = 0x7400415f00 <Address 0x7400415f00 out of bounds>, str_val = {s = 0x7400415f00 <Address 0x7400415f00 out of bounds>, len = 918218504}, blob_val = {
        s = 0x7400415f00 <Address 0x7400415f00 out of bounds>, len = 918218504}, bitmap_val = 4284160}}, {type = 918215305, nul = 4, free = 7783856, val = {int_val = 598080440, ll_val = 139887682911160, 
      double_val = 6.9113698402737773e-310, time_val = 139887682911160, string_val = 0x7f3a23a5fbb8 "\020", str_val = {s = 0x7f3a23a5fbb8 "\020", len = 584531968}, blob_val = {s = 0x7f3a23a5fbb8 "\020", 
        len = 584531968}, bitmap_val = 598080440}}, {type = DB1_INT, nul = 0, free = 598080440, val = {int_val = 459037744, ll_val = 140725062491184, double_val = 6.9527418885756602e-310, 
      time_val = 140725062491184, string_val = 0x7ffd1b5c5c30 "\200\\\\\033\375\177", str_val = {s = 0x7ffd1b5c5c30 "\200\\\\\033\375\177", len = 6466558}, blob_val = {
        s = 0x7ffd1b5c5c30 "\200\\\\\033\375\177", len = 6466558}, bitmap_val = 459037744}}, {type = 927521223, nul = 32570, free = 459037952, val = {int_val = 255, ll_val = 255, 
      double_val = 1.2598673968951787e-321, time_val = 255, string_val = 0xff <Address 0xff out of bounds>, str_val = {s = 0xff <Address 0xff out of bounds>, len = 0}, blob_val = {
        s = 0xff <Address 0xff out of bounds>, len = 0}, bitmap_val = 255}}, {type = 929725344, nul = 32570, free = -1115228334, val = {int_val = -72515583, ll_val = 140728825905153, 
      double_val = 6.9529278259309764e-310, time_val = 140728825905153, string_val = 0x7ffdfbad8001 <Address 0x7ffdfbad8001 out of bounds>, str_val = {
        s = 0x7ffdfbad8001 <Address 0x7ffdfbad8001 out of bounds>, len = 929725344}, blob_val = {s = 0x7ffdfbad8001 <Address 0x7ffdfbad8001 out of bounds>, len = 929725344}, bitmap_val = 4222451713}}, {
    type = 929725344, nul = 32570, free = 1, val = {int_val = 918218504, ll_val = 139888003049224, double_val = 6.9113856571957121e-310, time_val = 139888003049224, 
      string_val = 0x7f3a36bae708 "new_dlg_var", str_val = {s = 0x7f3a36bae708 "new_dlg_var", len = 918215305}, blob_val = {s = 0x7f3a36bae708 "new_dlg_var", len = 918215305}, bitmap_val = 918218504}}, {
    type = 16, nul = 0, free = 584531968, val = {int_val = 584532328, ll_val = 4879499624, double_val = 2.4107931331136797e-314, time_val = 4879499624, 
      string_val = 0x122d74168 <Address 0x122d74168 out of bounds>, str_val = {s = 0x122d74168 <Address 0x122d74168 out of bounds>, len = 584565936}, blob_val = {
        s = 0x122d74168 <Address 0x122d74168 out of bounds>, len = 584565936}, bitmap_val = 584532328}}, {type = 459037744, nul = 32765, free = 918089567, val = {int_val = 0, ll_val = 0, double_val = 0, 
      time_val = 0, string_val = 0x0, str_val = {s = 0x0, len = 15}, blob_val = {s = 0x0, len = 15}, bitmap_val = 0}}, {type = 4284160, nul = 0, free = 584565936, val = {int_val = 0, ll_val = 0, 
      double_val = 0, time_val = 0, string_val = 0x0, str_val = {s = 0x0, len = 0}, blob_val = {s = 0x0, len = 0}, bitmap_val = 0}}, {type = 459037824, nul = 32765, free = 918089739, val = {
      int_val = 918178514, ll_val = 499134384850, double_val = 2.4660515221248855e-312, time_val = 499134384850, string_val = 0x7436ba4ad2 <Address 0x7436ba4ad2 out of bounds>, str_val = {
        s = 0x7436ba4ad2 <Address 0x7436ba4ad2 out of bounds>, len = 918218504}, blob_val = {s = 0x7436ba4ad2 <Address 0x7436ba4ad2 out of bounds>, len = 918218504}, bitmap_val = 918178514}}, {
    type = 918215305, nul = 32570, free = 584531968, val = {int_val = -1, ll_val = 4294967295, double_val = 2.1219957904712067e-314, time_val = 4294967295, 
      string_val = 0xffffffff <Address 0xffffffff out of bounds>, str_val = {s = 0xffffffff <Address 0xffffffff out of bounds>, len = 598080496}, blob_val = {
        s = 0xffffffff <Address 0xffffffff out of bounds>, len = 598080496}, bitmap_val = 4294967295}}, {type = 459038016, nul = 32765, free = 14, val = {int_val = 459037952, ll_val = 140725062491392, 
      double_val = 6.9527418885859368e-310, time_val = 140725062491392, string_val = 0x7ffd1b5c5d00 "\244]\\\033\375\177", str_val = {s = 0x7ffd1b5c5d00 "\244]\\\033\375\177", len = 918096116}, 
      blob_val = {s = 0x7ffd1b5c5d00 "\244]\\\033\375\177", len = 918096116}, bitmap_val = 459037952}}, {type = 459037968, nul = 32765, free = 6403297, val = {int_val = 459038320, 
      ll_val = 140725062491760, double_val = 6.9527418886041184e-310, time_val = 140725062491760, string_val = 0x7ffd1b5c5e70 "", str_val = {s = 0x7ffd1b5c5e70 "", len = 876528715}, blob_val = {
        s = 0x7ffd1b5c5e70 "", len = 876528715}, bitmap_val = 459038320}}, {type = 459038336, nul = 32765, free = 929650944, val = {int_val = 599173776, ll_val = 139887684004496, 
      double_val = 6.911369894291753e-310, time_val = 139887684004496, string_val = 0x7f3a23b6aa90 "(", str_val = {s = 0x7f3a23b6aa90 "(", len = 602046280}, blob_val = {s = 0x7f3a23b6aa90 "(", 
        len = 602046280}, bitmap_val = 599173776}}, {type = 599, nul = 0, free = 459038272, val = {int_val = 14, ll_val = 14, double_val = 6.9169190417774516e-323, time_val = 14, 
      string_val = 0xe <Address 0xe out of bounds>, str_val = {s = 0xe <Address 0xe out of bounds>, len = 4284160}, blob_val = {s = 0xe <Address 0xe out of bounds>, len = 4284160}, bitmap_val = 14}}}
insert_keys = {0x7f3a36db3dc0, 0x7f3a36db3db0, 0x7f3a36db3d60, 0x7f3a36db3d70, 0x7f3a36db3d80, 0x7f3a36db3d90, 0x7f3a36db3da0, 0x7f3a36db3e70, 0x7f3a36db3e60, 0x7f3a36db3de0, 0x7f3a36db3dd0, 
  0x7f3a36db3df0, 0x7f3a36db3e10, 0x7f3a36db3e00, 0x7f3a36db3e50, 0x7f3a36db3e40, 0x7f3a36db3e30, 0x7f3a36db3e20, 0x7f3a36db3e80, 0x7f3a36db3ea0, 0x7f3a36db3eb0, 0x7f3a36db3ec0, 0x7f3a36db3e90}
__FUNCTION__ = "update_dialog_dbinfo_unsafe"
(gdb) 
```


About access to the server: I am asking our network/security team whether this access can be granted.
This might take some time, so in the meantime I am trying to reproduce this in two VMs at DigitalOcean, but with no luck so far (in the lab I am using KVM and VMware hosts, and the crash happens easily on both of them).




