[sr-dev] [kamailio/kamailio] carrierroute: segfault while fixup cr_route params (#1210)

Rick notifications at github.com
Thu Aug 10 10:57:06 CEST 2017



### Description

I tried to configure the carrierroute module with the description loaded from the database into an AVP, but it crashes with a segfault during startup.

### Troubleshooting

#### Reproduction


```
/* ----- carrierroute params ----------------------------------------------- */
modparam("carrierroute", "config_source", "db")
modparam("carrierroute", "db_url", ....)
modparam("carrierroute", "fetch_rows", 2000)
modparam("carrierroute", "db_load_description", 1)
modparam("carrierroute", "match_mode", 10)
modparam("carrierroute", "avoid_failed_destinations", 1)
```

```
if (cr_route("default", "default", "$(rU{s.strip,1})", "$rU", "call_id", "destination")) {
    ....
}
```

#### Debugging Data


```
#0  avp_name_fixup (param=0x8018d1330) at cr_fixup.c:187
187		if (((gparam_p)(*param))->v.pve->spec->type == PVT_AVP &&
[New Thread 80165a600 (LWP 100186/<unknown>)]
(gdb) bt full
#0  avp_name_fixup (param=0x8018d1330) at cr_fixup.c:187
No locals.
#1  0x00000008072f0256 in cr_route_fixup (param=0x8018d1330, param_no=6) at cr_fixup.c:242
	my_hash_source = shs_call_id
#2  0x000000000073238e in fix_actions (a=0x8018d1258) at core/route.c:919
	t = (struct action *) 0x8018d1258
	p = (struct proxy_l *) 0xffffffff00000048
	tmp = 0x0
	tmp_p = (void *) 0x8018d1660
	ret = 0
	i = 5
	cmd = (sr31_cmd_export_t *) 0x80186dcd0
	s = {s = 0xffffffff00000000 <Address 0xffffffff00000000 out of bounds>, len = 0}
	he = (struct hostent *) 0x4
	ip = {af = 4859304, len = 0, u = {addrl = 0x7fffffff9be0, addr32 = 0x7fffffff9be0, addr16 = 0x7fffffff9be0, addr = 0x7fffffff9be0 "?"}}
	si = (struct socket_info *) 0x7fffffff9c10
	lval = (struct lvalue *) 0xffffffff00000001
	rve = (struct rval_expr *) 0x0
	err_rve = (struct rval_expr *) 0x1
	rve_type = RV_NONE
	err_type = 48625432
	expected_type = RV_NONE
	rv = (struct rvalue *) 0x9b6cf7
	rve_param_no = 0
#3  0x000000000068a1c4 in fix_rval (rv=0x8018d36c8, rve=0x8018d36c0) at core/rvalue.c:2873
No locals.
#4  0x000000000068843e in fix_rval_expr (p=0x8018d36c0) at core/rvalue.c:3797
	rve = (struct rval_expr *) 0x8018d36c0
	ret = 32767
#5  0x000000000072aa08 in fix_actions (a=0x8018c94d0) at core/route.c:706
	t = (struct action *) 0x8018d1d18
	p = (struct proxy_l *) 0x68341cdd25
	tmp = 0x3 <Address 0x3 out of bounds>
	tmp_p = (void *) 0x8018cc9c0
	ret = 0
	i = 1
	cmd = (sr31_cmd_export_t *) 0x801869de0
	s = {s = 0x8018cc9c0 "", len = 5}
	he = (struct hostent *) 0x9b6cf7
	ip = {af = 6302080, len = 0, u = {addrl = 0x7fffffffcfc0, addr32 = 0x7fffffffcfc0, addr16 = 0x7fffffffcfc0, addr = 0x7fffffffcfc0 ""}}
	si = (struct socket_info *) 0x7fffffffd0a0
	lval = (struct lvalue *) 0x800f42023
	rve = (struct rval_expr *) 0x8018d36c0
	err_rve = (struct rval_expr *) 0x0
	rve_type = RV_INT
	err_type = 9938251
	expected_type = 32767
	rv = (struct rvalue *) 0x8018ccf20
	rve_param_no = 0
#6  0x000000000073fd6d in fix_rl (rt=0xce3830) at core/route.c:2088
	i = 0
	ret = -12096
#7  0x000000000073fc37 in fix_rls () at core/route.c:2104
	ret = 4
#8  0x000000000043b0ae in main (argc=4, argv=0x7fffffffeb30) at main.c:2635
	cfg_stream = (FILE *) 0x8011fdc90
	c = -1
	r = 1
	tmp = 0x800f84aa2 "H\213\vH;M?u\aH\203?([]??\225!??f\017\037\204"
	tmp_len = 32767
	port = -5424
	proto = 0
	options = 0x979297 ":f:cm:M:dVIhEeb:l:L:n:vKrRDTN:W:w:t:u:g:P:G:SQ:O:a:A:x:X:Y:"
	ret = -1
	seed = 2763663412
	rfd = 4
	debug_save = 3
	debug_flag = 1
	dont_fork_cnt = 1
	n_lst = (struct name_lst *) 0x7fffffffeaa0
	p = 0x4 <Address 0x4 out of bounds>
	st = {st_dev = 93, st_ino = 160517, st_mode = 16832, st_nlink = 2, st_uid = 986, st_gid = 986, st_rdev = 332063, st_atim = {tv_sec = 1459764184, tv_nsec = 513386000}, 
  st_mtim = {tv_sec = 1502352532, tv_nsec = 990638000}, st_ctim = {tv_sec = 1502352532, tv_nsec = 990638000}, st_size = 512, st_blocks = 8, st_blksize = 32768, st_flags = 0, 
  st_gen = 3958570559, st_lspare = 0, st_birthtim = {tv_sec = 1459764184, tv_nsec = 513356000}}
Current language:  auto; currently minimal
```

#### Log Messages


```
 0(45720) DEBUG: <core> [core/route.c:872]: fix_actions(): fixing cr_route()
 0(45720) DEBUG: <core> [core/pvapi.c:419]: pv_spec_lookup(): PV <$(rU{s.strip,1})> is not in cache
 0(45720) DEBUG: <core> [core/pvapi.c:293]: pv_cache_add(): pvar [$(rU{s.strip,1})] added in cache
 0(45720) DEBUG: <core> [core/pvapi.c:321]: pv_cache_lookup(): pvar [$rU] found in cache
Segmentation fault (core dumped)
```

#### SIP Traffic


```
none
```

### Possible Solutions


### Additional Information

  * **Kamailio Version** - output of `kamailio -v`

```
# kamailio -v
version: kamailio 5.1.0-dev5 (x86_64/freebsd) 
flags: STATS: Off, USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MEM, SHM_MMAP, PKG_MALLOC, Q_MALLOC, F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLACKLIST, HAVE_RESOLV_RES
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
poll method support: poll, select, kqueue.
id: unknown 
compiled on 16:54:24 Aug  9 2017 with clang 3.8
```

* **Operating System**:


```
# uname -a
FreeBSD hostname.com 11.0-RELEASE-p9 FreeBSD 11.0-RELEASE-p9 #0: Tue Apr 11 08:48:40 UTC 2017     root at amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64
```


-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/1210
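
Line 187 in the backtrace reads `->v.pve->spec->type` through `*param` in a single expression, and the sixth `cr_route` argument in the reproduction is the literal `"destination"`. As an added illustration (not Kamailio's code and not the project's fix), the C example below validates every link of that chain before using it; the struct layouts, the `GP_STR`/`GP_PVE` tag, `avp_name_check` and `demo_case` are simplified assumptions.

```c
#include <stddef.h>

/* Simplified stand-ins (assumptions) for the types named on cr_fixup.c:187. */
enum pv_type { PVT_OTHER, PVT_AVP };
enum gp_type { GP_STR, GP_PVE };            /* hypothetical type tag */
struct pv_spec { enum pv_type type; const char *name; int name_len; };
struct pv_elem { struct pv_spec *spec; };   /* spec may be absent */
struct gparam {
    enum gp_type type;
    union { const char *str; struct pv_elem *pve; } v;
};

/* Return 0 only when *param is a parsed variable naming an AVP.
 * Every pointer on the path param -> v.pve -> spec is checked first. */
int avp_name_check(void **param)
{
    struct gparam *gp;
    struct pv_spec *spec;

    if (param == NULL || *param == NULL)
        return -1;
    gp = (struct gparam *)*param;
    if (gp->type != GP_PVE)                  /* union holds a plain string */
        return -1;
    if (gp->v.pve == NULL || gp->v.pve->spec == NULL)
        return -1;
    spec = gp->v.pve->spec;
    if (spec->type != PVT_AVP || spec->name == NULL || spec->name_len == 0)
        return -1;
    return 0;
}

/* Constructed sample parameters: 0 literal string, 1 element without a spec,
 * 2 non-AVP variable, 3 AVP variable, any other value a NULL parameter. */
int demo_case(int which)
{
    struct pv_spec ru = { PVT_OTHER, "rU", 2 };
    struct pv_spec avp = { PVT_AVP, "dest", 4 };
    struct pv_elem no_spec = { NULL }, e_ru = { &ru }, e_avp = { &avp };
    struct gparam gp = { GP_STR, { "destination" } };
    void *p = &gp;
    if (which == 1) { gp.type = GP_PVE; gp.v.pve = &no_spec; }
    else if (which == 2) { gp.type = GP_PVE; gp.v.pve = &e_ru; }
    else if (which == 3) { gp.type = GP_PVE; gp.v.pve = &e_avp; }
    else if (which != 0) p = NULL;
    return avp_name_check(&p);
}
int main(void) { return demo_case(3); }
```

With a check of this shape, a parameter that cannot name an AVP makes the fixup return an error at startup instead of faulting.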