[sr-dev] kamailio 4.4.1 crash on bad sip response

David Escartín Almudévar descartin at bts.io
Mon Mar 27 10:36:49 CEST 2017


Hello all, Daniel,

Checking the core with gdb, we have checked the variables at the
frames of the backtrace to try to get the full SIP message; it
seemed truncated.
Checking the buf variable of frame 11, which theoretically contains the
SIP message to parse, we have the string


SIP/2.0 487 Request Terminated\r\nFrom: \"881237046977
\"<sip:881237046977@79.170.68.185;user=phone>;tag=B7jgc8jQ4m5pB\r\nTo:
<sip:5926053324@79.170.68.186:5060>;tag=e0d50be-13c4-58d47cba-a2ed9808-36fa\r\nl\337K\016\213\347: \344\003\r\nCSeq: 104824272 INVITE\r\nVia: SIP/2.0/UDP L\263\264\016\020?\337\v\234\262\264\016 ;branch=\327\f\340\r\nVia: SIP/2.0/UDP \020?\337\v\234\262\264\016 :5080;received=;rport=5080;branch=\020?\337\v\234\262\264\016 \r\nContent-Length: 0\r\n\r\n

This is, I guess, how gdb parses the message, so I guess I cannot
put it like that into a sipp XML scenario, since CRLF is represented
as \r\n; other parts like l\337K\016\213\347: \344\003 I have no
idea what they are, because they also seem to be outside the ASCII table
(?)
In any case, it seems the message is very badly formed, and Kamailio tries to
resolve the host of the Via and gets nothing, so the function
get_hash1_case_raw is fed a NULL value, and that seems to be the reason it
crashes.

I hope you can retrieve information from that message to find out exactly
what kind of message it is and see if it's possible to avoid
Kamailio's crash in this scenario.


Best regards,
David



On Fri, 24-03-2017 at 12:10 +0100, David Escartín Almudévar wrote:

> Hello all,
> 
> We have experienced a crash, and tracing the logs and the core, it seems
> it was because of a SIP response from an endpoint.
> A UDP receiver (26248) crashed and the last message we see on it is a
> quite badly formed 487.
> 
> Mar 24 01:58:02 mia-proxy-inout-1-stby /usr/local/kamailio/sbin/kamailio[26248]: ERROR: tm [t_lookup.c:1055]: t_check_msg(): ERROR: reply doesn't have a via, cseq or call-id header
> Mar 24 01:58:17 mia-proxy-inout-1-stby /usr/local/kamailio/sbin/kamailio[26230]: ALERT: <core> [main.c:739]: handle_sigs(): child process 26248 exited by a signal 11
> 
> 
> The backtrace of the core:
> (gdb) backtrace
> #0  0x0000000000457ab9 in get_hash1_case_raw (s=0x0, len=0) at
> hashes.h:210
> #1  0x000000000045b472 in _dns_hash_find (name=0x7f6906943188, type=1,
> h=0x7fff120793cc, err=0x7fff120793ac) at dns_cache.c:535
> #2  0x0000000000461285 in dns_hash_get (name=0x7f6906943188, type=1,
> h=0x7fff120793cc, err=0x7fff120793ac) at dns_cache.c:762
> #3  0x0000000000467194 in dns_get_entry (name=0x7f6906943188, type=1)
> at dns_cache.c:2102
> #4  0x0000000000468a05 in dns_a_get_he (name=0x7f6906943188) at
> dns_cache.c:2432
> #5  0x0000000000468bb9 in dns_get_he (name=0x7f6906943188, flags=1) at
> dns_cache.c:2505
> #6  0x00000000004696c4 in dns_srv_sip_resolvehost
> (name=0x7f6906943188, port=0x7fff120795e2, proto=0x7fff120795e1 "\001
> \330\023") at dns_cache.c:2679
> #7  0x000000000046aa37 in dns_sip_resolvehost (name=0x7f6906943188,
> port=0x7fff120795e2, proto=0x7fff120795e1 "\001\330\023") at
> dns_cache.c:2849
> #8  0x000000000049519e in update_sock_struct_from_via
> (to=0x7fff12079708, msg=0x7f69069a1dd8, via=0x7f69068f82a8) at
> forward.c:704
> #9  0x0000000000495ee5 in do_forward_reply (msg=0x7f69069a1dd8,
> mode=0) at forward.c:766
> #10 0x00000000004970af in forward_reply (msg=0x7f69069a1dd8) at
> forward.c:849
> #11 0x00000000005197ef in receive_msg (
>     buf=0xab0d80 "SIP/2.0 487 Request Terminated\r\nFrom: \"8888888888
> \"<sip:8888888888 at 7.7.7.7;user=phone>;tag=B7jgc8jQ4m5pB\r\nTo:
> <sip:555555555 at 8.8.8.8:5060>;tag=e0d50be-13c4-58d47cba-a2ed9808-36fa\r
> \nl\337K\016"..., len=367, rcv_info=0x7fff12079a10) at receive.c:299
> #12 0x0000000000627b43 in udp_rcv_loop () at udp_server.c:495
> #13 0x00000000004b107a in main_loop () at main.c:1600
> #14 0x00000000004b842f in main (argc=13, argv=0x7fff12079fb8) at
> main.c:2616
> 
> 
> I have tried to duplicate the issue, but I don't know how to translate
> l\337K\016 into an XML notation.
> I guess this is something weird that cannot be processed by Kamailio.
> 
> Could you please take a look and let me know if you know how to
> duplicate and fix this crash?
> 
> Thanks a lot and regards,
> david
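
Added example, not from this thread and not Kamailio code: a Python script that decodes gdb's C-string notation (\r, \n, \337, \v ...) back into the raw datagram bytes, which is the missing step between the buf dump above and anything that can be replayed, and then looks at the message the way a proxy does before forwarding a response. The dump is the one from the first mail, with the list archive's " at " restored to "@" in the two URIs. The From display name is written with no space before its closing quote: decoded that way the datagram is exactly 367 bytes, the len gdb shows in frame #11, so the space visible at the line wrap in the quoted copy is taken to be a mail-wrapping artifact. The Via target selection follows RFC 3261 18.2.2 (maddr, then received, then sent-by host); the hostname and token checks and the finding texts are this example's own, not a description of Kamailio's parser.

```python
import re
from typing import Dict, List, Optional, Tuple

# gdb's single-character escapes; any other non-printable byte is printed as \NNN (octal).
_GDB_SIMPLE = {"n": 0x0A, "r": 0x0D, "t": 0x09, "v": 0x0B, "f": 0x0C,
               "a": 0x07, "b": 0x08, '"': 0x22, "'": 0x27, "\\": 0x5C}

def gdb_unescape(text: str) -> bytes:
    """Turn gdb's quoted-string notation (\\r, \\n, \\337, ...) back into the raw bytes."""
    out, i = bytearray(), 0
    while i < len(text):
        c = text[i]
        i += 1
        if c != "\\":
            out.append(ord(c))              # gdb prints bytes >= 0x80 as \NNN, so this is ASCII
            continue
        if i == len(text):
            raise ValueError("dangling backslash")
        if text[i] in "01234567":           # one to three octal digits
            j = i
            while j < len(text) and j - i < 3 and text[j] in "01234567":
                j += 1
            out.append(int(text[i:j], 8) & 0xFF)
            i = j
        elif text[i] in _GDB_SIMPLE:
            out.append(_GDB_SIMPLE[text[i]])
            i += 1
        else:
            raise ValueError(f"unknown escape \\{text[i]}")
    return bytes(out)

# The buf dump from the mail above (archive's " at " restored to "@"; no space between the
# From display name and its closing quote). Decoded, this is exactly the 367 bytes gdb
# reported as len in frame #11. Example data, copied from the report, not captured here.
GDB_DUMP = (
    r"SIP/2.0 487 Request Terminated\r\n"
    r"From: \"881237046977\"<sip:881237046977@79.170.68.185;user=phone>;tag=B7jgc8jQ4m5pB\r\n"
    r"To: <sip:5926053324@79.170.68.186:5060>;tag=e0d50be-13c4-58d47cba-a2ed9808-36fa\r\n"
    r"l\337K\016\213\347: \344\003\r\n"
    r"CSeq: 104824272 INVITE\r\n"
    r"Via: SIP/2.0/UDP L\263\264\016\020?\337\v\234\262\264\016 ;branch=\327\f\340\r\n"
    r"Via: SIP/2.0/UDP \020?\337\v\234\262\264\016 :5080;received=;rport=5080"
    r";branch=\020?\337\v\234\262\264\016 \r\n"
    r"Content-Length: 0\r\n\r\n"
)
MSG = gdb_unescape(GDB_DUMP)

_TOKEN = re.compile(rb"[A-Za-z0-9.!%*_+`'~-]+")                     # RFC 3261 token (header names)
_HOST = re.compile(rb"\A[A-Za-z0-9.-]+\Z|\A\[[0-9A-Fa-f:.]+\]\Z")   # hostname/IPv4 or [IPv6]; loose

def parse_sip(msg: bytes) -> Tuple[bytes, List[Tuple[bytes, bytes]]]:
    """Split a message into its start line and (lower-cased name, value) header pairs."""
    lines = msg.partition(b"\r\n\r\n")[0].split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip(b" \t").lower(), value.strip(b" \t")))
    return lines[0], headers

def parse_via(value: bytes) -> Dict:
    """Lenient Via parser: 'SIP/2.0/UDP host[:port](;param[=value])*'."""
    proto, _, rest = value.partition(b" ")
    sent_by, *params = rest.split(b";")
    host, _, port = sent_by.strip(b" \t").partition(b":")
    parsed = {}
    for p in params:
        k, _, v = p.partition(b"=")
        parsed[k.strip(b" \t").lower()] = v.strip(b" \t")
    return {"proto": proto, "host": host.strip(b" \t"), "port": port.strip(b" \t"), "params": parsed}

def response_target(via: Dict) -> Optional[bytes]:
    """Where a response to this Via goes per RFC 3261 18.2.2: maddr, else received, else the
    sent-by host. Returns None for an empty or non-hostname value instead of passing it on."""
    params = via["params"]
    target = params.get(b"maddr", params.get(b"received", via["host"]))
    return target if target and _HOST.match(target) else None

def check_response(msg: bytes) -> List[str]:
    """List what a proxy would trip over before forwarding this response."""
    _, headers = parse_sip(msg)
    names = [n for n, _ in headers]
    findings = [f"missing {label} header" for name, label in
                ((b"via", "Via"), (b"cseq", "CSeq"), (b"call-id", "Call-ID")) if name not in names]
    findings += [f"header name is not a token: {n!r}" for n in names if not _TOKEN.fullmatch(n)]
    for i, via in enumerate(parse_via(v) for n, v in headers if n == b"via"):
        if response_target(via) is None:
            findings.append(f"Via #{i + 1}: unusable response target host={via['host']!r} "
                            f"received={via['params'].get(b'received')!r}")
    return findings

if __name__ == "__main__":
    print(f"{len(MSG)} bytes on the wire")
    for finding in check_response(MSG):
        print(" -", finding)
```

Run as-is it prints the byte count and four findings: no Call-ID header (the line where one would sit is the binary garbage `l\337K\016\213\347: \344\003`, whose name is not even a token), and neither Via yields a response destination: the first has no hostname at all and the second carries an empty `received=`, which is consistent with the resolver being entered with an empty name as the backtrace shows. To replay the datagram against a lab instance, `socket.sendto(MSG, (proxy, 5060))` from the standard library is all that is needed; the 367-byte match against gdb's len is the check that the decode is faithful.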


