[sr-dev] [kamailio/kamailio] Crash in topoh module (#1735)

Alexandru Pirvulescu notifications at github.com
Thu Nov 22 18:53:27 CET 2018



### Description

We have multiple SIP trunks aggregated in a Kamailio router. One of them misbehaves in a way that I fail to see and it crashes our Kamailio.
The conversation that triggers this bug is attached below.

### Troubleshooting

#### Reproduction

#### Debugging Data


```
(gdb) bt full
#0  0x00007ff687ef2571 in th_add_via_cookie (msg=0x7ffe78aa3700, via=0x0) at th_msg.c:944
        l = 0x7ff6b355d910
        viap = 2024421120
        out = {s = 0x7ff6b3591ff0 "TH: uch\r\n", len = 9}
        __func__ = "th_add_via_cookie"
#1  0x00007ff687ef4042 in th_add_cookie (msg=0x7ffe78aa3700) at th_msg.c:1049
No locals.
#2  0x00007ff687efcc90 in th_msg_received (evp=0x7ffe78aa3f60) at topoh_mod.c:381
        msg = {id = 0, pid = 0, tval = {tv_sec = 0, tv_usec = 0}, fwd_send_flags = {f = 0, blst_imask = 0}, rpl_send_flags = {f = 0, blst_imask = 0},
          first_line = {type = 2, flags = 1, len = 16, u = {request = {method = {
                  s = 0xa595a0 <buf> "SIP/2.0 200 OK\r\nFrom: \"+XXXXXXXXXXX\" <sip:+XXXXXXXXXXX at 10.0.120.171>;tag=as2a229f1f\r\nTo: \"+1YYYYYYYYYYY\" <sip:+1YYYYYYYYYYY at 67.221.12.64>;tag=b6fefaafes\r\nCall-ID: 1acc23323a2c9d187927a6276fa49ebe at 10.0.120.171:5060\r\nCSeq: 102 CANCEL\r\nServer: Brekeke SIP Server rev.286.3\r\nRecord-Route: <sip:aaa.bbb.ccc.ddd;lr;ftag=as2a229f1f;did=2b8.c3c1;nat=yes;vsf=", 'A' <repeats 39 times>, "-;vst=AAAAABtUBFEDVwABAwwMXXkCDhcCUAUfBlEXVVE4ZWFmZTc5OUAxMC4xMjguMC4xNA-->\r\nContent-Length: 0\r\n\r\n", len = 7}, uri = {
                  s = 0xa595a8 <buf+8> "200 OK\r\nFrom: \"+XXXXXXXXXXX\" <sip:+XXXXXXXXXXX at 10.0.120.171>;tag=as2a229f1f\r\nTo: \"+1YYYYYYYYYYY\" <sip:+1YYYYYYYYYYY at 67.221.12.64>;tag=b6fefaafes\r\nCall-ID: 1acc23323a2c9d187927a6276fa49ebe at 10.0.120.171:5060\r\nCSeq: 102 CANCEL\r\nServer: Brekeke SIP Server rev.286.3\r\nRecord-Route: <sip:aaa.bbb.ccc.ddd;lr;ftag=as2a229f1f;did=2b8.c3c1;nat=yes;vsf=", 'A' <repeats 39 times>, "-;vst=AAAAABtUBFEDVwABAwwMXXkCDhcCUAUfBlEXVVE4ZWFmZTc5OUAxMC4xMjguMC4xNA-->\r\nContent-Length: 0\r\n\r\n", len = 3}, version = {
                  s = 0xa595ac <buf+12> "OK\r\nFrom: \"+XXXXXXXXXXX\" <sip:+XXXXXXXXXXX at 10.0.120.171>;tag=as2a229f1f\r\nTo: \"+1YYYYYYYYYYY\" <sip:+1YYYYYYYYYYY at 67.221.12.64>;tag=b6fefaafes\r\nCall-ID: 1acc23323a2c9d187927a6276fa49ebe at 10.0.120.171:5060\r\nCSeq: 102 CANCEL\r\nServer: Brekeke SIP Server rev.286.3\r\nRecord-Route: <sip:aaa.bbb.ccc.ddd;lr;ftag=as2a229f1f;did=2b8.c3c1;nat=yes;vsf=", 'A' <repeats 39 times>, "-;vst=AAAAABtUBFEDVwABAwwMXXkCDhcCUAUfBlEXVVE4ZWFmZTc5OUAxMC4xMjguMC4xNA-->\r\nContent-Length: 0\r\n\r\n", len = 2}, method_value = 200}, reply = {version = {
                  s = 0xa595a0 <buf> "SIP/2.0 200 OK\r\nFrom: \"+XXXXXXXXXXX\" <sip:+XXXXXXXXXXX at 10.0.120.171>;tag=as2a229f1f\r\nTo: \"+1YYYYYYYYYYY\" <sip:+1YYYYYYYYYYY at 67.221.12.64>;tag=b6fefaafes\r\nCall-ID: 1acc23323a2c9d187927a6276fa49ebe at 10.0.120.171:5060\r\nCSeq: 102 CANCEL\r\nServer: Brekeke SIP Server rev.286.3\r\nRecord-Route: <sip:aaa.bbb.ccc.ddd;lr;ftag=as2a229f1f;did=2b8.c3c1;nat=yes;vsf=", 'A' <repeats 39 times>, "-;vst=AAAAABtUBFEDVwABAwwMXXkCDhcCUAUfBlEXVVE4ZWFmZTc5OUAxMC4xMjguMC4xNA-->\r\nContent-Length: 0\r\n\r\n", len = 7}, status = {
                  s = 0xa595a8 <buf+8> "200 OK\r\nFrom: \"+XXXXXXXXXXX\" <sip:+XXXXXXXXXXX at 10.0.120.171>;tag=as2a229f1f\r\nTo: \"+1YYYYYYYYYYY\" <sip:+1YYYYYYYYYYY at 67.221.12.64>;tag=b6fefaafes\r\nCall-ID: 1acc23323a2c9d187927a6276fa49ebe at 10.0.120.171:5060\r\nCSeq: 102 CANCEL\r\nServer: Brekeke SIP Server rev.286.3\r\nRecord-Route: <sip:aaa.bbb.ccc.ddd;lr;ftag=as2a229f1f;did=2b8.c3c1;nat=yes;vsf=", 'A' <repeats 39 times>, "-;vst=AAAAABtUBFEDVwABAwwMXXkCDhcCUAUfBlEXVVE4ZWFmZTc5OUAxMC4xMjguMC4xNA-->\r\nContent-Length: 0\r\n\r\n", len = 3}, reason = {
                  s = 0xa595ac <buf+12> "OK\r\nFrom: \"+XXXXXXXXXXX\" <sip:+XXXXXXXXXXX at 10.0.120.171>;tag=as2a229f1f\r\nTo: \"+1YYYYYYYYYYY\" <sip:+1YYYYYYYYYYY at 67.221.12.64>;tag=b6fefaafes\r\nCall-ID: 1acc23323a2c9d187927a6276fa49ebe at 10.0.120.171:5060\r\nCSeq: 102 CANCEL\r\nServer: Brekeke SIP Server rev.286.3\r\nRecord-Route: <sip:aaa.bbb.ccc.ddd;lr;ftag=as2a229f1f;did=2b8.c3c1;nat=yes;vsf=", 'A' <repeats 39 times>, "-;vst=AAAAABtUBFEDVwABAwwMXXkCDhcCUAUfBlEXVVE4ZWFmZTc5OUAxMC4xMjguMC4xNA-->\r\nContent-Length: 0\r\n\r\n", len = 2}, statuscode = 200}}}, via1 = 0x0, via2 = 0x0, headers = 0x7ff6b3563dd0, last_header = 0x7ff6b3564e68,
          parsed_flag = 18446744073709551615, h_via1 = 0x0, h_via2 = 0x0, callid = 0x7ff6b3591ba0, to = 0x7ff6b355dc90, cseq = 0x7ff6b355d280,
          from = 0x7ff6b3563dd0, contact = 0x0, maxforwards = 0x0, route = 0x0, record_route = 0x7ff6b355c8f8, content_type = 0x0,
          content_length = 0x7ff6b3564e68, authorization = 0x0, expires = 0x0, proxy_auth = 0x0, supported = 0x0, require = 0x0, proxy_require = 0x0,
          unsupported = 0x0, allow = 0x0, event = 0x0, accept = 0x0, accept_language = 0x0, organization = 0x0, priority = 0x0, subject = 0x0,
          user_agent = 0x0, server = 0x7ff6b355d328, content_disposition = 0x0, diversion = 0x0, rpid = 0x0, refer_to = 0x0, session_expires = 0x0,
          min_se = 0x0, sipifmatch = 0x0, subscription_state = 0x0, date = 0x0, identity = 0x0, identity_info = 0x0, pai = 0x0, ppi = 0x0, path = 0x0,
          privacy = 0x0, min_expires = 0x0, body = 0x0, eoh = 0xa59783 <buf+483> "\r\n", unparsed = 0xa59783 <buf+483> "\r\n", rcv = {src_ip = {af = 0,
              len = 0, u = {addrl = {0, 0}, addr32 = {0, 0, 0, 0}, addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, addr = '\000' <repeats 15 times>}}, dst_ip = {af = 0,
              len = 0, u = {addrl = {0, 0}, addr32 = {0, 0, 0, 0}, addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, addr = '\000' <repeats 15 times>}}, src_port = 0,
            dst_port = 0, proto_reserved1 = 0, proto_reserved2 = 0, src_su = {s = {sa_family = 0, sa_data = '\000' <repeats 13 times>}, sin = {sin_family = 0,
                sin_port = 0, sin_addr = {s_addr = 0}, sin_zero = "\000\000\000\000\000\000\000"}, sin6 = {sin6_family = 0, sin6_port = 0, sin6_flowinfo = 0,
                sin6_addr = {__in6_u = {__u6_addr8 = '\000' <repeats 15 times>, __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {0, 0, 0, 0}}},
                sin6_scope_id = 0}}, bind_address = 0x0, proto = 0 '\000'},
          buf = 0xa595a0 <buf> "SIP/2.0 200 OK\r\nFrom: \"+XXXXXXXXXXX\" <sip:+XXXXXXXXXXX at 10.0.120.171>;tag=as2a229f1f\r\nTo: \"+1YYYYYYYYYYY\" <sip:+1YYYYYYYYYYY at 67.221.12.64>;tag=b6fefaafes\r\nCall-ID: 1acc23323a2c9d187927a6276fa49ebe at 10.0.120.171:5060\r\nCSeq: 102 CANCEL\r\nServer: Brekeke SIP Server rev.286.3\r\nRecord-Route: <sip:aaa.bbb.ccc.ddd;lr;ftag=as2a229f1f;did=2b8.c3c1;nat=yes;vsf=", 'A' <repeats 39 times>, "-;vst=AAAAABtUBFEDVwABAwwMXXkCDhcCUAUfBlEXVVE4ZWFmZTc5OUAxMC4xMjguMC4xNA-->\r\nContent-Length: 0\r\n\r\n", len = 485, new_uri = {s = 0x0, len = 0}, dst_uri = {s = 0x0, len = 0}, parsed_uri_ok = 0, parsed_uri = {
            user = {s = 0x0, len = 0}, passwd = {s = 0x0, len = 0}, host = {s = 0x0, len = 0}, port = {s = 0x0, len = 0}, params = {s = 0x0, len = 0},
            sip_params = {s = 0x0, len = 0}, headers = {s = 0x0, len = 0}, port_no = 0, proto = 0, type = ERROR_URI_T, flags = (unknown: 0), transport = {
              s = 0x0, len = 0}, ttl = {s = 0x0, len = 0}, user_param = {s = 0x0, len = 0}, maddr = {s = 0x0, len = 0}, method = {s = 0x0, len = 0}, lr = {
              s = 0x0, len = 0}, r2 = {s = 0x0, len = 0}, gr = {s = 0x0, len = 0}, transport_val = {s = 0x0, len = 0}, ttl_val = {s = 0x0, len = 0},
            user_param_val = {s = 0x0, len = 0}, maddr_val = {s = 0x0, len = 0}, method_val = {s = 0x0, len = 0}, lr_val = {s = 0x0, len = 0}, r2_val = {
              s = 0x0, len = 0}, gr_val = {s = 0x0, len = 0}}, parsed_orig_ruri_ok = 0, parsed_orig_ruri = {user = {s = 0x0, len = 0}, passwd = {s = 0x0,
              len = 0}, host = {s = 0x0, len = 0}, port = {s = 0x0, len = 0}, params = {s = 0x0, len = 0}, sip_params = {s = 0x0, len = 0}, headers = {
              s = 0x0, len = 0}, port_no = 0, proto = 0, type = ERROR_URI_T, flags = (unknown: 0), transport = {s = 0x0, len = 0}, ttl = {s = 0x0, len = 0},
            user_param = {s = 0x0, len = 0}, maddr = {s = 0x0, len = 0}, method = {s = 0x0, len = 0}, lr = {s = 0x0, len = 0}, r2 = {s = 0x0, len = 0}, gr = {
              s = 0x0, len = 0}, transport_val = {s = 0x0, len = 0}, ttl_val = {s = 0x0, len = 0}, user_param_val = {s = 0x0, len = 0}, maddr_val = {s = 0x0,
              len = 0}, method_val = {s = 0x0, len = 0}, lr_val = {s = 0x0, len = 0}, r2_val = {s = 0x0, len = 0}, gr_val = {s = 0x0, len = 0}},
          add_rm = 0x7ff6b355d910, body_lumps = 0x0, reply_lump = 0x0, add_to_branch_s = '\000' <repeats 57 times>, add_to_branch_len = 0, hash_index = 0,
          msg_flags = 0, flags = 0, set_global_address = {s = 0x0, len = 0}, set_global_port = {s = 0x0, len = 0}, force_send_socket = 0x0, path_vec = {
            s = 0x0, len = 0}, instance = {s = 0x0, len = 0}, reg_id = 0, ruid = {s = 0x0, len = 0}, location_ua = {s = 0x0, len = 0}, ldv = {flow = {
              decoded = 0, rcv = {src_ip = {af = 0, len = 0, u = {addrl = {0, 0}, addr32 = {0, 0, 0, 0}, addr16 = {0, 0, 0, 0, 0, 0, 0, 0},
                    addr = '\000' <repeats 15 times>}}, dst_ip = {af = 0, len = 0, u = {addrl = {0, 0}, addr32 = {0, 0, 0, 0}, addr16 = {0, 0, 0, 0, 0, 0, 0,
                      0}, addr = '\000' <repeats 15 times>}}, src_port = 0, dst_port = 0, proto_reserved1 = 0, proto_reserved2 = 0, src_su = {s = {
                    sa_family = 0, sa_data = '\000' <repeats 13 times>}, sin = {sin_family = 0, sin_port = 0, sin_addr = {s_addr = 0},
                    sin_zero = "\000\000\000\000\000\000\000"}, sin6 = {sin6_family = 0, sin6_port = 0, sin6_flowinfo = 0, sin6_addr = {__in6_u = {
                        __u6_addr8 = '\000' <repeats 15 times>, __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {0, 0, 0, 0}}}, sin6_scope_id = 0}},
                bind_address = 0x0, proto = 0 '\000'}}}}
        obuf = 0x7ffe78aa3f50
        nbuf = 0x0
        direction = 0
        dialog = 0
        __func__ = "th_msg_received"
#3  0x0000000000587656 in sr_event_exec (type=1, evp=0x7ffe78aa3f60) at core/events.c:211
        ret = 0
        i = 0
#4  0x000000000058aa74 in receive_msg (
    buf=0xa595a0 <buf> "SIP/2.0 200 OK\r\nFrom: \"+XXXXXXXXXXX\" <sip:+XXXXXXXXXXX at 10.0.120.171>;tag=as2a229f1f\r\nTo: \"+1YYYYYYYYYYY\" <sip:+1YYYYYYYYYYY at 67.221.12.64>;tag=b6fefaafes\r\nCall-ID: 1acc23323a2c9d187927a6276fa49ebe at 10.0.120.171:5060\r\nCSeq: 102 CANCEL\r\nServer: Brekeke SIP Server rev.286.3\r\nRecord-Route: <sip:aaa.bbb.ccc.ddd;lr;ftag=as2a229f1f;did=2b8.c3c1;nat=yes;vsf=", 'A' <repeats 39 times>, "-;vst=AAAAABtUBFEDVwABAwwMXXkCDhcCUAUfBlEXVVE4ZWFmZTc5OUAxMC4xMjguMC4xNA-->\r\nContent-Length: 0\r\n\r\n", len=485, rcv_info=0x7ffe78aa4150) at core/receive.c:157
        msg = 0x7ff6b35bce60
        ctx = {rec_lev = -1900292352, run_flags = 32758, last_retcode = 1, jmp_env = {{__jmpbuf = {0, 0, -4294967296, -1, 0, 0, 5889493309647038041,
                4517398388897088679}, __mask_was_saved = 0, __saved_mask = {__val = {0, 50195, 0, 1, 140696991361384, 50195, 3008780760, 6319390832,
                  140696991361384, 140730922844272, 4879653, 122, 4879789, 140697547463128, 140697547463128, 140730922844336}}}}}
        bctx = 0x0
        ret = 32766
        stats_on = 0
        tvb = {tv_sec = 0, tv_usec = 0}
        tve = {tv_sec = 0, tv_usec = 1099511627775}
        tz = {tz_minuteswest = 0, tz_dsttime = 0}
        diff = 0
        inb = {
          s = 0xa595a0 <buf> "SIP/2.0 200 OK\r\nFrom: \"+XXXXXXXXXXX\" <sip:+XXXXXXXXXXX at 10.0.120.171>;tag=as2a229f1f\r\nTo: \"+1YYYYYYYYYYY\" <sip:+1YYYYYYYYYYY at 67.221.12.64>;tag=b6fefaafes\r\nCall-ID: 1acc23323a2c9d187927a6276fa49ebe at 10.0.120.171:5060\r\nCSeq: 102 CANCEL\r\nServer: Brekeke SIP Server rev.286.3\r\nRecord-Route: <sip:aaa.bbb.ccc.ddd;lr;ftag=as2a229f1f;did=2b8.c3c1;nat=yes;vsf=", 'A' <repeats 39 times>, "-;vst=AAAAABtUBFEDVwABAwwMXXkCDhcCUAUfBlEXVVE4ZWFmZTc5OUAxMC4xMjguMC4xNA-->\r\nContent-Length: 0\r\n\r\n", len = 485}
        netinfo = {data = {s = 0x51bbaef6148d2659 <error: Cannot access memory at address 0x51bbaef6148d2659>, len = -2027813721}, rcv = 0x0, dst = 0x0}
        keng = 0x0
        evp = {data = 0x7ffe78aa3f50, rcv = 0x7ffe78aa4150, dst = 0x0}
        errsipmsg = 0
        __func__ = "receive_msg"
#5  0x00000000004af6b1 in udp_rcv_loop () at core/udp_server.c:554
        len = 485
        buf = "SIP/2.0 200 OK\r\nFrom: \"+XXXXXXXXXXX\" <sip:+XXXXXXXXXXX at 10.0.120.171>;tag=as2a229f1f\r\nTo: \"+1YYYYYYYYYYY\" <sip:+1YYYYYYYYYYY at 67.221.12.64>;tag=b6fefaafes\r\nCall-ID: 1acc23323a2c9d187927a6276fa49ebe at 10.0.120.171:5060\r\nCSeq: 102 CANCEL\r\nServer: Brekeke SIP Server rev.286.3\r\nRecord-Route: <sip:aaa.bbb.ccc.ddd;lr;ftag=as2a229f1f;did=2b8.c3c1;nat=yes;vsf=", 'A' <repeats 39 times>, "-;vst=AAAAABtUBFEDVwABAwwMXXkCDhcCUAUfBlEXVVE4ZWFmZTc5OUAxMC4xMjguMC4xNA-->\r\nContent-Length: 0\r\n\r\n\000\065\061\064\063\064\066\065\066\065\062\" <sip:+15143465652 at aaa.bbb.ccc.ddd>;tag=36DHD9eX6S4Xp\r\nCall-ID: 2a0cca3363b688be697749bc7fdadb86 at 10.0.109.150:5060\r\nCSeq: 102 INVITE\r\nContact: <sip:+15143465652 at aaa.bbb.ccc.ddd:5060;transport=udp>\r\nUser-Agent: DNL-Switch\r\nAllow: INVITE, ACK, BYE, CANCEL, OPTIONS, INFO, REGISTER\r\nContent-Type: application/sdp\r\nContent-Length: 172\r\nTH: uch\r\n\r\nv=0\r\no=- 1014311547 1014311547 IN IP4 aaa.bbb.ccc.ddd\r\ns=DNL-SWITCH\r\nc=IN IP4 aaa.bbb.ccc.ddd\r\nt=0 0\r\nm=audio 36180 RTP/AVP 0 101\r\na=rtpmap:101 telephone-event/8000\r\na=ptime:20\r\n\000\070\060 RTP/AVP 0 101\r\na=rtpmap:101 telephone-event/8000\r\na=ptime:20\r\n\000\060\r\na=fmtp:101 0-15\r\na=ptime:20\r\n\000sSIP-GW-UserAgent 4613 1015 IN IP4 aaa.bbb.ccc.ddd\r\ns=SIP Call\r\nc=IN IP4 aaa.bbb.ccc.ddd\r\nt=0 0\r\nm=audio 18288 RTP/AVP 0 101\r\nc=IN IP4 aaa.bbb.ccc.ddd\r\na=rtpmap:0 PCMU/8000\r\na=rtpmap:101 telephone-event/8000\r\na=fmtp:101 0-16\r\na=ptime:20\r\n\000\na=rtpmap:101 telephone-event/8000\r\na=fmtp:101 0-16\r\na=ptime:20\r\n\000:20\r\n\000: 0\r\n\r\n\000+18557772026 at 10.0.102.166:5060>\r\nContent-Length: 0\r\n\r\n\000\062.214\r\nt=0 0\r\nm=audio 40504 RTP/AVP 0 101\r\na=rtpmap:0 PCMU/8000\r\na=rtpmap:101 telephone-event/8000\r\na=ptime:20\r\n\000pmap:0 PCMU/8000\r\na=rtpmap:101 telephone-event/8000\r\na=ptime:20\r\n", '\000' <repeats 63877 times>
        tmp = 0x7ff69261039c "<"
        from = 0x7ff6b35659d8
        fromlen = 16
        ri = {src_ip = {af = 2, len = 4, u = {addrl = {125628636483, 128853312352}, addr32 = {1074584899, 29, 4293472, 30}, addr16 = {56643, 16396, 29, 0,
                33632, 65, 30, 0}, addr = "C\335\f@\035\000\000\000`\203A\000\036\000\000"}}, dst_ip = {af = 2, len = 4, u = {addrl = {234913802, 0},
              addr32 = {234913802, 0, 0, 0}, addr16 = {32778, 3584, 0, 0, 0, 0, 0, 0}, addr = "\n\200\000\016", '\000' <repeats 11 times>}}, src_port = 5060,
          dst_port = 5060, proto_reserved1 = 0, proto_reserved2 = 0, src_su = {s = {sa_family = 2, sa_data = "\023\304C\335\f@\000\000\000\000\000\000\000"},
            sin = {sin_family = 2, sin_port = 50195, sin_addr = {s_addr = 1074584899}, sin_zero = "\000\000\000\000\000\000\000"}, sin6 = {sin6_family = 2,
              sin6_port = 50195, sin6_flowinfo = 1074584899, sin6_addr = {__in6_u = {__u6_addr8 = '\000' <repeats 15 times>, __u6_addr16 = {0, 0, 0, 0, 0, 0,
                    0, 0}, __u6_addr32 = {0, 0, 0, 0}}}, sin6_scope_id = 0}}, bind_address = 0x7ff6b34e54a8, proto = 1 '\001'}
        evp = {data = 0x0, rcv = 0x0, dst = 0x0}
        printbuf = "\001\200\255\373\377\377\377\377\240D\252x\376\177\000\000\240D\252x\376\177\000\000\240D\252x\376\177\000\000\240D\252x\035\000\000\000`\023P\263\366\177\000\000\037E\252x\376\177\000\000\240D\252x\376\177\000\000\037E\252x\376\177\000\000\234\003a\222\366\177\000\000`\203A\000\000\000\000\000\000H\252x\376\177", '\000' <repeats 18 times>, "\260B\252x\376\177\000\000\034\024U\000\000\000\000\000\000\000\377\377\377\377\377\377", '\000' <repeats 24 times>, "\377\377\377\377\035\000\000\000PEP\263\366\177", '\000' <repeats 18 times>, "\377\377\377\377\366\256\273Q\234\003a\222\366\177\000\000`\203A\000\000\000\000\000\000H\252x\376\177", '\000' <repeats 18 times>, "\060C\252x\376\177\000\000\034\024U\000\000\000\000\000 C\252x\376\177\000\000\231\224p\000\000\000\000\000\000\000\000\000\001\000\000\000\240\006\261\000\035\000\000\000\070\230\001\264\035\000\000\000XVP\263\366\177\000\000\272E\252Y\231\033f\265gRW\262\222\344\017ߠp\334fu\036\\\270\234\003a\222\366\177\000\000`\203A\000\000\000\000\000\000H\252x\376\177", '\000' <repeats 18 times>, "PC\252x\376\177\000\000\350\032U\000\000\000\000\000`\203A\000\000\000\000\000#\311ȳ\035\000\000\000\000D\252x\376\177\000\000\t\312L\000\000\000\000\000(VN\263\366\177\000\000h\350Y\263\366\177\000\000\000\004\000\000\000\000\000\000\020\020E\263\366\177\000\000\240D\252x\376\177\000\000\001\000\000\000\035\000\000\000`/w\000\000\000\000\000\377\377\377\377", '\000' <repeats 12 times>, "\035\000\000\000\256\250\334\036&H4B\000\000\000\000\200\000\000\000\000\000\000"
        i = -1914504396
        j = 32758
        l = 29
        __func__ = "udp_rcv_loop"
#6  0x00000000004246ac in main_loop () at main.c:1619
        i = 28
        pid = 0
        si = 0x7ff6b34e54a8
        si_desc = "udp receiver child=28 sock=10.128.0.14:5060 (aaa.bbb.ccc.ddd:5060)\000\020\000\000\000\000\330\065\213^\000\000\000\000`\203A\000\000\000\000\000\000H\252x\376\177", '\000' <repeats 18 times>, "@E\252x\376\177\000\000\026U`\000\000\000\000"
        nrprocs = 48
        woneinit = 1
        __func__ = "main_loop"
#7  0x000000000042bd5c in main (argc=14, argv=0x7ffe78aa4808) at main.c:2638
        cfg_stream = 0x262e010
        c = -1
        r = 0
        tmp = 0x7ffe78aa72e6 ""
        tmp_len = 2024425184
        port = 32766
        proto = 2024425280
        options = 0x75b068 ":f:cm:M:dVIhEeb:l:L:n:vKrRDTN:W:w:t:u:g:P:G:SQ:O:a:A:x:X:Y:"
        ret = -1
        seed = 5751405
        rfd = 4
        debug_save = 0
        debug_flag = 0
        dont_fork_cnt = 2
        n_lst = 0xff000000ff
        p = 0x0
        st = {st_dev = 2049, st_ino = 526460, st_nlink = 2, st_mode = 16895, st_uid = 105, st_gid = 107, __pad0 = 0, st_rdev = 0, st_size = 4096,
          st_blksize = 4096, st_blocks = 8, st_atim = {tv_sec = 1542886086, tv_nsec = 491654505}, st_mtim = {tv_sec = 1542886085, tv_nsec = 707593588},
          st_ctim = {tv_sec = 1542886089, tv_nsec = 723905628}, __glibc_reserved = {0, 0, 0}}
        __func__ = "main"

```

It looks like `th_add_via_cookie` doesn't check if its second parameter, `via`, is `NULL` and it segfaults.

Here's the link to the code for convenience.

https://github.com/kamailio/kamailio/blob/951df23f8ab9f4428e143949f1e580f76b4d8fc9/src/modules/topoh/th_msg.c#L938-L944


#### Log Messages

```
 0(1) ALERT: <core> [main.c:738]: handle_sigs(): child process 60 exited by a signal 11
 0(1) ALERT: <core> [main.c:741]: handle_sigs(): core was generated
 0(1) INFO: <core> [main.c:764]: handle_sigs(): terminating due to SIGCHLD
 1(32) INFO: <core> [main.c:819]: sig_usr(): signal 15 received
 3(34) INFO: <core> [main.c:819]: sig_usr(): signal 15 received
 2(33) INFO: <core> [main.c:819]: sig_usr(): signal 15 received
 4(35) INFO: <core> [main.c:819]: sig_usr(): signal 15 received
52(83) INFO: <core> [main.c:819]: sig_usr(): signal 15 received
.....
 0(1) INFO: <core> [core/sctp_core.c:53]: sctp_core_destroy(): SCTP API not initialized
```

#### SIP Traffic

[HOMER5-10.128.0.14-0e6a7c51199e94990b417c9ce8eafe799-11_22_2018 19_25_32.txt](https://github.com/kamailio/kamailio/files/2608987/HOMER5-10.128.0.14-0e6a7c51199e94990b417c9ce8eafe799-11_22_2018.19_25_32.txt)

### Possible Solutions

Enabling sanity checks for topoh module does not fix it.

### Additional Information

  * **Kamailio Version** - output of `kamailio -v`

```
version: kamailio 5.1.6 (x86_64/linux)
flags: STATS: Off, USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MEM, SHM_MMAP, PKG_MALLOC, Q_MALLOC, F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLACKLIST, HAVE_RESOLV_RES
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144 MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
id: unknown
compiled with gcc 5.3.1
```

* **Operating System**:

```
Linux ************** 4.15.0-1015-gcp #15~16.04.1-Ubuntu SMP Thu Jul 26 20:37:01 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
```

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/1735
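
The condition reported above (a reply with no Via header reaching a routine that dereferences `via`), as an added example that is not part of the original report and is not Kamailio's code. The types, function names, cookie value and both sample replies are constructed for illustration; only the long-form `Via:` header name is recognised.

```c
#include <string.h>
#include <strings.h>

enum { COOKIE_ADDED = 0, COOKIE_NO_VIA = -1, COOKIE_NO_SPACE = -2 };

/* Simplified stand-in for a parsed Via header (hypothetical, not Kamailio's type). */
struct via_model { const char *body; size_t len; };

/* Constructed reply shaped like the one in the backtrace: it has no Via header. */
static const char REPLY_NO_VIA[] =
    "SIP/2.0 200 OK\r\n"
    "From: <sip:alice@example.invalid>;tag=a1\r\n"
    "CSeq: 102 CANCEL\r\n\r\n";

/* Constructed well-formed reply for comparison. */
static const char REPLY_WITH_VIA[] =
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKconstructed\r\n"
    "CSeq: 102 CANCEL\r\n\r\n";

/* Find the first "Via:" header (long form only). Returns 1 if found, else 0. */
static int find_first_via(const char *msg, struct via_model *out)
{
    const char *line = strstr(msg, "\r\n");       /* end of the start line */
    while (line != NULL) {
        line += 2;                                /* first byte of the next line */
        const char *eol = strstr(line, "\r\n");
        if (eol == NULL || eol == line)
            break;                                /* truncated, or blank line ending headers */
        if (eol - line >= 4 && strncasecmp(line, "Via:", 4) == 0) {
            out->body = line + 4;
            while (out->body < eol && *out->body == ' ')
                out->body++;
            out->len = (size_t)(eol - out->body);
            return 1;
        }
        line = eol;
    }
    return 0;
}

/* Copy the Via body into dst and append ";<ck>". A missing Via is an error code, not a crash. */
static int add_via_cookie(const struct via_model *via, const char *ck, char *dst, size_t n)
{
    if (via == NULL || via->body == NULL)
        return COOKIE_NO_VIA;                     /* the check the report says is missing */
    size_t clen = strlen(ck);
    if (via->len + 1 + clen + 1 > n)
        return COOKIE_NO_SPACE;
    memcpy(dst, via->body, via->len);
    dst[via->len] = ';';
    memcpy(dst + via->len + 1, ck, clen + 1);     /* copies the terminating NUL too */
    return COOKIE_ADDED;
}

/* Receive-path wrapper: hands NULL to the cookie routine when no Via was parsed. */
int process_reply(const char *raw, char *dst, size_t n)
{
    struct via_model via;
    const struct via_model *viap = find_first_via(raw, &via) ? &via : NULL;
    return add_via_cookie(viap, "ck=constructed", dst, n);
}

int main(void) { char o[128]; return process_reply(REPLY_NO_VIA, o, sizeof o) != COOKIE_NO_VIA
                                  || process_reply(REPLY_WITH_VIA, o, sizeof o) != COOKIE_ADDED; }
```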