[sr-dev] [kamailio/kamailio] Kamailio crashes on NAPTR lookup (#1680)

Joonas Keskitalo notifications at github.com
Thu Oct 18 12:49:48 CEST 2018


### Description

Kamailio crashes when running `dns.lookup NAPTR <x>` in kamcmd. The same NAPTR record can be resolved from the nameservers with the `dig` command on the same server:

```
# dig NAPTR sip.example.com +short
102 50 "s" "SIP+D2T" "" _sip._tcp.sip.example.com.
100 50 "s" "SIP+D2U" "" _sip._udp.sip.example.com.
```
Here is what happens when kamcmd is used:
```
kamcmd> dns.lookup NAPTR sip.example.com
ERROR: read reply failed: Success (0)
```
All other lookups (A, SRV, etc.) seem to work normally.

### Troubleshooting

#### Reproduction

This problem occurs every time I try to resolve any NAPTR record. It does not matter whether the record exists in the nameserver. I have tried multiple nameservers, but the problem occurs with all of them.

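#### Debugging Data

In the backtrace below, frame #1 shows `rpc_struct_add` called with format `"s"` for the `rr_preference` member while the stored value is `0x32` (decimal 50, the NAPTR preference that `dig` reports), and `strlen` then faults on that address. This suggests that an integer is being passed where a string pointer is expected at `core/dns_cache.c:3885`.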

```
(gdb) bt full
#0  strlen () at ../sysdeps/x86_64/strlen.S:106
No locals.
#1  0x00007fda60ad3032 in rpc_struct_add (s=0x556138f869c0, fmt=0x556137bc63c4 "s") at binrpc_run.c:1083
        ap = {{gp_offset = 48, fp_offset = 48, overflow_arg_area = 0x7ffcfc0b4ed0, reg_save_area = 0x7ffcfc0b4de0}}
        err = 0
        avp = {name = {s = 0x556137bc63ac "rr_preference", len = 13}, type = 1, u = {strval = {
              s = 0x32 <error: Cannot access memory at address 0x32>, len = 0}, fval = 2.4703282292062327e-322, intval = 50, end = 50}}
        rs = 0x38f56c00
        __func__ = "rpc_struct_add"
#2  0x0000556137a30e43 in dns_cache_print_entry (rpc=0x7fda60d01640 <binrpc_callbacks>, ctx=0x7ffcfc0b5060, e=0x7fda5b48e1d8)
    at core/dns_cache.c:3885
        expires = 1445
        rr = 0x7fda5b48e230
        ip = {af = 32768, len = 0, u = {addrl = {32816, 512}, addr32 = {32816, 0, 512, 0}, addr16 = {32816, 0, 0, 0, 512, 0, 0, 0}, 
            addr = "0\200\000\000\000\000\000\000\000\002\000\000\000\000\000"}}
        now = 1080071524
        s = {s = 0x2300028660 <error: Cannot access memory at address 0x2300028660>, len = -66367552}
        i = 0
        n = 1
        th = 0x556138f54bb0
        rh = 0x556138f56c00
        sh = 0x556138f869c0
        ih = 0x7ffcfc0b4f90
        ah = 0x0
#3  0x0000556137a36ec8 in dns_cache_rpc_lookup (rpc=0x7fda60d01640 <binrpc_callbacks>, ctx=0x7ffcfc0b5060) at core/dns_cache.c:4712
        e = 0x7fda5b48e1d8
        name = {s = 0x556138f6e941 "sip.example.com", len = 17}
        type = {s = 0x556138f6e939 "NAPTR", len = 5}
        t = 35
        __func__ = "dns_cache_rpc_lookup"
#4  0x00007fda60ad094e in process_rpc_req (buf=0x556138f6e924 "\241\003({5\336`\221\vdns.lookup", size=47, bytes_needed=0x7ffcfc0b5224, 
    sh=0x7ffcfc0b51a0, saved_state=0x556138f7e928) at binrpc_run.c:678
        err = 0
        val = {name = {s = 0x100b8 <error: Cannot access memory at address 0x100b8>, len = 934961267}, type = 1, u = {strval = {
              s = 0x556138f6e92d "dns.lookup", len = 10}, fval = 4.6380934184454688e-310, intval = 955705645, end = 955705645}}
        rpc_e = 0x7fda636f51a0
        f_ctx = {in = {ctx = {tlen = 40, cookie = 2067127904, type = 0, flags = 1, offset = 40, in_struct = 0, in_array = 0}, 
            s = 0x556138f6e953 "", end = 0x556138f6e953 "", record_no = 2, in_struct = 0}, out = {pkt = {
              body = 0x556138f7e9b0 "\003\203cfg.add_group_inst", end = 0x556138f869b0 "", crt = 0x556138f7e9b2 "cfg.add_group_inst"}, 
            structs = {next = 0x556138f54bb0, prev = 0x556138f54bb0}}, send_h = 0x7ffcfc0b51a0, method = 0x556138f6e92d "dns.lookup", 
          gc = 0x0, replied = 0, err_code = 0, err_phrase = {s = 0x0, len = 0}}
        ctx = 0x7ffcfc0b5060
        __func__ = "process_rpc_req"
#5  0x00007fda60ac6f8a in handle_stream_read (s_c=0x556138f6e8f0, idx=-1) at io_listener.c:511
        bytes_free = 65535
        bytes_read = 47
        bytes_needed = 0
        bytes_processed = 28
        r = 0x556138f6e910
        sh = {fd = 7, type = 0, from = {sa_in = {s = {sa_family = 0, sa_data = "\000\000\002\000\000\000\001\000\000\000\000\000\000"}, 
              sin = {sin_family = 0, sin_port = 0, sin_addr = {s_addr = 2}, sin_zero = "\001\000\000\000\000\000\000"}, sin6 = {
                sin6_family = 0, sin6_port = 0, sin6_flowinfo = 2, sin6_addr = {__in6_u = {
                    __u6_addr8 = "\001", '\000' <repeats 14 times>, __u6_addr16 = {1, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {1, 0, 0, 
                      0}}}, sin6_scope_id = 0}}, sa_un = {sun_family = 0, 
              sun_path = "\000\000\002\000\000\000\001", '\000' <repeats 47 times>, "\001\000\000\000\000\000\000\000xZ\341Z\332\177", '\000' <repeats 18 times>, "@R\v\374\001\000\000\000xZ\341Z\332\177\000\000@R\v\374\374\177"}}, from_len = 0}
        __func__ = "handle_stream_read"
#6  0x00007fda60ac881d in handle_io (fm=0x7fda637b2558, events=1, idx=-1) at io_listener.c:706
        ret = 1
        __func__ = "handle_io"
#7  0x00007fda60ac05ce in io_wait_loop_epoll (h=0x7fda60cf1340 <io_h>, t=10, repeat=0) at ../../core/io_wait.h:1065
        n = 1
        r = 0
        fm = 0x7fda637b2558
        revents = 1
        __func__ = "io_wait_loop_epoll"
#8  0x00007fda60ac42d5 in io_listen_loop (fd_no=1, cs_lst=0x556138f517f0) at io_listener.c:281
        max_fd_no = 292
        poll_err = 0x0
        poll_method = 2
        cs = 0x0
        type = 2
        __func__ = "io_listen_loop"
#9  0x00007fda60adf397 in mod_child (rank=0) at ctl.c:337
        pid = 0
        cs = 0x2525252525252525
        rpc_handler = 1
        __func__ = "mod_child"
#10 0x0000556137947c5b in init_mod_child (m=0x7fda63707cb0, rank=0) at core/sr_module.c:943
        __func__ = "init_mod_child"
#11 0x00005561379478e2 in init_mod_child (m=0x7fda63708310, rank=0) at core/sr_module.c:939
        __func__ = "init_mod_child"
#12 0x00005561379478e2 in init_mod_child (m=0x7fda63709e78, rank=0) at core/sr_module.c:939
        __func__ = "init_mod_child"
#13 0x00005561379478e2 in init_mod_child (m=0x7fda6370a2e0, rank=0) at core/sr_module.c:939
        __func__ = "init_mod_child"
#14 0x00005561379478e2 in init_mod_child (m=0x7fda6370b178, rank=0) at core/sr_module.c:939
        __func__ = "init_mod_child"
#15 0x00005561379478e2 in init_mod_child (m=0x7fda6370b888, rank=0) at core/sr_module.c:939
        __func__ = "init_mod_child"
#16 0x000055613794802b in init_child (rank=0) at core/sr_module.c:970
No locals.
#17 0x00005561377eeb91 in main_loop () at main.c:1701
        i = 8
        pid = 6785
        si = 0x0
        si_desc = "udp receiver child=7 sock=10.1.8.151:5060\000\060\000\332\177\000\000\070\217yc\332\177\000\000\001\000\000\000\f\b\000\000\000\000\000\000\000\000\000\000\370;G[\332\177\000\000\200X\v\374\001\000\000\000\310V\341Z\332\177\000\000\200X\v\374\374\177\000\000\"\341\245\067aU\000\000\200\016~7aU\000\000\320quc\332\177\000"
        nrprocs = 8
        woneinit = 1
        __func__ = "main_loop"
#18 0x00005561377f5cc7 in main (argc=3, argv=0x7ffcfc0b5bd8) at main.c:2638
        cfg_stream = 0x556138e8b010
        c = -1
        r = 0
        tmp = 0x7fda63fc92e7 "__vdso_getcpu"
        tmp_len = 32764
        port = -66364912
        proto = 32730
        options = 0x556137b507e0 ":f:cm:M:dVIhEeb:l:L:n:vKrRDTN:W:w:t:u:g:P:G:SQ:O:a:A:x:X:Y:"
        ret = -1
        seed = 220359506
        rfd = 4
        debug_save = 0
        debug_flag = 0
        dont_fork_cnt = 0
        n_lst = 0x0
        p = 0x0
        st = {st_dev = 19, st_ino = 40752, st_nlink = 2, st_mode = 16832, st_uid = 0, st_gid = 0, __pad0 = 0, st_rdev = 0, 
          st_size = 40, st_blksize = 4096, st_blocks = 0, st_atim = {tv_sec = 1538560621, tv_nsec = 412647637}, st_mtim = {
            tv_sec = 1539854582, tv_nsec = 44920563}, st_ctim = {tv_sec = 1539854582, tv_nsec = 44920563}, __glibc_reserved = {0, 0, 0}}
        __func__ = "main"
(gdb) info locals
cfg_stream = 0x556138e8b010
c = -1
r = 0
tmp = 0x7fda63fc92e7 "__vdso_getcpu"
tmp_len = 32764
port = -66364912
proto = 32730
options = 0x556137b507e0 ":f:cm:M:dVIhEeb:l:L:n:vKrRDTN:W:w:t:u:g:P:G:SQ:O:a:A:x:X:Y:"
ret = -1
seed = 220359506
rfd = 4
debug_save = 0
debug_flag = 0
dont_fork_cnt = 0
n_lst = 0x0
p = 0x0
st = {st_dev = 19, st_ino = 40752, st_nlink = 2, st_mode = 16832, st_uid = 0, st_gid = 0, __pad0 = 0, st_rdev = 0, st_size = 40, 
  st_blksize = 4096, st_blocks = 0, st_atim = {tv_sec = 1538560621, tv_nsec = 412647637}, st_mtim = {tv_sec = 1539854582, 
    tv_nsec = 44920563}, st_ctim = {tv_sec = 1539854582, tv_nsec = 44920563}, __glibc_reserved = {0, 0, 0}}
__func__ = "main"
(gdb) list
101	in ../sysdeps/x86_64/strlen.S
```

#### Log Messages

The kernel reports the fault at address 32 (hex), which matches the invalid `0x32` pointer in the backtrace. After the child process dies with signal 11, the main process shuts down on SIGCHLD, so a single `dns.lookup NAPTR` RPC command stops the whole Kamailio instance.

```
Oct 18 10:37:11 sipfix1 kernel: [1393558.285356] kamailio[7264]: segfault at 32 ip 00007f57d79fb676 sp 00007ffdbb422d38 error 4 in libc-2.24.so[7f57d797b000+195000]
Oct 18 10:37:11 sipfix1 /usr/local/sbin/kamailio[7273]: CRITICAL: <core> [core/pass_fd.c:277]: receive_fd(): EOF on 5
Oct 18 10:37:11 sipfix1 /usr/local/sbin/kamailio[7234]: ALERT: <core> [main.c:738]: handle_sigs(): child process 7264 exited by a signal 11
Oct 18 10:37:11 sipfix1 /usr/local/sbin/kamailio[7234]: ALERT: <core> [main.c:741]: handle_sigs(): core was generated
Oct 18 10:37:11 sipfix1 /usr/local/sbin/kamailio[7234]: INFO: <core> [main.c:764]: handle_sigs(): terminating due to SIGCHLD
```

### Additional Information

  * **Kamailio Version** - output of `kamailio -v`

```

# kamailio -v
version: kamailio 5.1.5 (x86_64/linux) c2f0c8
flags: STATS: Off, USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MEM, SHM_MMAP, PKG_MALLOC, Q_MALLOC, F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLACKLIST, HAVE_RESOLV_RES
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144 MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
id: c2f0c8 
compiled on 09:25:31 Oct  2 2018 with gcc 6.3.0
```

* **Operating System**:

<!--
Details about the operating system, the type: Linux (e.g.,: Debian 8.4, Ubuntu 16.04, CentOS 7.1, ...), MacOS, xBSD, Solaris, ...;
Kernel details (output of `uname -a`)
-->

```
# uname -a
Linux sip.example.com 4.9.0-8-amd64 #1 SMP Debian 4.9.110-3+deb9u3 (2018-08-19) x86_64 GNU/Linux
```

