[sr-dev] [kamailio/kamailio] dispatcher algorithm 11 with congestion control memory corruption problem (#1649)

Julien Chavanton notifications at github.com
Fri Sep 21 18:00:16 CEST 2018



### Description

Segfault; suspected cause: writing out of bounds of an array.

### Troubleshooting

In progress

#### Reproduction

Hard

#### Debugging Data

```
/* code reference */
typedef struct _ds_set {
   int id;           /*!< id of dst set */
   int nr;           /*!< number of items in dst set */
   int last;         /*!< last used item in dst set (round robin) */
   int wlast;        /*!< last used item in dst set (by weight) */
   int rwlast;       /*!< last used item in dst set (by relative weight) */
   ds_dest_t *dlist;
   unsigned int wlist[100];
   unsigned int rwlist[100];
   struct _ds_set *next[2];
   int longer;
   gen_lock_t lock;
} ds_set_t;
```

Here we can see that `next` has an invalid value (it should have been 0/NULL in this case): 20000000220000000220

```
2964            ds_ping_set(node->next[i]);
(gdb) bt
#0  0x00007f3b1cfde6c7 in ds_ping_set (node=0x200000002) at dispatch.c:2964
#1  0x00007f3b1cfde6d3 in ds_ping_set (node=0x7f3a99a09fc8) at dispatch.c:2964
#2  0x00007f3b1cfde6d3 in ds_ping_set (node=0x7f3a99a09828) at dispatch.c:2964
#3  0x00007f3b1cfdf9ad in ds_check_timer (ticks=9987101, param=0x0) at dispatch.c:3022
#4  0x00005644376a3652 in sr_wtimer_exec (ticks=9987101, param=0x0) at core/timer_proc.c:390
#5  0x00005644376a276d in fork_sync_timer (child_id=-1, desc=0x5644378904c1 "secondary timer", make_sock=1, f=0x5644376a330c <sr_wtimer_exec>, param=0x0, interval=1000) at core/timer_proc.c:224
#6  0x00005644376a39ca in sr_wtimer_start () at core/timer_proc.c:416
#7  0x00005644374d2d59 in main_loop () at main.c:1702
#8  0x00005644374da171 in main (argc=12, argv=0x7ffe7c214ac8) at main.c:2650
(gdb) p (ds_set_t) *0x7f3a99a09828
$1 = {id = 2, nr = 2, last = 0, wlast = 0, rwlast = 0, dlist = 0x7f3a99a0aab8, wlist = {0 <repeats 100 times>}, rwlist = {0 <repeats 100 times>}, next = {0x7f3a99a09fc8, 0x0}, longer = 0, lock = {val = 0}}
(gdb) p (ds_set_t) *0x0x7f3a99a09fc8
Invalid number "0x0x7f3a99a09fc8".
(gdb) p (ds_set_t) *0x7f3a99a09fc8
$2 = {id = 1, nr = 3, last = 0, wlast = 0, rwlast = 0, dlist = 0x7f3a99a0a7f8, wlist = {1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 1, 0, 0, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 1, 0, 1, 1, 0, 0, 0, 1, 0, 0, 0, 0, 1, 1, 1, 1, 0, 1, 0, 1, 1, 1, 1, 0, 1, 0, 0, 1, 0, 1, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 1, 1, 0, 0, 0, 1, 1}, rwlist = {1, 1, 2, 2, 1, 0, 1, 0, 2, 2, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 2, 0, 1, 2, 1, 0, 0, 0, 0, 2, 1, 0, 2, 1, 2, 1, 1, 0, 2, 1, 2, 2, 2, 0, 0, 2, 0, 2, 2, 0, 2, 2, 0, 1, 2, 1, 1, 2, 1, 1, 0, 1, 1, 0, 1, 0, 2, 2, 2, 2, 2, 0, 0, 2, 0, 1, 0, 2, 1, 1, 2, 0, 2, 1, 2, 1, 1, 0, 2, 1, 2, 2, 1, 2, 1, 1, 0}, next = {0x200000002, 0x200000002}, longer = 2, lock = {val = 0}}
(gdb)
```


### Possible Solutions

Further analysis of the relevant source code around dp_init_relative_weights() and the way it was reused with congestion control.
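Added example, not code from the issue or from Kamailio: a reduced model of ds_set_t and a bounded filler for rwlist, showing the check a weight-driven loop needs so it cannot write past rwlist[99] into next[] and longer. It assumes, as a hypothesis drawn from the dump above (next[] and longer all reading 2 while nr is 3), that such a loop wrote the last destination index past the array; rweight[] and all function names here are hypothetical.

```c
#include <string.h>
#define DS_RWLIST_SIZE 100 /* same size as wlist[100]/rwlist[100] in ds_set_t */

/* Reduced model of ds_set_t keeping the fields that follow rwlist in memory:
 * anything written past rwlist[99] lands on next[] and then on longer. */
typedef struct _demo_ds_set {
    int nr;                              /* number of destinations in the set */
    unsigned int rwlist[DS_RWLIST_SIZE]; /* destination index chosen per slot */
    struct _demo_ds_set *next[2];        /* the pointers seen as 0x200000002 */
    int longer;
} demo_ds_set_t;

/* Fill rwlist from hypothetical per-destination relative weights rweight[].
 * Returns slots written, or -1 (nothing written) when the weights would need
 * more than DS_RWLIST_SIZE slots, i.e. would spill into next[] and longer. */
int fill_rwlist_checked(demo_ds_set_t *set, const unsigned int *rweight)
{
    unsigned int total = 0, pos = 0;
    for (int i = 0; i < set->nr; i++)
        total += rweight[i];
    if (total > DS_RWLIST_SIZE)
        return -1;
    for (int i = 0; i < set->nr; i++)
        for (unsigned int j = 0; j < rweight[i]; j++)
            set->rwlist[pos++] = (unsigned int)i;
    return (int)total;
}

/* Constructed weights (after a congestion-control adjustment) adding up to 120
 * slots must be rejected with next[]/longer untouched; returns 1 if so, else 0. */
int demo_overrun_is_rejected(void)
{
    demo_ds_set_t set;
    memset(&set, 0, sizeof set);
    set.nr = 3;
    unsigned int congested[3] = {60, 40, 20};
    int rc = fill_rwlist_checked(&set, congested);
    return rc == -1 && set.next[0] == NULL && set.next[1] == NULL && set.longer == 0;
}

/* Constructed weights summing to exactly 100 fill the array in order;
 * returns the destination index stored in the final slot (expected 2). */
int demo_exact_fill_last_index(void)
{
    demo_ds_set_t set;
    memset(&set, 0, sizeof set);
    set.nr = 3;
    unsigned int weights[3] = {50, 30, 20};
    return fill_rwlist_checked(&set, weights) == 100 ? (int)set.rwlist[99] : -1;
}
```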

Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/1649