[sr-dev] [kamailio/kamailio] dispatcher algorithm 11 with congestion control memory corruption problem (#1649)

Julien Chavanton notifications at github.com
Fri Sep 21 21:12:01 CEST 2018 

quite sure I found it !

```
/**
 * Initialize the relative weight distribution for a destination set
 * - fill the array of 0..99 elements where to keep the index of the
 *   destination address to be used. The Nth call will use
 *   the address with the index at possition N%100
 */
int dp_init_relative_weights(ds_set_t *dset)
{
   int j;
   int k;
   int t;

   if(dset == NULL || dset->dlist == NULL)
      return -1;

   lock_get(&dset->lock);
   int rw_sum = 0;
   /* find the sum of relative weights*/
   for(j = 0; j < dset->nr; j++) { // READING THE FLAG ONCE
      if(ds_skip_dst(dset->dlist[j].flags))
         continue;
      rw_sum += dset->dlist[j].attrs.rweight;
   }

   if(rw_sum == 0) {
      lock_release(&dset->lock);
      return 0;
   }

   /* fill the array based on the relative weight of each destination */
   t = 0;
   for(j = 0; j < dset->nr; j++) {
      if(ds_skip_dst(dset->dlist[j].flags)) // READING THE FLAG AGAIN, SEGFAULT IF THEY CHANGED !
         continue;

      int current_slice =
            dset->dlist[j].attrs.rweight * 100 / rw_sum; //truncate here;
      LM_DBG("rw_sum[%d][%d][%d]\n",j, rw_sum, current_slice);
      for(k = 0; k < current_slice; k++) {
         dset->rwlist[t] = (unsigned int)j;
         t++;
      }
   }

   /* if the array was not completely filled (i.e., the sum of rweights is
    * less than 100 due to truncated), then use last address to fill the rest */
   unsigned int last_insert =                                                                                                                                                                                                                                                      
         t > 0 ? dset->rwlist[t - 1] : (unsigned int)(dset->nr - 1);
   for(j = t; j < 100; j++)
      dset->rwlist[j] = last_insert;

   /* shuffle the content of the array in order to mix the selection
    * of the addresses (e.g., if first address has weight=20, avoid
    * sending first 20 calls to it, but ensure that within a 100 calls,
    * 20 go to first address */
   shuffle_uint100array(dset->rwlist);
   lock_release(&dset->lock);
   return 0;
}
```


```
rw_sum[0][96][50]
rw_sum[1][96][50]
rw_sum[2][96][48]
redistributed array
0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|
fill the truncate t[148] with[2]
0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|1|
shuffled array
1|0|1|1|0|0|0|1|1|1|1|1|1|1|0|1|1|0|1|0|0|1|0|0|0|0|0|0|1|1|1|1|1|1|1|0|0|1|1|0|0|1|1|0|0|1|0|0|0|1|1|0|1|0|0|0|1|1|0|0|1|0|0|1|0|1|0|1|0|0|1|0|0|1|0|1|0|0|1|0|0|1|0|1|0|1|1|1|1|1|0|0|1|0|1|1|1|0|0|0|
*** stack smashing detected ***: ./bin/shuffle terminated
Aborted
```

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/1649#issuecomment-423642232
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.kamailio.org/pipermail/sr-dev/attachments/20180921/5988304f/attachment-0001.html>

More information about the sr-dev mailing list