[sr-dev] [kamailio/kamailio] Kamailio 5.3.0 crashed when exec module tried to execute external program (#2165)

Konstantin notifications at github.com
Mon Dec 16 17:17:59 CET 2019 

I crashed it again on new binary.

```
[root at sip-proxy01 ecsp]# gdb ./sbin/kamailio --core=core.23544
GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-115.el7
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/ecsp/sbin/kamailio...Reading symbols from /usr/lib/debug/usr/ecsp/sbin/kamailio.debug...done.
done.
[New LWP 23544]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `/usr/ecsp/sbin/kamailio -f /usr/ecsp/etc/kamailio/ecsp.cfg -m 64 -M 8 -u kamail'.
Program terminated with signal 11, Segmentation fault.
#0  0x00007fa8e71d401b in run_failure_handlers (t=0x7fa8e01650f0, rpl=0xffffffffffffffff, code=408, extra_flags=32) at t_reply.c:1020
1020                    t->uas.request->flags = faked_req->flags;
Missing separate debuginfos, use: debuginfo-install cyrus-sasl-lib-2.1.26-23.el7.x86_64 glibc-2.17-292.el7.x86_64 keyutils-libs-1.5.8-3.el7.x86_64 krb5-libs-1.15.1-37.el7_7.2.x86_64 libcom_err-1.42.9-16.el7.x86_64 libdb-5.3.21-25.el7.x86_64 libselinux-2.5-14.1.el7.x86_64 mongo-c-driver-1.9.4-1.0.el7.centos.x86_64 nss-softokn-freebl-3.44.0-5.el7.x86_64 openssl-libs-1.0.2k-19.el7.x86_64 pcre-8.32-17.el7.x86_64 zlib-1.2.7-18.el7.x86_64
(gdb) bt
#0  0x00007fa8e71d401b in run_failure_handlers (t=0x7fa8e01650f0, rpl=0xffffffffffffffff, code=408, extra_flags=32) at t_reply.c:1020
#1  0x00007fa8e71d78cf in t_should_relay_response (Trans=0x7fa8e01650f0, new_code=408, branch=0, should_store=0x7fffb8aee41c, should_relay=0x7fffb8aee420, cancel_data=0x7fffb8aee4d0,
    reply=0xffffffffffffffff) at t_reply.c:1390
#2  0x00007fa8e71dc67e in relay_reply (t=0x7fa8e01650f0, p_msg=0xffffffffffffffff, branch=0, msg_status=408, cancel_data=0x7fffb8aee4d0, do_put_on_wait=0) at t_reply.c:1821
#3  0x00007fa8e723cb80 in fake_reply (t=0x7fa8e01650f0, branch=0, code=408) at timer.c:294
#4  0x00007fa8e723d00d in final_response_handler (r_buf=0x7fa8e0165318, t=0x7fa8e01650f0) at timer.c:455
#5  0x00007fa8e723d0bc in retr_buf_handler (ticks=757073884, tl=0x7fa8e0165338, p=0x1f40) at timer.c:511
#6  0x00000000004bd284 in slow_timer_main () at core/timer.c:1104
#7  0x000000000042655f in main_loop () at main.c:1727
#8  0x000000000042e56a in main (argc=15, argv=0x7fffb8aeed18) at main.c:2802
(gdb) list
1015                            }
1016                            exec_post_script_cb(faked_req, FAILURE_CB_TYPE);
1017                    }
1018                    log_prefix_set(NULL);
1019                    /* update message flags, if changed in failure route */
1020                    t->uas.request->flags = faked_req->flags;
1021            }
1022
1023            /* restore original environment */
1024            faked_env( t, 0, 0);
(gdb) info locals
faked_req = 0x7fa8e01693d0
faked_req_len = 7264
shmem_msg = 0x7fa8e01667b0
on_failure = 1
keng = 0x0
__FUNCTION__ = "run_failure_handlers"
(gdb) p t
$1 = (struct cell *) 0x7fa8e01650f0
(gdb) p *t
$2 = {next_c = 0x534e4f4954504f00, prev_c = 0x4b62344768397a00, hash_index = 926102061, label = 825045297, flags = 12333, nr_of_outgoings = 0, fcount = 0, ref_count = {val = 0}, from = {s = 0x0,
    len = 0}, callid = {s = 0x0, len = 0}, cseq_n = {s = 0x0, len = 0}, to = {s = 0x0, len = 0}, method = {s = 0x0, len = 0}, tmcb_hl = {first = 0x0, reg_types = 0}, wait_timer = {next = 0x0,
    prev = 0x0, expire = 0, initial_timeout = 0, data = 0x0, f = 0x0, flags = 0, slow_idx = 0}, wait_start = 0, uas = {request = 0x0, end_request = 0x0, response = {rbtype = 0, flags = 0, t_active = 0,
      branch = 0, buffer_len = 0, buffer = 0x0, my_T = 0xc0c0c0c0, timer = {next = 0xabcdefed, prev = 0x0, expire = 0, initial_timeout = 0, data = 0x100, f = 0x0, flags = 14880, slow_idx = 0}, dst = {
        send_sock = 0x7fa8dfed6e00, to = {s = {sa_family = 31956, sa_data = "\366\346\250\177\000\000{e\200\000\000\000\000"}, sin = {sin_family = 31956, sin_port = 59126, sin_addr = {s_addr = 32680},
            sin_zero = "{e\200\000\000\000\000"}, sin6 = {sin6_family = 31956, sin6_port = 59126, sin6_flowinfo = 32680, sin6_addr = {__in6_u = {
                __u6_addr8 = "{e\200\000\000\000\000\000\320|\366\346\250\177\000", __u6_addr16 = {25979, 128, 0, 0, 31952, 59126, 32680, 0}, __u6_addr32 = {8414587, 0, 3874913488, 32680}}},
            sin6_scope_id = 271}}, id = 0, proto = -16 '\360', send_flags = {f = 61680, blst_imask = 0}}, retr_expire = 0, fr_expire = 0}, local_totag = {s = 0x0, len = 0}, cancel_reas = 0x0,
    status = 0}, uac = 0x0, async_backup = {backup_route = 0, backup_branch = 0, blind_uac = 0, ruri_new = 0}, fwded_totags = 0x0, uri_avps_from = 0x0, uri_avps_to = 0x0, user_avps_from = 0x0,
  user_avps_to = 0x0, domain_avps_from = 0x0, domain_avps_to = 0x0, xavps_list = 0x0, reply_mutex = {val = 0}, reply_locker_pid = {val = 0}, reply_rec_lock_level = 0, fr_timeout = 0,
  fr_inv_timeout = 0, rt_t1_timeout_ms = 0, rt_t2_timeout_ms = 0, end_of_life = 0, relayed_reply_branch = 0, on_failure = 0, on_branch_failure = 0, on_reply = 0, on_branch = 0, on_branch_delayed = 0,
  md5 = 0x7fa8e01652e8 "674189e128b010d9ec725cf0ba186019\377\377\377\377\377\377\377\377"}
(gdb) p *t->uas.request
Cannot access memory at address 0x0
(gdb) p faked_req
$3 = (struct sip_msg *) 0x7fa8e01693d0
(gdb) p *faked_req
$4 = {id = 0, pid = 23514, tval = {tv_sec = 1576512772, tv_usec = 855609}, fwd_send_flags = {f = 0, blst_imask = 0}, rpl_send_flags = {f = 0, blst_imask = 0}, first_line = {type = 1, flags = 1,
    len = 75, u = {request = {method = {
          s = 0x7fa8e0169ae8 "INVITE sip:18447757711 at mightyc.pr.mytcall.com:16060;transport=UDP SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.158.139:43228;branch=z9hG4bK-524287-1---e4184c5f8f7432bd\r\nMax-Forwards: 69\r\nContact: <sip:i.gurieva."..., len = 6}, uri = {
          s = 0x7fa8e0169aef "sip:18447757711 at mightyc.pr.mytcall.com:16060;transport=UDP SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.158.139:43228;branch=z9hG4bK-524287-1---e4184c5f8f7432bd\r\nMax-Forwards: 69\r\nContact: <sip:i.gurieva.mightyc"..., len = 58}, version = {
          s = 0x7fa8e0169b2a "SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.158.139:43228;branch=z9hG4bK-524287-1---e4184c5f8f7432bd\r\nMax-Forwards: 69\r\nContact: <sip:i.gurieva.mightycall.com at 192.168.158.139:43228;transport=UDP>\r\nTo: <sip:1844"..., len = 7}, method_value = 1}, reply = {version = {
          s = 0x7fa8e0169ae8 "INVITE sip:18447757711 at mightyc.pr.mytcall.com:16060;transport=UDP SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.158.139:43228;branch=z9hG4bK-524287-1---e4184c5f8f7432bd\r\nMax-Forwards: 69\r\nContact: <sip:i.gurieva."..., len = 6}, status = {
          s = 0x7fa8e0169aef "sip:18447757711 at mightyc.pr.mytcall.com:16060;transport=UDP SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.158.139:43228;branch=z9hG4bK-524287-1---e4184c5f8f7432bd\r\nMax-Forwards: 69\r\nContact: <sip:i.gurieva.mightyc"..., len = 58}, reason = {
          s = 0x7fa8e0169b2a "SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.158.139:43228;branch=z9hG4bK-524287-1---e4184c5f8f7432bd\r\nMax-Forwards: 69\r\nContact: <sip:i.gurieva.mightycall.com at 192.168.158.139:43228;transport=UDP>\r\nTo: <sip:1844"..., len = 7}, statuscode = 1}}}, via1 = 0x7fa8e016a058, via2 = 0x0, headers = 0x7fa8e016a018, last_header = 0x7fa8e016a970, parsed_flag = 18446744073709551615,
  h_via1 = 0x7fa8e016a018, h_via2 = 0x0, callid = 0x7fa8e016a660, to = 0x7fa8e016a200, cseq = 0x7fa8e016a6a0, from = 0x7fa8e016a418, contact = 0x7fa8e016a1c0, maxforwards = 0x7fa8e016a180, route = 0x0,
  record_route = 0x0, content_type = 0x7fa8e016a750, content_length = 0x7fa8e016a970, authorization = 0x0, expires = 0x0, proxy_auth = 0x7fa8e016a790, supported = 0x7fa8e016a8b0, require = 0x0,
  proxy_require = 0x0, unsupported = 0x0, allow = 0x7fa8e016a710, event = 0x0, accept = 0x0, accept_language = 0x0, organization = 0x0, priority = 0x0, subject = 0x0, user_agent = 0x7fa8e016a8f0,
  server = 0x0, content_disposition = 0x0, diversion = 0x0, rpid = 0x0, refer_to = 0x0, session_expires = 0x0, min_se = 0x0, sipifmatch = 0x0, subscription_state = 0x0, date = 0x0, identity = 0x0,
  identity_info = 0x0, pai = 0x0, ppi = 0x0, path = 0x0, privacy = 0x0, min_expires = 0x0, body = 0x0,
  eoh = 0x7fa8e0169f1c "\r\nv=0\r\no=Z 0 0 IN IP4 192.168.158.139\r\ns=Z\r\nc=IN IP4 192.168.158.139\r\nt=0 0\r\nm=audio 8000 RTP/AVP 3 110 8 0 97 101\r\na=rtpmap:110 speex/8000\r\na=rtpmap:97 iLBC/8000\r\na=fmtp:97 mode=30\r\na=rtpmap:101 tele"...,
  unparsed = 0x7fa8e0169f1c "\r\nv=0\r\no=Z 0 0 IN IP4 192.168.158.139\r\ns=Z\r\nc=IN IP4 192.168.158.139\r\nt=0 0\r\nm=audio 8000 RTP/AVP 3 110 8 0 97 101\r\na=rtpmap:110 speex/8000\r\na=rtpmap:97 iLBC/8000\r\na=fmtp:97 mode=30\r\na=rtpmap:101 tele"..., rcv = {src_ip = {af = 2, len = 4, u = {addrl = {2190086405, 140736291857920}, addr32 = {2190086405, 0, 3098469888, 32767}, addr16 = {4357, 33418, 0,
          0, 58880, 47278, 32767, 0}, addr = "\005\021\212\202\000\000\000\000\000殸\377\177\000"}}, dst_ip = {af = 2, len = 4, u = {addrl = {2374635781, 0}, addr32 = {2374635781, 0, 0, 0}, addr16 = {
          4357, 36234, 0, 0, 0, 0, 0, 0}, addr = "\005\021\212\215", '\000' <repeats 11 times>}}, src_port = 43228, dst_port = 16060, proto_reserved1 = 0, proto_reserved2 = 0, src_su = {s = {
        sa_family = 2, sa_data = "\250\334\005\021\212\202\000\000\000\000\000\000\000"}, sin = {sin_family = 2, sin_port = 56488, sin_addr = {s_addr = 2190086405},
        sin_zero = "\000\000\000\000\000\000\000"}, sin6 = {sin6_family = 2, sin6_port = 56488, sin6_flowinfo = 2190086405, sin6_addr = {__in6_u = {__u6_addr8 = '\000' <repeats 15 times>,
            __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {0, 0, 0, 0}}}, sin6_scope_id = 0}}, bind_address = 0x7fa8eb16cb58, proto = 1 '\001'},
  buf = 0x7fa8e0169ae8 "INVITE sip:18447757711 at mightyc.pr.mytcall.com:16060;transport=UDP SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.158.139:43228;branch=z9hG4bK-524287-1---e4184c5f8f7432bd\r\nMax-Forwards: 69\r\nContact: <sip:i.gurieva."..., len = 1323, new_uri = {s = 0x0, len = 0}, dst_uri = {s = 0x7fa8eb210e58 "sip:94.72.41.53:5167", len = 20}, parsed_uri_ok = 0, parsed_uri = {user = {
      s = 0x7fa8e0169af3 "18447757711 at mightyc.pr.mytcall.com:16060;transport=UDP SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.158.139:43228;branch=z9hG4bK-524287-1---e4184c5f8f7432bd\r\nMax-Forwards: 69\r\nContact: <sip:i.gurieva.mightycall."..., len = 11}, passwd = {s = 0x0, len = 0}, host = {
      s = 0x7fa8e0169aff "mightyc.pr.mytcall.com:16060;transport=UDP SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.158.139:43228;branch=z9hG4bK-524287-1---e4184c5f8f7432bd\r\nMax-Forwards: 69\r\nContact: <sip:i.gurieva.mightycall.com at 192.168."..., len = 22}, port = {
      s = 0x7fa8e0169b16 "16060;transport=UDP SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.158.139:43228;branch=z9hG4bK-524287-1---e4184c5f8f7432bd\r\nMax-Forwards: 69\r\nContact: <sip:i.gurieva.mightycall.com at 192.168.158.139:43228;transport"..., len = 5}, params = {
      s = 0x7fa8e0169b1c "transport=UDP SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.158.139:43228;branch=z9hG4bK-524287-1---e4184c5f8f7432bd\r\nMax-Forwards: 69\r\nContact: <sip:i.gurieva.mightycall.com at 192.168.158.139:43228;transport=UDP>\r"..., len = 13}, sip_params = {s = 0xa826f4 <buf.6964+52> "", len = 13}, headers = {s = 0x0, len = 0}, port_no = 16060, proto = 1, type = SIP_URI_T, flags = (unknown: 0),
    transport = {
      s = 0x7fa8e0169b1c "transport=UDP SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.158.139:43228;branch=z9hG4bK-524287-1---e4184c5f8f7432bd\r\nMax-Forwards: 69\r\nContact: <sip:i.gurieva.mightycall.com at 192.168.158.139:43228;transport=UDP>\r"..., len = 13}, ttl = {s = 0x0, len = 0}, user_param = {s = 0x0, len = 0}, maddr = {s = 0x0, len = 0}, method = {s = 0x0, len = 0}, lr = {s = 0x0, len = 0}, r2 = {
      s = 0x0, len = 0}, gr = {s = 0x0, len = 0}, transport_val = {
      s = 0x7fa8e0169b26 "UDP SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.158.139:43228;branch=z9hG4bK-524287-1---e4184c5f8f7432bd\r\nMax-Forwards: 69\r\nContact: <sip:i.gurieva.mightycall.com at 192.168.158.139:43228;transport=UDP>\r\nTo: <sip:"..., len = 3}, ttl_val = {s = 0x0, len = 0}, user_param_val = {s = 0x0, len = 0}, maddr_val = {s = 0x0, len = 0}, method_val = {s = 0x0, len = 0}, lr_val = {s = 0x0,
      len = 0}, r2_val = {s = 0x0, len = 0}, gr_val = {s = 0x0, len = 0}}, parsed_orig_ruri_ok = 0, parsed_orig_ruri = {user = {s = 0x0, len = 0}, passwd = {s = 0x0, len = 0}, host = {s = 0x0,
      len = 0}, port = {s = 0x0, len = 0}, params = {s = 0x0, len = 0}, sip_params = {s = 0x0, len = 0}, headers = {s = 0x0, len = 0}, port_no = 0, proto = 0, type = ERROR_URI_T, flags = (unknown: 0),
    transport = {s = 0x0, len = 0}, ttl = {s = 0x0, len = 0}, user_param = {s = 0x0, len = 0}, maddr = {s = 0x0, len = 0}, method = {s = 0x0, len = 0}, lr = {s = 0x0, len = 0}, r2 = {s = 0x0, len = 0},
    gr = {s = 0x0, len = 0}, transport_val = {s = 0x0, len = 0}, ttl_val = {s = 0x0, len = 0}, user_param_val = {s = 0x0, len = 0}, maddr_val = {s = 0x0, len = 0}, method_val = {s = 0x0, len = 0},
    lr_val = {s = 0x0, len = 0}, r2_val = {s = 0x0, len = 0}, gr_val = {s = 0x0, len = 0}}, add_rm = 0x7fa8e016a9b0, body_lumps = 0x0, reply_lump = 0x0, add_to_branch_s = '\000' <repeats 57 times>,
  add_to_branch_len = 0, hash_index = 43574, msg_flags = 262321, flags = 3, xflags = {0, 0}, set_global_address = {s = 0x0, len = 0}, set_global_port = {s = 0x0, len = 0}, force_send_socket = 0x0,
  path_vec = {s = 0x0, len = 0}, instance = {s = 0x0, len = 0}, reg_id = 0, ruid = {s = 0x0, len = 0}, location_ua = {s = 0x0, len = 0}, otcpid = 0, ldv = {flow = {decoded = 0, rcv = {src_ip = {af = 0,
          len = 0, u = {addrl = {0, 0}, addr32 = {0, 0, 0, 0}, addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, addr = '\000' <repeats 15 times>}}, dst_ip = {af = 0, len = 0, u = {addrl = {0, 0}, addr32 = {0, 0, 0,
              0}, addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, addr = '\000' <repeats 15 times>}}, src_port = 0, dst_port = 0, proto_reserved1 = 0, proto_reserved2 = 0, src_su = {s = {sa_family = 0,
            sa_data = '\000' <repeats 13 times>}, sin = {sin_family = 0, sin_port = 0, sin_addr = {s_addr = 0}, sin_zero = "\000\000\000\000\000\000\000"}, sin6 = {sin6_family = 0, sin6_port = 0,
            sin6_flowinfo = 0, sin6_addr = {__in6_u = {__u6_addr8 = '\000' <repeats 15 times>, __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {0, 0, 0, 0}}}, sin6_scope_id = 0}},
        bind_address = 0x0, proto = 0 '\000'}}}}
(gdb)
```


-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/2165#issuecomment-566131204
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.kamailio.org/pipermail/sr-dev/attachments/20191216/2e39b4cc/attachment-0001.html>

More information about the sr-dev mailing list