[sr-dev] [kamailio/kamailio] Memory leak in sanity module 'proxy require' check (#1990)

Tijs Zwinkels - TinkerTank notifications at github.com
Fri Jun 21 22:54:19 CEST 2019


### Description

We noticed one of our kamailio instances using increasing amounts of pkg memory.

This appears to be related to the sanity-check module.
sanity.c:655 - `if (msg->proxy_require->parsed == NULL)` then that header is parsed into `msg->proxy_require->parsed`. This buffer should be free'd in sanity.c:712, but this only happens if the sanity check is successful. If the sanity check fails (on line 701), then the buffer is never free'd.

### Troubleshooting

#### Reproduction

We can reproduce the issue by repeatedly sending the following SIP packet to kamailio.
Please note that this 'Proxy-Require' header is invalid in our setup, and is most likely originally caused by an invalidly configured phone.

```
SUBSCRIBE sip:phone_0@example.com:5060 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.102:5062;branch=z9hG4bK2104306013
From: "xxx" <sip:phone_0@example.com>;tag=108111795
To: "xxx" <sip:phone_0@example.com>
Call-ID: 3276145660@192.168.1.102
CSeq: 1 SUBSCRIBE
Contact: <sip:phone_0@192.168.1.102:5062>
Accept: application/x-as-feature-event+xml
Max-Forwards: 70
User-Agent: Yealink SIP-T48G 35.72.188.7
Proxy-Require: sip.example.com
Expires: 3630
Event: as-feature-event
Content-Length: 0
```

### Possible Solutions

The code to free the buffer could be duplicated before the return on sanity.c:701.

However, it's not clear to me why the `msg->proxy_require->parsed` structure doesn't get properly free'd when msg is free'd, as most other fields in this struct seem to be destructed correctly.

For now, we disabled the proxy require check with:
```
modparam("sanity", "default_checks", 2535)
```
This mitigates the memory leak.

### Additional Information

  * **Kamailio Version** - output of `kamailio -v`

```
version: kamailio 5.2.2 (x86_64/linux) 
flags: STATS: Off, USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MEM, SHM_MMAP, PKG_MALLOC, Q_MALLOC, F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLACKLIST, HAVE_RESOLV_RES
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144 MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
id: unknown 
compiled with gcc 5.3.1
```

Problem still present in current master.

* **Operating System**:

Ubuntu 16.04

```
Linux tijscmp01 4.4.0-145-generic #171-Ubuntu SMP Tue Mar 26 12:43:40 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
```


https://github.com/kamailio/kamailio/issues/1990
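
The leak pattern described in the report, as an added example that is not Kamailio's code: a lazily parsed header list is freed only on the success path, so every rejected request leaves its list allocated. All types and function names are simplified, hypothetical stand-ins, and `"100rel"` is an assumed value for the configured supported extension.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins, not Kamailio's types: a header with a lazily parsed body. */
typedef struct tag { char name[32]; struct tag *next; } tag_t;
typedef struct { const char *body; tag_t *parsed; } hdr_t;
static long live_allocs = 0;            /* crude stand-in for pkg memory in use */
static void *xalloc(size_t n) { void *p = calloc(1, n); if (p) live_allocs++; return p; }
static void xfree(void *p) { if (p) { live_allocs--; free(p); } }

/* Split a comma-separated option-tag list into a linked list. */
static tag_t *parse_tags(const char *body) {
    tag_t *head = NULL, **tail = &head;
    while (*body) {
        size_t n = strcspn(body, ", ");
        tag_t *t = n ? xalloc(sizeof *t) : NULL;
        if (t) { memcpy(t->name, body, n < 31 ? n : 31); *tail = t; tail = &t->next; }
        body += n + strspn(body + n, ", ");
    }
    return head;
}
static void free_tags(tag_t **l) { while (*l) { tag_t *n = (*l)->next; xfree(*l); *l = n; } }

/* fix == 0: cleanup is reached only when the check passes (the reported pattern).
 * fix == 1: the failure path falls through to the same cleanup. Returns 1 = pass. */
static int check_proxy_require(hdr_t *h, const char *supported, int fix) {
    int ok = 1;
    if (h->parsed == NULL) h->parsed = parse_tags(h->body);
    for (tag_t *t = h->parsed; t; t = t->next)
        if (strcmp(t->name, supported) != 0) {
            if (!fix) return 0;         /* early return: the parsed list is never freed */
            ok = 0; break;
        }
    free_tags(&h->parsed);
    return ok;
}

/* Process the same failing request `rounds` times; return allocations left over. */
long leaked_after(int rounds, int fix) {
    live_allocs = 0;
    for (int i = 0; i < rounds; i++) {
        hdr_t h = { "sip.example.com", NULL };   /* Proxy-Require value from the report */
        check_proxy_require(&h, "100rel", fix);  /* "100rel": assumed configured extension */
    }
    return live_allocs;
}

int main(void) { printf("leaky: %ld  fixed: %ld\n", leaked_after(1000, 0), leaked_after(1000, 1)); return 0; }
```

The leftover count grows linearly with the number of rejected requests in the first variant, which matches the steadily increasing pkg memory described in the report.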