[sr-dev] [kamailio/kamailio] Memory leak in sanity module 'proxy require' check (#1990)
Tijs Zwinkels - TinkerTank
notifications at github.com
Fri Jun 21 22:54:19 CEST 2019
We noticed one of our kamailio instances using increasing amounts of pkg memory.
This appears to be related to the sanity-check module.
sanity.c:655 - `if (msg->proxy_require->parsed == NULL)` then that header is parsed into `msg->proxy_require->parsed`. This buffer should be free'd in sanity.c:712, but this only happens if the sanity check is successful. If the sanity check fails (on line 701), then the buffer is never free'd.
We can reproduce the issue by repeatedly sending the following SIP packet to kamailio.
Please note that this 'Proxy-Require' header is invalid in our setup, and is most likely originally caused by an invalidly configured phone.
```
SUBSCRIBE sip:phone_0@example.com:5060 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.102:5062;branch=z9hG4bK2104306013
From: "xxx" <sip:phone_0@example.com>;tag=108111795
To: "xxx" <sip:phone_0@example.com>
Call-ID: 3276145660@192.168.1.102
CSeq: 1 SUBSCRIBE
Contact: <sip:phone_0@192.168.1.102:5062>
User-Agent: Yealink SIP-T48G 18.104.22.168
```
### Possible Solutions
The code to free the buffer could be duplicated before the return on sanity.c:701.
However, it's not clear to me why the `msg->proxy_require->parsed` structure doesn't get properly free'd when msg is free'd, as most other fields in this struct seem to be destructed correctly.
For now, we disabled the proxy require check with:
```
modparam("sanity", "default_checks", 2535)
```
This mitigates the memory leak.
### Additional Information
* **Kamailio Version** - output of `kamailio -v`
```
version: kamailio 5.2.2 (x86_64/linux)
flags: STATS: Off, USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MEM, SHM_MMAP, PKG_MALLOC, Q_MALLOC, F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLACKLIST, HAVE_RESOLV_RES
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144 MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
compiled with gcc 5.3.1
```
Problem still present in current master.
* **Operating System**:
Details about the operating system, the type: Linux (e.g.,: Debian 8.4, Ubuntu 16.04, CentOS 7.1, ...), MacOS, xBSD, Solaris, ...;
Kernel details (output of `uname -a`)
```
Linux tijscmp01 4.4.0-145-generic #171-Ubuntu SMP Tue Mar 26 12:43:40 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
```
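The leak shape described in the report, as an added example that is neither part of the original message nor Kamailio's code: a self-contained C model in which a header body is parsed on demand and released only on the success path, next to a variant where every exit after parsing passes through the same free. `struct hdr`, `parse_body`, `supported`, `run` and the `foo.bar` extension token are hypothetical names and constructed values.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Simplified stand-ins, not Kamailio's real structures or functions. */
struct hdr { const char *body; char *parsed; };
static long live_allocs = 0;            /* parse buffers not yet freed */

static char *parse_body(const char *body) {
    char *p = malloc(strlen(body) + 1);
    if (p) { strcpy(p, body); live_allocs++; }
    return p;
}
static void free_parsed(struct hdr *h) {
    if (h->parsed) { free(h->parsed); h->parsed = NULL; live_allocs--; }
}
/* Hypothetical policy: only the "100rel" extension is supported. */
static int supported(const char *ext) { return strcmp(ext, "100rel") == 0; }

/* Shape described in the report: the failure return skips the free. */
int check_leaky(struct hdr *h) {
    if (!h->parsed && !(h->parsed = parse_body(h->body))) return -1;
    if (!supported(h->parsed))
        return 0;                       /* h->parsed is never released */
    free_parsed(h);
    return 1;
}

/* Every exit after a successful parse passes through the same free. */
int check_fixed(struct hdr *h) {
    if (!h->parsed && !(h->parsed = parse_body(h->body))) return -1;
    int ret = supported(h->parsed);
    free_parsed(h);
    return ret;
}

/* Assumes, as reported, that message teardown does not free `parsed`. */
long run(int (*check)(struct hdr *), const char *body, int n) {
    long before = live_allocs;
    for (int i = 0; i < n; i++) {
        struct hdr h = { body, NULL };  /* fresh message per request */
        check(&h);
    }
    return live_allocs - before;        /* buffers left allocated */
}

int main(void) {
    printf("leaky: %ld\n", run(check_leaky, "foo.bar", 1000));
    printf("fixed: %ld\n", run(check_fixed, "foo.bar", 1000));
    return 0;
}
```

In the model, one buffer is lost per rejected request, which matches the steadily growing pkg memory the report describes when the same invalid packet is sent repeatedly.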