[sr-dev] [kamailio/kamailio] Segmentation fault on tm:t_should_relay_response (#1875)

Fernando S. Santos notifications at github.com
Fri Mar 1 06:31:55 CET 2019


Hello @miconda, I think this patch introduced a new bug in the tmx module.
Now I'm getting a segfault in tmx.so:

### Log
```
[345284.567219] kamailio[88343]: segfault at 1f4 ip 00007fa4b771f934 sp 00007ffd06a1e710 error 4 in tmx.so[7fa4b770c000+1d000]
[345332.406311] kamailio[88635]: segfault at 1f4 ip 00007fcb136e0934 sp 00007ffeda371e60 error 4 in tmx.so[7fcb136cd000+1d000]
[345488.107701] kamailio[88940]: segfault at 1f4 ip 00007f2fffba9934 sp 00007fff2bf8b7f0 error 4 in tmx.so[7f2fffb96000+1d000]
[345517.133371] kamailio[89337]: segfault at 244 ip 00007f7ae3d19934 sp 00007fff6f699350 error 4 in tmx.so[7f7ae3d06000+1d000]
[345546.632373] kamailio[89602]: segfault at 1f4 ip 00007f02d6019934 sp 00007ffe5d33ac50 error 4 in tmx.so[7f02d6006000+1d000]
[345568.432423] kamailio[89742]: segfault at 1f4 ip 00007f4e5094a934 sp 00007fffd5915930 error 4 in tmx.so[7f4e50937000+1d000]
```
### GDB info
```


(gdb) frame 0
#0  0x00007f4e5094a934 in pv_get_tm_reply_code (msg=0x7f4e2cd14cb8, param=0x7f4e55a61328, res=0x7fffd5915aa0) at t_var.c:528
528                     code = t->uac[branch].last_received;


(gdb) info locals
t = 0x7f4e2cd0d928
code = 32590
branch = 0
__FUNCTION__ = "pv_get_tm_reply_code"


(gdb) list
523                 if ( (branch=_tmx_tmb.t_get_picked_branch())<0 ) {
524                     LM_CRIT("no picked branch (%d) for a final response"
525                             " in MODE_ONFAILURE\n", branch);
526                     code = 0;
527                 } else {
528                     code = t->uac[branch].last_received;
529                 }
530                 break;
531             default:
532                 LM_INFO("unsupported route_type %d - code set to 0\n",


(gdb) bt
#0  0x00007f4e5094a934 in pv_get_tm_reply_code (msg=0x7f4e2cd14cb8, param=0x7f4e55a61328, res=0x7fffd5915aa0) at t_var.c:528
#1  0x00000000005d0874 in pv_get_spec_value (msg=0x7f4e2cd14cb8, sp=0x7f4e55a61310, value=0x7fffd5915aa0) at core/pvapi.c:1380
#2  0x0000000000582062 in lval_pvar_assign (h=0x7fffd5916340, msg=0x7f4e2cd14cb8, lv=0x7f4e55a61098, rv=0x7f4e55a61308) at core/lvalue.c:335
#3  0x0000000000582d91 in lval_assign (h=0x7fffd5916340, msg=0x7f4e2cd14cb8, lv=0x7f4e55a61098, rve=0x7f4e55a61300) at core/lvalue.c:400
#4  0x000000000059647d in do_action (h=0x7fffd5916340, a=0x7f4e55a61a30, msg=0x7f4e2cd14cb8) at core/action.c:1443
#5  0x0000000000597f6e in run_actions (h=0x7fffd5916340, a=0x7f4e55a60d68, msg=0x7f4e2cd14cb8) at core/action.c:1564
#6  0x0000000000598683 in run_top_route (a=0x7f4e55a60d68, msg=0x7f4e2cd14cb8, c=0x0) at core/action.c:1646
#7  0x00007f4e50bb877f in run_failure_handlers (t=0x7f4e2cd0d928, rpl=0xffffffffffffffff, code=408, extra_flags=96) at t_reply.c:1002
#8  0x00007f4e50bbbc55 in t_should_relay_response (Trans=0x7f4e2cd0d928, new_code=408, branch=0, should_store=0x7fffd59166fc, should_relay=0x7fffd5916700, cancel_data=0x7fffd59167b0, reply=0xffffffffffffffff) at t_reply.c:1376
#9  0x00007f4e50bbef0b in relay_reply (t=0x7f4e2cd0d928, p_msg=0xffffffffffffffff, branch=0, msg_status=408, cancel_data=0x7fffd59167b0, do_put_on_wait=0) at t_reply.c:1802
#10 0x00007f4e50c20b5b in fake_reply (t=0x7f4e2cd0d928, branch=0, code=408) at timer.c:340
#11 0x00007f4e50c20fe8 in final_response_handler (r_buf=0x7f4e2cd0db50, t=0x7f4e2cd0d928) at timer.c:506
#12 0x00007f4e50c21097 in retr_buf_handler (ticks=262070135, tl=0x7f4e2cd0db70, p=0x3e8) at timer.c:562
#13 0x00000000004a0134 in timer_list_expire (t=262070135, h=0x7f4e2c741690, slow_l=0x7f4e2c7418c8, slow_mark=0) at core/timer.c:874
#14 0x00000000004a0595 in timer_handler () at core/timer.c:939
#15 0x00000000004a0a3f in timer_main () at core/timer.c:978
#16 0x0000000000425416 in main_loop () at main.c:1693
#17 0x000000000042c078 in main (argc=9, argv=0x7fffd5916e18) at main.c:2645


(gdb) bt full
#0  0x00007f4e5094a934 in pv_get_tm_reply_code (msg=0x7f4e2cd14cb8, param=0x7f4e55a61328, res=0x7fffd5915aa0) at t_var.c:528
        t = 0x7f4e2cd0d928
        code = 32590
        branch = 0
        __FUNCTION__ = "pv_get_tm_reply_code"
#1  0x00000000005d0874 in pv_get_spec_value (msg=0x7f4e2cd14cb8, sp=0x7f4e55a61310, value=0x7fffd5915aa0) at core/pvapi.c:1380
        ret = 0
        __FUNCTION__ = "pv_get_spec_value"
#2  0x0000000000582062 in lval_pvar_assign (h=0x7fffd5916340, msg=0x7f4e2cd14cb8, lv=0x7f4e55a61098, rv=0x7f4e55a61308) at core/lvalue.c:335
        pvar = 0x7f4e55a60fb8
        pval = {rs = {s = 0x0, len = 0}, ri = 0, flags = 0}
        r_avp = 0x7fffd5916178
        avp_val = {n = 631, s = {s = 0x277 <Address 0x277 out of bounds>, len = 1490070754}, re = 0x277}
        ret = 0
        v = 110
        destroy_pval = 0
        __FUNCTION__ = "lval_pvar_assign"
#3  0x0000000000582d91 in lval_assign (h=0x7fffd5916340, msg=0x7f4e2cd14cb8, lv=0x7f4e55a61098, rve=0x7f4e55a61300) at core/lvalue.c:400
        rv = 0x7f4e55a61308
        ret = 0
        __FUNCTION__ = "lval_assign"
#4  0x000000000059647d in do_action (h=0x7fffd5916340, a=0x7f4e55a61a30, msg=0x7f4e2cd14cb8) at core/action.c:1443
        ret = -5
        v = -711892832
        dst = {send_sock = 0x3, to = {s = {sa_family = 3328, sa_data = "\261Ĥug\032\001\000\000\000\000\000\000"}, sin = {sin_family = 3328, sin_port = 50353, sin_addr = {s_addr = 442987940}, sin_zero = "\001\000\000\000\000\000\000"}, sin6 = {sin6_family = 3328, 
              sin6_port = 50353, sin6_flowinfo = 442987940, sin6_addr = {__in6_u = {__u6_addr8 = "\001\000\000\000\000\000\000\000\314\025\227,N\177\000", __u6_addr16 = {1, 0, 0, 0, 5580, 11415, 32590, 0}, __u6_addr32 = {1, 0, 748099020, 32590}}}, sin6_scope_id = 0}}, 
          id = -53100608, proto = -112 '\220', send_flags = {f = 54673, blst_imask = 0}}
        tmp = 0x130053c9b5 <Address 0x130053c9b5 out of bounds>
        new_uri = 0xffffffffffffffff <Address 0xffffffffffffffff out of bounds>
        end = 0x7c7213 "INFO"
        crt = 0x7fffd5916210 ""
        cmd = 0x7f4e2c9715b8
        len = 0
        user = 0
        uri = {user = {s = 0x0, len = -1}, passwd = {s = 0x7f4e58cdb14d <_IO_vfprintf_internal+19661> "\200\275\360\372\377\377", len = 4}, host = {s = 0x0, len = 1493518176}, port = {s = 0x278f35b100000002 <Address 0x278f35b100000002 out of bounds>, len = 0}, params = {
            s = 0x7f4e2c4a44e8 "%s: %s%s(): rtp proxy <%s> found, support for it %senabled\n", len = 11}, sip_params = {s = 0x72 <Address 0x72 out of bounds>, len = 3440}, headers = {s = 0x7f4e2c4a4523 "", len = 2}, port_no = 28453, proto = 0, type = ERROR_URI_T, 
          flags = (URI_USER_NORMALIZE | URI_SIP_USER_PHONE | unknown: 1288637520), transport = {s = 0x29a4658 "", len = 44632544}, ttl = {s = 0x0, len = 43664984}, user_param = {s = 0xfffffffe00000280 <Address 0xfffffffe00000280 out of bounds>, len = 0}, maddr = {
            s = 0x80002a6ea061 <Address 0x80002a6ea061 out of bounds>, len = 0}, method = {s = 0x3000000010 <Address 0x3000000010 out of bounds>, len = -711891552}, lr = {s = 0x7fffd59164e0 "\023r|", len = -711892544}, r2 = {s = 0x2ac3b80 "\a", len = 1434729520}, gr = {
            s = 0x7fffd5916000 "\240\071\254\002", len = 2}, transport_val = {s = 0x1 <Address 0x1 out of bounds>, len = 748099020}, ttl_val = {s = 0x7fffd5915f10 "#EJ,N\177", len = 1}, user_param_val = {s = 0x1d5916010 <Address 0x1d5916010 out of bounds>, 
            len = 748099020}, maddr_val = {s = 0x7fffd5916010 "@a\221\325\377\177", len = 1341679493}, method_val = {s = 0x602a92e10 <Address 0x602a92e10 out of bounds>, len = 748099020}, lr_val = {s = 0x2ac39a0 "\001", len = 1490575056}, r2_val = {
            s = 0x7fffd5916140 "`a\221\325\377\177", len = 1341727119}, gr_val = {s = 0x0, len = 44710301}}
        next_hop = {user = {s = 0x7fff00000000 <Address 0x7fff00000000 out of bounds>, len = 0}, passwd = {s = 0x7fffd5916247 "", len = 0}, host = {s = 0x7fffd5915e70 " ", len = 1489875277}, port = {s = 0x3000000018 <Address 0x3000000018 out of bounds>, 
            len = -711891952}, params = {s = 0x7fff00000000 <Address 0x7fff00000000 out of bounds>, len = -5}, sip_params = {s = 0xa00000000 <Address 0xa00000000 out of bounds>, len = 1490071084}, headers = {s = 0x8 <Address 0x8 out of bounds>, len = 0}, port_no = 0, 
          proto = 0, type = 32590, flags = (URI_USER_NORMALIZE | URI_SIP_USER_PHONE | unknown: 743064856), transport = {s = 0x7fffd59163d0 "", len = 1493503968}, ttl = {s = 0x7fffd59164c8 "x\360\320,N\177", len = 743064808}, user_param = {
            s = 0x2a909e0 "\270G\005YN\177", len = 1489855931}, maddr = {s = 0x7f4e58cdb14d <_IO_vfprintf_internal+19661> "\200\275\360\372\377\377", len = 0}, method = {s = 0x7f4e2c49c885 "%d:", len = 11}, lr = {
            s = 0x7f4e00000002 <Address 0x7f4e00000002 out of bounds>, len = 0}, r2 = {s = 0x7f4e58e16532 "%d]", len = 11}, gr = {s = 0x3000000007 <Address 0x3000000007 out of bounds>, len = 3440}, transport_val = {s = 0x7fffd5915f50 "\200\002", len = -711893232}, 
          ttl_val = {s = 0xb0000000a <Address 0xb0000000a out of bounds>, len = -711893276}, user_param_val = {s = 0x5c00000000 <Address 0x5c00000000 out of bounds>, len = 0}, maddr_val = {s = 0x0, len = 0}, method_val = {
            s = 0x3000000020 <Address 0x3000000020 out of bounds>, len = 0}, lr_val = {s = 0x7f4e58cdb14d <_IO_vfprintf_internal+19661> "\200\275\360\372\377\377", len = 0}, r2_val = {s = 0x3000000000 <Address 0x3000000000 out of bounds>, len = 0}, gr_val = {
            s = 0x7f4e00000000 <Address 0x7f4e00000000 out of bounds>, len = 0}}
        u = 0xb26f10 <ut_buf_int2str>
        port = 0
        dst_host = 0x7c2e00 <__FUNCTION__.6168>
        i = 15
        flags = 32590
        avp = 0x7fffd59162c0
        st = {flags = 743055302, id = 32590, name = {n = -1, s = {s = 0xffffffffffffffff <Address 0xffffffffffffffff out of bounds>, len = 0}, re = 0xffffffffffffffff}, avp = 0x7}
        sct = 0x7fffd5916140
        sjt = 0x7f4e50019820
        rve = 0x20000000
        mct = 0x62c6fa6d0
        rv = 0x7f4e58cd65bb <_IO_vfprintf_internal+315>
        rv1 = 0x4000000
        c1 = {cache_type = 3583075336, val_type = 32767, c = {avp_val = {n = 1491166516, s = {s = 0x7f4e58e16534 "]", len = -711892240}, re = 0x7f4e58e16534}, pval = {rs = {s = 0x7f4e58e16534 "]", len = -711892240}, ri = 1493503968, flags = 32590}}, 
          i2s = "\bc\221\325\377\177\000\000\061e\341XN\177\000\000\340\t\251\002\000"}
        s = {s = 0x1 <Address 0x1 out of bounds>, len = 2}
        srevp = {0x0, 0xffffffffffffffff}
        evp = {data = 0x0, rcv = 0x0, dst = 0x0}
        mod_f_params = {{type = NOSUBTYPE, u = {number = 0, string = 0x0, str = {s = 0x0, len = 0}, data = 0x0, attr = 0x0, select = 0x0}}, {type = NOSUBTYPE, u = {number = 0, string = 0x0, str = {s = 0x0, len = 0}, data = 0x0, attr = 0x0, select = 0x0}}, {
            type = NOSUBTYPE, u = {number = 0, string = 0x0, str = {s = 0x0, len = 0}, data = 0x0, attr = 0x0, select = 0x0}}, {type = NOSUBTYPE, u = {number = 0, string = 0x0, str = {s = 0x0, len = 0}, data = 0x0, attr = 0x0, select = 0x0}}, {type = NOSUBTYPE, u = {
              number = 0, string = 0x0, str = {s = 0x0, len = 0}, data = 0x0, attr = 0x0, select = 0x0}}, {type = NOSUBTYPE, u = {number = 0, string = 0x0, str = {s = 0x0, len = 0}, data = 0x0, attr = 0x0, select = 0x0}}, {type = NOSUBTYPE, u = {number = 0, 
              string = 0x0, str = {s = 0x0, len = 0}, data = 0x0, attr = 0x0, select = 0x0}}, {type = NOSUBTYPE, u = {number = 0, string = 0x0, str = {s = 0x0, len = 0}, data = 0x0, attr = 0x0, select = 0x0}}}
        __FUNCTION__ = "do_action"
#5  0x0000000000597f6e in run_actions (h=0x7fffd5916340, a=0x7f4e55a60d68, msg=0x7f4e2cd14cb8) at core/action.c:1564
        t = 0x7f4e55a61a30
        ret = 1
        ms = 4820621
        __FUNCTION__ = "run_actions"
#6  0x0000000000598683 in run_top_route (a=0x7f4e55a60d68, msg=0x7f4e2cd14cb8, c=0x0) at core/action.c:1646
        ctx = {rec_lev = 1, run_flags = 0, last_retcode = 1, jmp_env = {{__jmpbuf = {139974474751696, -8436678796762393242, 8155667, 90, 536870912, 67108864, -8436678796800141978, 8436736086254966118}, __mask_was_saved = 0, __saved_mask = {__val = {139973736090808, 
                  139973736093009, 10, 17179869184, 67108864, 140736776463408, 11373999, 0, 65176423608, 9341819176, 139973736090808, 1073741826, 0, 536870912, 139974474751696, 8155667}}}}}
        p = 0x7fffd5916340
        ret = 536870912
        sfbk = 0
#7  0x00007f4e50bb877f in run_failure_handlers (t=0x7f4e2cd0d928, rpl=0xffffffffffffffff, code=408, extra_flags=96) at t_reply.c:1002
        faked_req = 0x7f4e2cd14cb8
        faked_req_len = 6840
        shmem_msg = 0x7f4e2cd0f078
        on_failure = 3
        keng = 0x0
        __FUNCTION__ = "run_failure_handlers"
#8  0x00007f4e50bbbc55 in t_should_relay_response (Trans=0x7f4e2cd0d928, new_code=408, branch=0, should_store=0x7fffd59166fc, should_relay=0x7fffd5916700, cancel_data=0x7fffd59167b0, reply=0xffffffffffffffff) at t_reply.c:1376
        branch_cnt = 1
        picked_code = 408
        new_branch = 582
        inv_through = 0
        extra_flags = 96
        i = 32590
        replies_dropped = 0
        __FUNCTION__ = "t_should_relay_response"
#9  0x00007f4e50bbef0b in relay_reply (t=0x7f4e2cd0d928, p_msg=0xffffffffffffffff, branch=0, msg_status=408, cancel_data=0x7fffd59167b0, do_put_on_wait=0) at t_reply.c:1802
        relay = 895
        save_clone = 0
        buf = 0x0
        res_len = 0
        relayed_code = 0
        relayed_msg = 0x0
        reply_bak = 0x0
        bm = {to_tag_val = {s = 0x7fffd5916710 "", len = 10879832}}
        totag_retr = 0
        reply_status = RPS_ERROR
        uas_rb = 0x0
        to_tag = 0xffffffffffffffff
        reason = {s = 0x7fffd5916800 "", len = 1354191177}
        onsend_params = {req = 0x1658, rpl = 0x7f4e2c6fb6c8, param = 0x7fffd59168f0, code = 1490575056, flags = 1, branch = 0, t_rbuf = 0x7fffd59166d0, dst = 0x69621b <qm_shm_gunlock+27>, send_buf = {s = 0x20000000 <Address 0x20000000 out of bounds>, len = 745283584}}
        ip = {af = 3583076016, len = 1, u = {addrl = {139973729695432, 140736776464048}, addr32 = {745518792, 32590, 3583076016, 32767}, addr16 = {46792, 11375, 32590, 0, 26288, 54673, 32767, 0}, addr = "ȶo,N\177\000\000\260f\221\325\377\177\000"}}
        __FUNCTION__ = "relay_reply"
#10 0x00007f4e50c20b5b in fake_reply (t=0x7f4e2cd0d928, branch=0, code=408) at timer.c:340
        cancel_data = {cancel_bitmap = 0, reason = {cause = 0, u = {text = {s = 0x0, len = 751884584}, e2e_cancel = 0x0, packed_hdrs = {s = 0x0, len = 751884584}}}}
        do_cancel_branch = 0
        reply_status = 89742
#11 0x00007f4e50c20fe8 in final_response_handler (r_buf=0x7f4e2cd0db50, t=0x7f4e2cd0d928) at timer.c:506
        silent = 0
        branch_ret = 0
        prev_branch = 67108864
        now = 536870912
#12 0x00007f4e50c21097 in retr_buf_handler (ticks=262070135, tl=0x7f4e2cd0db70, p=0x3e8) at timer.c:562
        rbuf = 0x7f4e2cd0db50
        fr_remainder = 3605054132
        retr_remainder = 32590
        retr_interval = 745526704
        new_retr_interval_ms = 4681055710
        crt_retr_interval_ms = 14800566388280090447
        t = 0x7f4e2cd0d928
        __FUNCTION__ = "retr_buf_handler"
#13 0x00000000004a0134 in timer_list_expire (t=262070135, h=0x7f4e2c741690, slow_l=0x7f4e2c7418c8, slow_mark=0) at core/timer.c:874
        tl = 0x7f4e2cd0db70
        ret = 0
#14 0x00000000004a0595 in timer_handler () at core/timer.c:939
        saved_ticks = 262070135
        run_slow_timer = 0
        i = 0
        __FUNCTION__ = "timer_handler"
#15 0x00000000004a0a3f in timer_main () at core/timer.c:978
No locals.
#16 0x0000000000425416 in main_loop () at main.c:1693
        i = 32
        pid = 0
        si = 0x0
        si_desc = "udp receiver child=31 sock=177.53.143.38:5080\000\000\000`j\221\325\377\177\000\000\320^\330XN\177\000\000\060m\221\325\377\177\000\000\023r|\000\000\000\000\000Z\000\000\000\000\000\000\000\000\000\000 \000\000\000\000\000\000\000\004\000\000\000\000__\330XN\177\000\000\200bx\000\000\000\000\000 at z\216UN\177\000"
        nrprocs = 32
        woneinit = 1
        __FUNCTION__ = "main_loop"
#17 0x000000000042c078 in main (argc=9, argv=0x7fffd5916e18) at main.c:2645
        cfg_stream = 0x2851010
        c = -1
        r = 0
        tmp = 0x7fffd5917f66 ""
        tmp_len = 0
        port = 0
        proto = 0
        options = 0x768aa0 ":f:cm:M:dVIhEeb:l:L:n:vKrRDTN:W:w:t:u:g:P:G:SQ:O:a:A:x:X:Y:"
        ret = -1
        seed = 4016190000
        rfd = 4
        debug_save = 0
        debug_flag = 0
        dont_fork_cnt = 0
        n_lst = 0x0
        p = 0x0
        st = {st_dev = 20, st_ino = 32456, st_nlink = 2, st_mode = 16832, st_uid = 0, st_gid = 2, __pad0 = 0, st_rdev = 0, st_size = 40, st_blksize = 4096, st_blocks = 0, st_atim = {tv_sec = 1551072083, tv_nsec = 812037328}, st_mtim = {tv_sec = 1551417587, 
            tv_nsec = 481360795}, st_ctim = {tv_sec = 1551417587, tv_nsec = 481360795}, __unused = {0, 0, 0}}
        __FUNCTION__ = "main"
```
