[sr-dev] [kamailio/kamailio] dialog: segfault with db_mode = 1 and broken SIP message (#1899)

Bastian Triller notifications at github.com
Thu Mar 21 09:39:31 CET 2019


### Description
The `dialog` module is configured with `db_mode` 1 (realtime). When receiving the following broken SIP `200` response (missing 6 bytes between header and body), Kamailio crashes:
```
SIP/2.0 200 OK
Via: SIP/2.0/UDP 1.2.3.4;branch=z9hG4bKa185.ad1e5804a90a4f79fa2b09b3b2118053.0
Via: SIP/2.0/UDP 2.3.4.5:7016;received=2.3.4.5;branch=z9hG4bK370933d4;rport=7016
Record-Route: <sip:1.2.3.4;lr=on;did=c41.dee>
From: "1234" <sip:1234@example.com>;tag=as4cbf81fd
To: <sip:2345@example.com>;tag=3450065082
Call-ID: 727ca44f1e962eb321143475380dfbd9@example.com
CSeq: 102 INVITE
Contact: <sip:2345@3.4.5.6:12500>
Content-Type: application/sdp
Allow: INVITE, INFO, PRACK, ACK, BYE, CANCEL, OPTIONS, NOTIFY, REGISTER, SUBSCRIBE, REFER, PUBLISH, UPDATE, MESSAGE
Content-Length: 2170
o=- 20568 20568 IN IP4 3.4.5.6
s=SDP data
c=IN IP4 3.4.5.6
t=0 0
m=audio 13002 RTP/AVP 8 101
a=rtpmap:8 PCMA/8000
a=ptime:20
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=sendrecv
```
The crash happens in [dlg_db_handler.c](https://github.com/kamailio/kamailio/blob/master/src/modules/dialog/dlg_db_handler.c#L869-L874):
```
		LM_DBG("sock_info is %.*s\n", 
			cell->bind_addr[DLG_CALLER_LEG]->sock_str.len,
			cell->bind_addr[DLG_CALLEE_LEG]->sock_str.s);

		SET_STR_VALUE(values+7, cell->bind_addr[DLG_CALLER_LEG]->sock_str);
		SET_STR_VALUE(values+8, cell->bind_addr[DLG_CALLEE_LEG]->sock_str);
```

#### Debugging Data
```
Thread 1 (Thread 0x7fc64b620700 (LWP 2333)):
+bt
#0  0x00007fc641675b63 in update_dialog_dbinfo_unsafe (cell=0x7fc619a71ff8) at dlg_db_handler.c:784
#1  0x00007fc641676852 in update_dialog_dbinfo (cell=0x7fc619a71ff8) at dlg_db_handler.c:881
#2  0x00007fc64167c861 in dlg_onreply (t=0x7fc61d7888f0, type=1048576, param=0x7ffe1ce712f0) at dlg_handlers.c:509
#3  0x00007fc6443f4f17 in run_trans_callbacks_internal (cb_lst=0x7fc61d788960, type=1048576, trans=0x7fc61d7888f0, params=0x7ffe1ce712f0) at t_hooks.c:260
#4  0x00007fc6443f5144 in run_trans_callbacks_with_buf (type=1048576, rbuf=0x7fc61d7889b0, req=0x7fc61ec43928, repl=0x7fc646dcbd80, flags=0) at t_hooks.c:305
#5  0x00007fc6443aaabc in relay_reply (t=0x7fc61d7888f0, p_msg=0x7fc646dcbd80, branch=0, msg_status=200, cancel_data=0x7ffe1ce71580, do_put_on_wait=1) at t_reply.c:1950
#6  0x00007fc6443ae844 in reply_received (p_msg=0x7fc646dcbd80) at t_reply.c:2521
#7  0x000055fd54405df6 in do_forward_reply (msg=0x7fc646dcbd80, mode=0) at core/forward.c:749
#8  0x000055fd5440784b in forward_reply (msg=0x7fc646dcbd80) at core/forward.c:851
#9  0x000055fd544522d2 in receive_msg (buf=0x55fd5492d080 <buf> "SIP/2.0 200 OK\r\nVia: SIP/2.0/UDP ...", len=960, rcv_info=0x7ffe1ce71ad0) at core/receive.c:341
#10 0x000055fd5436e207 in udp_rcv_loop () at core/udp_server.c:515
#11 0x000055fd542dc608 in main_loop () at main.c:1623
#12 0x000055fd542e46a9 in main (argc=13, argv=0x7ffe1ce71f78) at main.c:2642
```

### Possible Solutions

Check `bind_addr` before accessing.

### Additional Information

The version was 5.0.x, but at least the code in `dlg_handler.c` hasn't been modified in `master` since then.


-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/1899
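A defensive version of the socket lookup the report points at, as an added example that is not Kamailio's own code: the `str`, `socket_info_t` and `dlg_cell_t` types below are simplified hypothetical stand-ins for the project's structures, and `dlg_collect_sock_values` is an assumed helper that refuses to build the DB row when either leg's `bind_addr` is NULL, which is what "check `bind_addr` before accessing" amounts to. It also takes `len` and `s` from the same leg, whereas the quoted `LM_DBG` mixes the caller leg's length with the callee leg's pointer.

```c
#include <stddef.h>
#include <stdio.h>

/* Minimal stand-ins for Kamailio's str / socket_info / dlg_cell types
 * (hypothetical simplifications for this example, not the project's own). */
typedef struct { char *s; int len; } str;
typedef struct { str sock_str; } socket_info_t;

enum { DLG_CALLER_LEG = 0, DLG_CALLEE_LEG = 1 };

typedef struct {
    socket_info_t *bind_addr[2];   /* NULL when a leg was never bound */
} dlg_cell_t;

/* Stand-in for the two db_val_t columns written at values+7 / values+8. */
typedef struct { str caller_sock; str callee_sock; } dlg_sock_values_t;

/* Returns 0 and fills `out` when both legs carry a bound socket; returns -1
 * and leaves `out` untouched when either bind_addr is NULL, so the realtime
 * DB update can be skipped instead of dereferencing a NULL pointer. */
int dlg_collect_sock_values(const dlg_cell_t *cell, dlg_sock_values_t *out)
{
    if (cell == NULL || out == NULL)
        return -1;
    for (int leg = DLG_CALLER_LEG; leg <= DLG_CALLEE_LEG; leg++) {
        if (cell->bind_addr[leg] == NULL) {
            fprintf(stderr, "dialog: bind_addr for leg %d not set, "
                            "skipping db update\n", leg);
            return -1;
        }
    }
    /* len and s come from the same leg, so the debug log cannot mix them. */
    out->caller_sock = cell->bind_addr[DLG_CALLER_LEG]->sock_str;
    out->callee_sock = cell->bind_addr[DLG_CALLEE_LEG]->sock_str;
    return 0;
}

int main(void)
{
    /* Constructed sample data: one bound socket, one dialog missing the callee leg. */
    socket_info_t caller = { { "udp:1.2.3.4:5060", 16 } };
    dlg_cell_t good = { { &caller, &caller } };
    dlg_cell_t broken = { { &caller, NULL } };
    dlg_sock_values_t v;
    printf("good dialog:   %d\n", dlg_collect_sock_values(&good, &v));
    printf("broken dialog: %d\n", dlg_collect_sock_values(&broken, &v));
    return 0;
}
```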