[sr-dev] [kamailio/kamailio] Crash in Kamailio 5.3.7 and onward (#2803)

Ivan Aponte notifications at github.com
Sun Oct 10 18:50:07 CEST 2021


I found that the crash is caused by a combination of two things: the function sip_msg_apply_changes does not copy the Call-ID header, and the dialog module's dlg_onroute asks for that header when it does not find the dialog, which makes LM_WARN try to print a null pointer.


I am attaching the conf I used and the test packet. It was tested with master. 

test packet:
```
ACK sip:15552003030 at 172.20.0.1:5060 SIP/2.0
Via: SIP/2.0/UDP 200.10.0.99:25587;rport;branch=z9hG4bKge3e2pX2SreKe
Route: <sip:10.10.0.99;lr;did=db9.69a1>
Route: <sip:192.168.10.99;lr;ftag=tvZ0UZm1Nypjj;did=db9.d048a271>
Max-Forwards: 69
From: "V0050923" <sip:0000000000 at 200.10.0.99>;tag=tvZ0UZm1Nypjj
To: <sip:15552003030 at 10.10.0.99:5060>;tag=kEpCUxgyofc
Call-ID: a7ee0ea6-a08a-123a-ac87-d4bed9f99694
CSeq: 42168114 ACK
Content-Length: 0

```

kamailio.cfg
```
#!KAMAILIO

# - flags
#   FLT_ - per transaction (message) flags
#	FLB_ - per branch flags
# The three lines below are "#!define" preprocessor directives, not comments.
# They name the transaction flags used by the acc modparams and by the
# setflag() calls in the routing blocks; no FLB_ (branch) flag is defined
# in this file.
#!define FLT_ACC 1
#!define FLT_ACCMISSED 2
#!define FLT_ACCFAILED 3



####### Global Parameters #########

### LOG Levels: 3=DBG, 2=INFO, 1=NOTICE, 0=WARN, -1=ERR
# With WITH_DEBUG defined, logging goes to stderr at level 4, which is above
# the highest level named in the legend; otherwise level 2 (INFO) to syslog.
#!ifdef WITH_DEBUG
debug=4
log_stderror=yes
#!else
debug=2
log_stderror=no
#!endif

# memory debugging / memory status log levels
memdbg=5
memlog=5

log_facility=LOG_LOCAL0
# Every log line is prefixed with message type, CSeq header and $ci (Call-ID).
# NOTE(review): the accompanying report concerns a message whose Call-ID is
# missing after msg_apply_changes(); whether this prefix takes part in the
# crash cannot be told from this listing - confirm.
log_prefix="{$mt $hdr(CSeq) $ci} "

# a single SIP worker process, which keeps the reproduction deterministic
children=1

/* Listening sockets: SIP over UDP on port 5060 (advertised as
 * 10.10.0.99:5060) and TCP on port 3030, the port that
 * event_route[xhttp:request] checks with dst_port. */
listen=udp:0.0.0.0:5060 advertise 10.10.0.99:5060
# NOTE(review): 0.0.0.0 binds the HTTP port (metrics and JSON-RPC) on every
# interface; the only restriction is the src_ip test in the event route.
# Bind to a management address or firewall the port outside a lab.
listen=tcp:0.0.0.0:3030
tcp_children=1
# accept TCP messages without a Content-Length header (HTTP requests handled
# by xhttp may not carry one)
tcp_accept_no_cl=yes



####### Custom Parameters #########

/* These parameters can be modified runtime via RPC interface
 * - see the documentation of 'cfg_rpc' module.
 *
 * Format: group.id = value 'desc' description
 * Access: $sel(cfg_get.group.id) or @cfg_get.group.id */


# Modules loaded for this reproduction. The ones the report refers to are
# textopsx (msg_apply_changes), rr (loose_route) and dialog (dlg_onroute);
# xhttp, jsonrpcs and xhttp_prom serve the HTTP endpoints on TCP port 3030.
loadmodule "kex.so"
loadmodule "corex.so"
loadmodule "tm.so"
loadmodule "tmx.so"
loadmodule "sl.so"
loadmodule "rr.so"
loadmodule "pv.so"
loadmodule "xhttp.so"
loadmodule "jsonrpcs.so"
loadmodule "maxfwd.so"
loadmodule "usrloc.so"
loadmodule "registrar.so"
loadmodule "textops.so"
loadmodule "textopsx.so"
loadmodule "siputils.so"
loadmodule "cfgutils.so"
loadmodule "xlog.so"
loadmodule "sanity.so"
loadmodule "ctl.so"
loadmodule "cfg_rpc.so"
loadmodule "acc.so"
loadmodule "counters.so"
loadmodule "dialog.so"
loadmodule "htable.so"
loadmodule "sdpops.so"
loadmodule "xhttp_prom.so"
loadmodule "uac.so"


# presumably makes uac keep its From/To restore data in the dialog module
# loaded above - confirm against the uac module documentation
modparam("uac", "restore_dlg", 1)



# Export every statistics group through the Prometheus endpoint served in
# event_route[xhttp:request], with a 2097152 reply buffer (2 MiB if the unit
# is bytes - confirm).
# NOTE(review): "all" publishes every internal counter to whoever can reach
# /metrics; see the ordering of the checks in the event route.
modparam("xhttp_prom", "xhttp_prom_stats", "all");
modparam("xhttp_prom", "xhttp_prom_buf_size", 2097152);

# the debugger module is loaded only when WITH_DEBUG is defined
#!ifdef WITH_DEBUG
loadmodule "debugger.so"
#!endif

# ----------------- setting module-specific parameters ---------------


# ----- jsonrpcs params -----
# NOTE(review): transport=1 is understood to enable only the HTTP transport;
# if so, the FIFO and datagram paths below are configured but not opened -
# confirm against the jsonrpcs documentation.
modparam("jsonrpcs", "transport", 1)
modparam("jsonrpcs", "pretty_format", 1)
/* set the path to RPC fifo control file */
# NOTE(review): the RPC control endpoints here and in the ctl section live
# under /tmp/kamailio. Make sure that directory is created with restrictive
# ownership and permissions so other local users cannot reach or pre-create
# the control files; jsonrpcs (fifo_mode, dgram_mode) and ctl (mode, user,
# group) have parameters for this.
modparam("jsonrpcs", "fifo_name", "/tmp/kamailio/kamailio_rpc.fifo")
/* set the path to RPC unix socket control file */
modparam("jsonrpcs", "dgram_socket", "/tmp/kamailio/kamailio_rpc.sock")

# ----- ctl params -----
/* set the path to RPC unix socket control file */
modparam("ctl", "binrpc", "unix:/tmp/kamailio/kamailio_ctl")

# ----- tm params -----
# auto-discard branches from previous serial forking leg
modparam("tm", "failure_reply_mode", 3)
# default retransmission timeout: 30sec
modparam("tm", "fr_timer", 30000)
# default invite retransmission timeout after 1xx: 120sec
modparam("tm", "fr_inv_timer", 120000)

# ----- rr params -----
# set next param to 1 to add value to ;lr param (helps with some UAs)
modparam("rr", "enable_full_lr", 0)
# do not append from tag to the RR (no need for this script)
modparam("rr", "append_fromtag", 0)

# ----- acc params -----
/* what special events should be accounted ? */
modparam("acc", "early_media", 0)
modparam("acc", "report_ack", 0)
modparam("acc", "report_cancels", 0)
/* by default we do not adjust the direction of the sequential requests.
 * if you enable this parameter, be sure to enable "append_fromtag"
 * in the "rr" module */
modparam("acc", "detect_direction", 0)
/* account triggers (flags) */
modparam("acc", "log_flag", FLT_ACC)
modparam("acc", "log_missed_flag", FLT_ACCMISSED)
# extra fields written with each accounting record: caller user, domain and
# source IP, plus original and current callee user and callee domain
modparam("acc", "log_extra",
	"src_user=$fU;src_domain=$fd;src_ip=$si;"
	"dst_ouser=$tU;dst_user=$rU;dst_domain=$rd")
modparam("acc", "failed_transaction_flag", FLT_ACCFAILED)

#!ifdef WITH_DEBUG
# ----- debugger params -----
modparam("debugger", "cfgtrace", 1)
modparam("debugger", "log_level_name", "exec")
#!endif




####### Routing Logic ########


/* Main SIP request routing logic
 * - processing of any incoming SIP request starts with this route
 * - note: this is the same as route { ... }
 * - order in this reproduction: REQINIT checks, CANCEL handling, SDP edit
 *   plus msg_apply_changes(), retransmission check, in-dialog handling,
 *   then initial-request handling */
request_route {

	# per request initial checks
	route(REQINIT);
	# CANCEL processing
	if (is_method("CANCEL")) {
		if (t_check_trans()) {
			route(RELAY);
		}
		exit;
	}

	# Runs for every non-CANCEL request, including requests without a body
	# such as ACK: remove codec ids 0, 3 and 8 from any SDP, then rebuild the
	# message so later functions work on the edited version.
	# NOTE(review): the report accompanying this config attributes the crash
	# to this msg_apply_changes() call (the rebuilt message is said to lack
	# the Call-ID header) combined with the dialog lookup that follows,
	# presumably reached through loose_route() in route(WITHINDLG). Keep the
	# order of these calls when using the file as a reproduction.
	sdp_remove_codecs_by_id("0,3,8");
	msg_apply_changes();

	# handle retransmissions
	if (!is_method("ACK")) {
		if(t_precheck_trans()) {
			t_check_trans();
			exit;
		}
		t_check_trans();
	}

	# in-dialog requests (those with a To tag) are handled there and do not
	# return here
	route(WITHINDLG);

	# record routing for dialog forming requests (in case they are routed)
	# - remove preloaded route headers
	remove_hf("Route");
	if (is_method("INVITE|SUBSCRIBE")) {
		record_route();
	}
	# account only INVITEs
	if (is_method("INVITE")) {
		setflag(FLT_ACC); # do accounting
		# start dialog tracking for this INVITE
    dlg_manage();
		# INVITEs addressed to this server that do not come from
		# 192.168.10.99 are rewritten to that host and relayed; RELAY exits
		if (uri==myself && src_ip!=192.168.10.99 ) {
		  rewritehost("192.168.10.99");
    	  route(RELAY);
		}
	}

	if ($rU==$null) {
		# request with no Username in RURI
		sl_send_reply("484","Address Incomplete");
		exit;
	}

	# nothing follows: a request that gets here with a user part in the R-URI
	# is neither relayed nor replied to by any statement in this route
}


# Wrapper for relaying requests
# Arms the branch, reply and failure routes (unless one is already set for
# the transaction), relays statefully and always ends script execution.
route[RELAY] {

	# NOTE(review): no branch_route[MANAGE_BRANCH] appears in this listing;
	# only MANAGE_REPLY and MANAGE_FAILURE are defined below.
	if (is_method("INVITE|BYE|SUBSCRIBE|UPDATE")) {
		if(!t_is_set("branch_route")) t_on_branch("MANAGE_BRANCH");
	}
	if (is_method("INVITE|SUBSCRIBE|UPDATE|BYE")) {
		if(!t_is_set("onreply_route")) t_on_reply("MANAGE_REPLY");
	}
	if (is_method("INVITE")) {
		if(!t_is_set("failure_route")) t_on_failure("MANAGE_FAILURE");
	}

	# when the relay fails, send a stateless error reply
	if (!t_relay()) {
		sl_reply_error();
	}
	exit;
}

# Per SIP request initial checks
# Every request passes through here first; each failed check ends processing
# with exit, so msg_apply_changes() in request_route only sees messages that
# passed all four tests.
route[REQINIT] {

	# NOTE(review): the User-Agent header is chosen by the sender, so this
	# match only filters tools that announce themselves; it is noise
	# reduction, not an access control.
	if($ua =~ "friendly-scanner|sipcli|VaxSIPUserAgent") {
		# silent drop for scanners - uncomment next line if want to reply
		# sl_send_reply("200", "OK");
		exit;
	}

	# Max-Forwards processing; "10" is the value handed to the maxfwd module
	if (!mf_process_maxfwd_header("10")) {
		sl_send_reply("483","Too Many Hops");
		exit;
	}

	# answer OPTIONS addressed to this server without a user part locally
	if(is_method("OPTIONS") && uri==myself && $rU==$null) {
		sl_send_reply("200","Keepalive");
		exit;
	}

	# The two arguments select which message and URI checks the sanity module
	# runs; their meaning is defined by that module. A message that fails is
	# logged with its source address and dropped here.
	# NOTE(review): the report's crash happens after this point, so the test
	# packet evidently is not rejected by these checks; they should not be
	# counted on to keep that message shape away from the later code.
	if(!sanity_check("1511", "7")) {
		xlog("Malformed SIP message from $si:$sp\n");
		exit;
	}
}

# Handle requests within SIP dialogs
# Returns to the caller for requests without a To tag; every other path
# through this route ends with exit.
route[WITHINDLG] {
	if (!has_totag()) return;

	# sequential request within a dialog should
	# take the path determined by record-routing
	# NOTE(review): loose_route() processes the Route headers of the request.
	# The accompanying report says the dialog module's dlg_onroute then asks
	# for the Call-ID when it cannot find the dialog; that callback is
	# presumably triggered from this call - confirm against the dialog and
	# rr sources. By this point msg_apply_changes() has already rebuilt the
	# message in request_route.
	if (loose_route()) {
		if (is_method("BYE")) {
			setflag(FLT_ACC); # do accounting ...
			setflag(FLT_ACCFAILED); # ... even if the transaction fails
		} else if ( is_method("NOTIFY") ) {
			# Add Record-Route for in-dialog NOTIFY as per RFC 6665.
			record_route();
		}
		route(RELAY);
		exit;
	}

	# ACK that was not loose-routed: relay it only when it matches a known
	# transaction, otherwise drop it silently
	if ( is_method("ACK") ) {
		if ( t_check_trans() ) {
			route(RELAY);
			exit;
		} else {
			exit;
		}
	}
	# any other in-dialog request that cannot be loose-routed is rejected
	sl_send_reply("404","Not here");
	exit;
}




# Manage incoming replies
# Armed by route[RELAY] through t_on_reply(). Provisional (1xx) replies
# return early; other replies reach the end of the block, so no reply is
# modified here.
onreply_route[MANAGE_REPLY] {
	if(status=~"1[0-9][0-9]") {
		return;
	}

}

# Manage failure routing cases
# Armed by route[RELAY] for INVITE through t_on_failure(). Stops on a
# cancelled transaction; nothing else is done for other failures.
failure_route[MANAGE_FAILURE] {
	if (t_is_canceled()) exit;
}

# HTTP requests received by the xhttp module: Prometheus metrics under
# /metrics, JSON-RPC under /RPC, 403 or 404 for everything else.
event_route[xhttp:request] {
	# NOTE(review): this branch runs before the source-address test below, so
	# any client able to reach TCP port 3030 can read the metrics, and
	# xhttp_prom_stats is set to "all". If scraping should be limited to the
	# management network, the src_ip test has to come first.
	if ($hu =~ "^/metrics" && dst_port == 3030 ) {
		prom_dispatch();
		return;
	}
  # everything else is refused unless it comes from 10.127.0.0/20 and
  # arrived on port 3030
  if(src_ip!=10.127.0.0/20 || dst_port!=3030) {
        xhttp_reply("403", "Forbidden", "text/html",
            "<html><body>Not allowed from $si</body></html>");
        exit;
  }
	# NOTE(review): the source address is the only gate in front of
	# jsonrpc_dispatch(); no authentication or TLS is configured in this
	# listing, so every host in that range can issue RPC commands.
	if ($hu =~ "^/RPC") {
		jsonrpc_dispatch();
  } else {
        xhttp_reply("404", "Not Found", "text/html",
            "<html><body>Not Found</body></html>");
  }
  return;
}
```


-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/2803#issuecomment-939514638