[sr-dev] [kamailio/kamailio] ims_ipsec_pcscf crashes after the call (Issue #2970)

Artem Vasiliev notifications at github.com
Wed Jan 12 20:38:24 CET 2022


It seems that the problem is not in contact parsing. I think that the object is in some failed state.

In the core dump we have what seems to be a valid Contact field:

```
#0  0x00007f0b29e26979 in fill_contact (ci=0x7fffff6755a0, m=0x7f0b2a68e780) at cmd.c:271
```
```
"<sip:alice@10.2.16.36:5060;gr=00F54E59-1172-EC11-9AC7-7D467C83D9C2>
----
INVITE sip:bob@ims.mnc001.mcc001.3gppnetwork.org SIP/2.0
Via: SIP/2.0/UDP 10.2.16.36:5060;branch=z9hG4bK8019dd952e72ec119bd47d467c83d9c2;rport
From: "PhonerLite" <sip:alice@ims.mnc001.mcc001.3gppnetwork.org>;tag=4116302762
To: <sip:bob@ims.mnc001.mcc001.3gppnetwork.org>
Call-ID: 8019DD95-2E72-EC11-9BD3-7D467C83D9C2@10.2.16.36
CSeq: 1 INVITE
Contact: <sip:alice@10.2.16.36:5060;gr=00F54E59-1172-EC11-9AC7-7D467C83D9C2>
Content-Type: application/sdp
Allow: INVITE, ACK, BYE, CANCEL, INFO, MESSAGE, NOTIFY, OPTIONS, REFER, UPDATE, PRACK
Max-Forwards: 69
Supported: 100rel, replaces, from-change, gruu
User-Agent: PhonerLite/2.97
P-Preferred-Identity: <sip:alice@ims.mnc001.mcc001.3gppnetwork.org>
Content-Length:   340
```

We have a normal pointer to the parsed object, but the object itself contains garbage. This is why no parsing is performed and [this](https://github.com/kamailio/kamailio/blob/master/src/modules/ims_ipsec_pcscf/cmd.c#L256) check passes.
```
(gdb) p req->contact.parsed
$45 = (void *) 0x7f0b2a69b778
(gdb) p *(contact_body_t*)req->contact.parsed
$46 = {
  star = 3 '\003', <---- this
  contacts = 0x38  <---- and this
}
```

If we take the `next` header, then the `parsed` pointer contains even stranger things:
```
(gdb) p *req->contact.next
$49 = {
  type = HDR_CONTENTTYPE_T,
  name = {
    s = 0x7f0b238ab6c3 "Content-Type: application/sdp\r\nAllow: INVITE, ACK, BYE, CANCEL, INFO, MESSAGE, NOTIFY, OPTIONS, REFER, UPDATE, PRACK\r\nMax-Forwards: 69\r\nSupported: 100rel, replaces, from-change, gruu\r\nUser-Agent: Phon"...,
    len = 12
  },
  body = {
    s = 0x7f0b238ab6d1 "application/sdp\r\nAllow: INVITE, ACK, BYE, CANCEL, INFO, MESSAGE, NOTIFY, OPTIONS, REFER, UPDATE, PRACK\r\nMax-Forwards: 69\r\nSupported: 100rel, replaces, from-change, gruu\r\nUser-Agent: PhonerLite/2.97\r\nP"...,
    len = 15
  },
  len = 31,
  parsed = 0x30003, <------- this
  next = 0x7f0b238ac088
}
```

I am not much into this code and unfortunately I am unable to find where these values are set. Are messages reused or created from scratch each time? The `m` variable (reply message) that is passed into this method seems to be OK, by the way.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/2970#issuecomment-1011387980
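Added example, not from the issue, the reporter or the Kamailio code base: a minimal C model of the failure mode described in the comment above, where a `parsed` pointer that is non-NULL but no longer valid passes a NULL-only "already parsed?" check, so the code skips parsing and reads whatever the memory now holds. The struct names mirror the gdb dump (`contact_body_t`, `hdr_field`, `sip_msg`) but are simplified stand-ins, not the real definitions; `contact_parse_needed`, `clone_shallow`, `clone_reset_parsed` and `copy_trusts_stale_pointer` are hypothetical helpers, and the header body is constructed after the Contact in the report. Whether message cloning or reuse is what actually produces the stale pointer in this crash is the open question in the thread; the example only shows why a NULL check alone cannot catch a stale pointer, and that a copy which resets its parse state is forced to re-parse from the raw header text.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins for the structures named in the gdb dump.
 * Not the real Kamailio definitions. */
typedef struct contact_body {
    unsigned char star;  /* non-zero for "Contact: *" */
    void *contacts;      /* parsed contact list; unused in this model */
} contact_body_t;

typedef struct hdr_field {
    int type;
    const char *body;    /* raw header body text */
    void *parsed;        /* NULL until parsed, then a contact_body_t* */
    struct hdr_field *next;
} hdr_field_t;

typedef struct sip_msg {
    hdr_field_t contact;
} sip_msg_t;

/* The shape of the check under discussion: parse only when nothing has
 * been parsed yet. Any non-NULL pointer is trusted, valid or not.
 * Returns 1 when the caller would parse, 0 when it trusts `parsed`. */
int contact_parse_needed(const hdr_field_t *h)
{
    return h->parsed == NULL;
}

/* Parse the Contact body into a fresh heap object and attach it.
 * Returns 1 if a parse happened, 0 if an existing pointer was trusted,
 * -1 on allocation failure. */
int parse_contact(hdr_field_t *h)
{
    contact_body_t *cb;
    if (!contact_parse_needed(h))
        return 0;
    cb = calloc(1, sizeof(*cb));
    if (cb == NULL)
        return -1;
    cb->star = (h->body != NULL && h->body[0] == '*');
    h->parsed = cb;
    return 1;
}

/* Owner releases its parsed body and clears its own pointer. Any other
 * struct that copied the pointer earlier still holds the stale value. */
void free_contact_parsed(hdr_field_t *h)
{
    free(h->parsed);
    h->parsed = NULL;
}

/* Byte-for-byte copy: the copy inherits `parsed`, which points at memory
 * owned by, and later freed with, the original. */
void clone_shallow(const sip_msg_t *src, sip_msg_t *dst)
{
    memcpy(dst, src, sizeof(*dst));
}

/* Copy that drops per-message parse state, so the copy re-parses from
 * the raw header text instead of trusting the original's pointer. */
void clone_reset_parsed(const sip_msg_t *src, sip_msg_t *dst)
{
    memcpy(dst, src, sizeof(*dst));
    dst->contact.parsed = NULL;
}

/* Parse if needed and report the star flag (the field the dump shows
 * holding 3). Returns -1 if parsing failed. */
int contact_is_star(hdr_field_t *h)
{
    if (parse_contact(h) < 0)
        return -1;
    return ((contact_body_t *)h->parsed)->star;
}

/* Scenario: the original parses, is cloned with `clone`, then frees its
 * parsed body. Returns 1 if the NULL-only check would still trust the
 * copy's pointer (stale), 0 if the copy would be re-parsed, -1 on error.
 * The stale pointer is never dereferenced here: doing so is the
 * use-after-free that the crash report describes. */
int copy_trusts_stale_pointer(void (*clone)(const sip_msg_t *, sip_msg_t *))
{
    /* Constructed header body, modelled on the Contact in the report. */
    sip_msg_t orig = { { 1, "<sip:alice@10.2.16.36:5060>", NULL, NULL } };
    sip_msg_t copy;

    if (parse_contact(&orig.contact) != 1)
        return -1;
    clone(&orig, &copy);
    free_contact_parsed(&orig.contact);
    return !contact_parse_needed(&copy.contact);
}

int main(void)
{
    sip_msg_t m = { { 1, "*", NULL, NULL } };
    int star = contact_is_star(&m.contact);
    free_contact_parsed(&m.contact);
    return (star == 1
            && copy_trusts_stale_pointer(clone_shallow) == 1
            && copy_trusts_stale_pointer(clone_reset_parsed) == 0) ? 0 : 1;
}
```

Running the shallow-clone scenario under AddressSanitizer, with a real dereference of `copy.contact.parsed` added, reports a heap-use-after-free at the read; that is the kind of instrumented build that turns "garbage in a valid-looking pointer" into a stack trace pointing at the owner that freed it.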