[SR-Users] SIP Router 3.03 topoh

marius zbihlei marius.zbihlei at 1and1.ro
Thu Nov 25 18:38:15 CET 2010


On 11/25/2010 07:32 PM, dotnetdub wrote:
>
>>         Hi Marius,
>>
>>
>>     I hope this is what your after!
>>
>>     (gdb) add-symbol-file /lib/kamailio/modules/topoh.so
>>     0xb7004000+0x00001d30
>>     add symbol table from file "/lib/kamailio/modules/topoh.so" at
>>     .text_addr = 0xb7005d30
>>     (y or n) y
>>     Reading symbols from /lib/kamailio/modules/topoh.so...done.
>>     (gdb) x/s 0xb70070d9
>>     0xb70070d9 <th_skip_msg+9>: <Address 0xb70070d9 out of bounds>
>>     (gdb) info registers
>>
>
>     Yes I think it is
>
>     Looking at the debug messages I see the CSeq is wrong.
>
>     But :
>
>     int th_skip_msg(sip_msg_t *msg)
>     {
>            
>     if((get_cseq(msg)->method_id)&(METHOD_REGISTER|METHOD_PUBLISH))
>                     return 1;
>
>             return 0;
>     }
>
>     As the cseq is wrong the get_cseq macro probably returns a NULL
>     Pointer who gets dereferenced (BANG the crash). Any other Ideas ?!
>
>     The patch is trivial ( if(!get_cseq(msg))) parse_cseq(....) )
>     something in this line. Daniel, What do you think ?
>
>     Marius
>
>
>
> Thanks Marius.
>
> Glad that we were able to find the issue.

Are you able to test a patch if a provide one to you? I wanted to wait 
for Daniel's opinion as I have no way of testing it. If you have a dump 
of the attack traffic or you can generate more with bad CSEQ (as from 
the message log you provided) you can test the patch against your cfg 
and see if it still crashes(hope not). In my opinion the crash should be 
deterministic. You will find the trivial patch attached. If you can test 
it and it works I will push it to upstream (also to 3.0 branch). Keep in 
mind that other probles might appear as well during the processing of 
the SIP messages. If a core does appear please retry the steps in the 
previous mail with the new core and .so offset.

Apply the patch with the patch utility (copy to the modules/topoh and 
run patch < patch) . I await some feedback :)

Marius
>
> Regards
> Brian
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sip-router.org/pipermail/sr-users/attachments/20101125/d510db88/attachment.htm>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: patch
URL: <http://lists.sip-router.org/pipermail/sr-users/attachments/20101125/d510db88/attachment.txt>


More information about the sr-users mailing list