[SR-Users] Kamailio v4.0.5 crash - transformations related ?

[Dragos Oancea]

Hi 

We experimented a crash with kamailio 4.0.5 , it looks like a memory corruption.

After an analyse of the core file,  it appears that it crashed while doing a str2int transformation (trying to convert the value of myvar to int):


 if (($(dlg_var("myvar"){s.int}) == 0) && some_other_condition ) {
	do_something();
} 




gdb output:

(gdb) frame 4 
#4  0x00000000004bcb77 in rval_get_btype (h=0x7fffd69713d0, msg=0x7ffc8a58a4d0, rv=0x7ffc8a3dfc18, val_cache=0x7fffd69706a0) at rvalue.c:418
418in rvalue.c
(gdb) i loc 
r_avp = 0x7fffd69709b0
tmp_avp_val = {n = -1975661232, s = {s = 0x7ffc8a3dcd50 "\034\001", len = -1973902128}, re = 0x7ffc8a3dcd50}
avpv = 0x7fffd6970928
tmp_pval = {rs = {s = 0x7ffc8a5b86e0 "route[MAIN]: call-id=52e8c2b553540db4 from=987654321 to=+1234567890 : ACK ip=10.0.x.x", len = -1975658024}, ri = -694745968, flags = 32767}
pv = 0x7fffd69706a8
tmp = RV_NONE
ptype = 0x7ffc8a58a4d0
__FUNCTION__ = "rval_get_btype"
(gdb) p *pv
$8 = {rs = {s = 0x7069736f58652820 <Address 0x7069736f58652820 out of bounds>, len = 775106354}, ri = 0, flags = 4}
(gdb) p val_cache->c.pval 
$9 = {rs = {s = 0x7069736f58652820 <Address 0x7069736f58652820 out of bounds>, len = 775106354}, ri = 0, flags = 4}   <-  the value of s is invalid, it's a string from a SIP message.


Full GDB backtrace and info locals here :
kamailio 4.0.5 crash - memory corruption ? - Pastebin.com

 
   kamailio 4.0.5 crash - memory corruption ? - Pastebin.co...
(gdb) bt full #0  0x00007ffc822851e8 in str2sint (_s=0x7fffd69706a8, _r=0x7fffd69706b8) at ../../ut.h:681         i = 0         sign = 1   
View on pastebin.com Preview by Yahoo  


I still have the core file and I can help with further analysis  .


Regards,
Dragos

PS: Kamailio still rocks.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sip-router.org/pipermail/sr-users/attachments/20140430/42e8d4f4/attachment.html>