[SR-Users] q_malloc crash

Juha Heinanen jh at tutpro.com
Wed May 14 21:19:13 CEST 2014


i just noticed that my proxy had crashed on an invite request from an
attacker:

May 14 22:03:06 sars /usr/sbin/sip-proxy[10932]: INFO: INVITE <tel:00441212792194> by untrusted <sip:210.125.64.233> from <210.125.64.233>
May 14 22:03:06 sars /usr/sbin/sip-proxy[10932]: : <core> [mem/q_malloc.c:159]: qm_debug_frag(): BUG: qm_*: prev. fragm. tail overwritten(c0c0c000, abcdefed)[0xb70f6a64:0xb70f6a7c]!
May 14 22:03:08 sars /usr/sbin/sip-proxy[11014]: : <core> [pass_fd.c:293]: receive_fd(): ERROR: receive_fd: EOF on 24
May 14 22:03:08 sars /usr/sbin/sip-proxy[10913]: ALERT: <core> [main.c:775]: handle_sigs(): child process 10932 exited by a signal 6
May 14 22:03:08 sars /usr/sbin/sip-proxy[10913]: ALERT: <core> [main.c:778]: handle_sigs(): core was generated

Program terminated with signal 6, Aborted.
#0  0xb7782424 in __kernel_vsyscall ()
(gdb) where
#0  0xb7782424 in __kernel_vsyscall ()
#1  0xb7616941 in raise () from /lib/i386-linux-gnu/i686/cmov/libc.so.6
#2  0xb7619d72 in abort () from /lib/i386-linux-gnu/i686/cmov/libc.so.6
#3  0x08179f86 in qm_debug_frag (qm=0xb6dea008, f=0xb70f6a64)
    at mem/q_malloc.c:161
#4  0x0817ac3a in qm_malloc (qm=0xb6dea008, size=48, 
    file=0x81f3169 "<core>: action.c", func=0x81f42f0 "do_action", line=780)
    at mem/q_malloc.c:386
#5  0x0805e798 in do_action (h=0xbffc1ca0, a=0xbffc1d48, msg=0xb72c6928)
    at action.c:780
#6  0xb1c5ac1d in pv_set_ruri (msg=0xb72c6928, param=0xb6f75630, op=254, 
    val=0xbffc1e0c) at pv_core.c:2019
#7  0xb1b5df59 in tel2sip (_msg=0xb72c6928, 
    _uri=0xb6f75c70 "H\207\367\266\004", 
    _hostpart=0xb6f75530 "\254y\367\266\004", _res=0xb6f75624 "\006")
    at checks.c:405
#8  0x0805fdf7 in do_action (h=0xbffc21e0, a=0xb6f77858, msg=0xb72c6928)
    at action.c:1117
#9  0x08067293 in run_actions (h=0xbffc21e0, a=0xb6f77858, msg=0xb72c6928)
    at action.c:1599
#10 0x080678e2 in run_actions_safe (h=0xbffc39ac, a=0xb6f77858, msg=0xb72c6928)
    at action.c:1664
#11 0x081015fe in rval_get_int (h=0xbffc39ac, msg=0xb72c6928, i=0xbffc2528, 
    rv=0xb6f779fc, cache=0x0) at rvalue.c:924
#12 0x08103f83 in rval_expr_eval_int (h=0xbffc39ac, msg=0xb72c6928, 
    res=0xbffc2528, rve=0xb6f779f8) at rvalue.c:1918
#13 0x0810416e in rval_expr_eval_int (h=0xbffc39ac, msg=0xb72c6928, 
    res=0xbffc27c4, rve=0xb6f78360) at rvalue.c:1926
#14 0x0805fa26 in do_action (h=0xbffc39ac, a=0xb6f78820, msg=0xb72c6928)
    at action.c:1075
#15 0x08067293 in run_actions (h=0xbffc39ac, a=0xb6f78820, msg=0xb72c6928)
    at action.c:1599
#16 0x0805fca0 in do_action (h=0xbffc39ac, a=0xb6f788c4, msg=0xb72c6928)
    at action.c:1094
#17 0x08067293 in run_actions (h=0xbffc39ac, a=0xb6f788c4, msg=0xb72c6928)
    at action.c:1599
#18 0x0805fc5f in do_action (h=0xbffc39ac, a=0xb6f78968, msg=0xb72c6928)
    at action.c:1090
#19 0x08067293 in run_actions (h=0xbffc39ac, a=0xb6f78968, msg=0xb72c6928)
    at action.c:1599
#20 0x0805e00d in do_action (h=0xbffc39ac, a=0xb6e7720c, msg=0xb72c6928)
    at action.c:715
#21 0x08067293 in run_actions (h=0xbffc39ac, a=0xb6e5161c, msg=0xb72c6928)
    at action.c:1599
#22 0x0805e00d in do_action (h=0xbffc39ac, a=0xb6e50238, msg=0xb72c6928)
    at action.c:715
#23 0x08067293 in run_actions (h=0xbffc39ac, a=0xb6e50238, msg=0xb72c6928)
    at action.c:1599
#24 0x0805fc5f in do_action (h=0xbffc39ac, a=0xb6e50bfc, msg=0xb72c6928)
    at action.c:1090
#25 0x08067293 in run_actions (h=0xbffc39ac, a=0xb6e4891c, msg=0xb72c6928)
    at action.c:1599
#26 0x0806797a in run_top_route (a=0xb6e4891c, msg=0xb72c6928, c=0x0)
    at action.c:1685
#27 0x080e2bcf in receive_msg (
    buf=0x82f99e0 "INVITE tel:00441212792194 SIP/2.0\r\nVia: SIP/2.0/UDP 210.125.64.233;branch=z9hG4bK4KmbLm4c\r\nMax-Forwards: 69\r\nFrom: <sip:210.125.64.233>;tag=qua2A5c8s9VJZ\r\nTo: <tel:00441212792194>\r\nContact: <sip:210.1"..., 
    len=1115, rcv_info=0xbffc3bb0) at receive.c:211
#28 0x081702cd in udp_rcv_loop () at udp_server.c:536
#29 0x080ad9a0 in main_loop () at main.c:1617
#30 0x080b098f in main (argc=17, argv=0xbffc3e64) at main.c:2533

perhaps due to a bug in the tel2sip function.

-- juha
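As an added defender-side example (not part of Juha's post or of the sip-router code), a small Python scanner that runs over the syslog lines from this report, re-joined onto one line each, and correlates the q_malloc BUG message with the worker's signal exit and the last request that worker logged as coming from an untrusted source. The regexes are assumptions about the log format exactly as it appears above; the sample log is constructed from the report.

```python
import re

# Constructed sample input: the five syslog lines from the report above, re-joined
# onto one line each (the mail wrapped them with a trailing backslash).
SAMPLE_LOG = """\
May 14 22:03:06 sars /usr/sbin/sip-proxy[10932]: INFO: INVITE <tel:00441212792194> by untrusted <sip:210.125.64.233> from <210.125.64.233>
May 14 22:03:06 sars /usr/sbin/sip-proxy[10932]: : <core> [mem/q_malloc.c:159]: qm_debug_frag(): BUG: qm_*: prev. fragm. tail overwritten(c0c0c000, abcdefed)[0xb70f6a64:0xb70f6a7c]!
May 14 22:03:08 sars /usr/sbin/sip-proxy[11014]: : <core> [pass_fd.c:293]: receive_fd(): ERROR: receive_fd: EOF on 24
May 14 22:03:08 sars /usr/sbin/sip-proxy[10913]: ALERT: <core> [main.c:775]: handle_sigs(): child process 10932 exited by a signal 6
May 14 22:03:08 sars /usr/sbin/sip-proxy[10913]: ALERT: <core> [main.c:778]: handle_sigs(): core was generated
"""

# syslog prefix as shown in the report: "<timestamp> <host> <program>[<pid>]: <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"(?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Assumed shape of the request-logging line, taken from the report's own INFO line.
REQUEST_RE = re.compile(r"INFO: (?P<method>[A-Z]+) <(?P<ruri>[^>]+)> by untrusted "
                        r"<[^>]+> from <(?P<src>[^>]+)>")
# q_malloc's debug check reporting an overwritten fragment boundary (heap corruption).
MEMBUG_RE = re.compile(r"qm_debug_frag\(\): BUG: .*overwritten")
SIGNAL_RE = re.compile(r"child process (?P<child>\d+) exited by a signal (?P<sig>\d+)")


def find_crashes(log_text):
    """Return one alert per worker that died by a signal: pid, signal, whether
    q_malloc had just reported heap corruption in that worker, and the last
    request the worker logged from an untrusted source (the likely trigger)."""
    last_request = {}  # worker pid -> (method, request-URI, source address)
    membug = {}        # worker pid -> q_malloc BUG message
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if (r := REQUEST_RE.search(msg)):
            last_request[pid] = (r["method"], r["ruri"], r["src"])
        elif MEMBUG_RE.search(msg):
            membug[pid] = msg
        elif (s := SIGNAL_RE.search(msg)):
            child = s["child"]
            method, ruri, src = last_request.get(child, (None, None, None))
            alerts.append({
                "time": m["ts"], "pid": child, "signal": int(s["sig"]),
                "heap_corruption": child in membug,
                "method": method, "ruri": ruri, "source": src,
            })
    return alerts
```

On the report's own lines this yields a single alert for worker 10932 with heap_corruption set and the untrusted source 210.125.64.233 attached, which is what you would want to page on rather than the bare "core was generated" line.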
