
dialog: segfault with db_mode = 1 and broken SIP message #1899

Closed
btriller opened this issue Mar 21, 2019 · 3 comments

@btriller
Contributor

commented Mar 21, 2019

Description

The dialog module is configured with db_mode 1 (realtime). When receiving the following broken SIP 200 response (missing 6 bytes between header and body), Kamailio crashes:

SIP/2.0 200 OK
Via: SIP/2.0/UDP 1.2.3.4;branch=z9hG4bKa185.ad1e5804a90a4f79fa2b09b3b2118053.0
Via: SIP/2.0/UDP 2.3.4.5:7016;received=2.3.4.5;branch=z9hG4bK370933d4;rport=7016
Record-Route: <sip:1.2.3.4;lr=on;did=c41.dee>
From: "1234" <sip:1234@example.com>;tag=as4cbf81fd
To: <sip:2345@example.com>;tag=3450065082
Call-ID: 727ca44f1e962eb321143475380dfbd9@example.com
CSeq: 102 INVITE
Contact: <sip:2345@3.4.5.6:12500>
Content-Type: application/sdp
Allow: INVITE, INFO, PRACK, ACK, BYE, CANCEL, OPTIONS, NOTIFY, REGISTER, SUBSCRIBE, REFER, PUBLISH, UPDATE, MESSAGE
Content-Length: 2170
o=- 20568 20568 IN IP4 3.4.5.6
s=SDP data
c=IN IP4 3.4.5.6
t=0 0
m=audio 13002 RTP/AVP 8 101
a=rtpmap:8 PCMA/8000
a=ptime:20
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=sendrecv

Crash happens in dlg_db_handler.c

		LM_DBG("sock_info is %.*s\n", 
			cell->bind_addr[DLG_CALLER_LEG]->sock_str.len,
			cell->bind_addr[DLG_CALLEE_LEG]->sock_str.s);

		SET_STR_VALUE(values+7, cell->bind_addr[DLG_CALLER_LEG]->sock_str);
		SET_STR_VALUE(values+8, cell->bind_addr[DLG_CALLEE_LEG]->sock_str);

Debugging Data

Thread 1 (Thread 0x7fc64b620700 (LWP 2333)):
+bt
#0  0x00007fc641675b63 in update_dialog_dbinfo_unsafe (cell=0x7fc619a71ff8) at dlg_db_handler.c:784
#1  0x00007fc641676852 in update_dialog_dbinfo (cell=0x7fc619a71ff8) at dlg_db_handler.c:881
#2  0x00007fc64167c861 in dlg_onreply (t=0x7fc61d7888f0, type=1048576, param=0x7ffe1ce712f0) at dlg_handlers.c:509
#3  0x00007fc6443f4f17 in run_trans_callbacks_internal (cb_lst=0x7fc61d788960, type=1048576, trans=0x7fc61d7888f0, params=0x7ffe1ce712f0) at t_hooks.c:260
#4  0x00007fc6443f5144 in run_trans_callbacks_with_buf (type=1048576, rbuf=0x7fc61d7889b0, req=0x7fc61ec43928, repl=0x7fc646dcbd80, flags=0) at t_hooks.c:305
#5  0x00007fc6443aaabc in relay_reply (t=0x7fc61d7888f0, p_msg=0x7fc646dcbd80, branch=0, msg_status=200, cancel_data=0x7ffe1ce71580, do_put_on_wait=1) at t_reply.c:1950
#6  0x00007fc6443ae844 in reply_received (p_msg=0x7fc646dcbd80) at t_reply.c:2521
#7  0x000055fd54405df6 in do_forward_reply (msg=0x7fc646dcbd80, mode=0) at core/forward.c:749
#8  0x000055fd5440784b in forward_reply (msg=0x7fc646dcbd80) at core/forward.c:851
#9  0x000055fd544522d2 in receive_msg (buf=0x55fd5492d080 <buf> "SIP/2.0 200 OK\r\nVia: SIP/2.0/UDP ...", len=960, rcv_info=0x7ffe1ce71ad0) at core/receive.c:341
#10 0x000055fd5436e207 in udp_rcv_loop () at core/udp_server.c:515
#11 0x000055fd542dc608 in main_loop () at main.c:1623
#12 0x000055fd542e46a9 in main (argc=13, argv=0x7ffe1ce71f78) at main.c:2642

Possible Solutions

Check bind_addr before accessing.

Additional Information

Version was 5.0.x, but at least the code in dlg_handler.c hasn't been modified in master since then.

@miconda

Member

commented Mar 21, 2019

Can you get the output with gdb for:

frame 0
list
info locals
p *cell
@btriller

Contributor Author

commented Mar 21, 2019

Log messages from before the crash:

ERROR: <core> [core/parser/msg_parser.c:96]: get_hdr_field(): bad header
ERROR: <core> [core/parser/msg_parser.c:330]: parse_headers(): bad header field [a=sendrecv#015#012]
ERROR: dialog [dlg_handlers.c:190]: populate_leg_info(): failed to parse headers
ERROR: dialog [dlg_handlers.c:495]: dlg_onreply(): could not add further info to the dialog

so bind_addr for the callee leg isn't set: dlg_handlers.c

	if(parse_headers(msg,HDR_EOH_F,0)<0){
		LM_ERR("failed to parse headers\n");
		goto error0;
	}

	dlg->bind_addr[leg] = msg->rcv.bind_address;
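Added example (not Kamailio's code, not from the issue participants) modelling the failure path described in the report and in the comment above: when parse_headers() fails in populate_leg_info(), the callee leg's bind_addr stays NULL, and the DB-update step then dereferences it. The str, socket_info and dlg_cell types below are minimal constructed stand-ins; update_dialog_dbinfo_checked() shows the proposed "check bind_addr before accessing" fix returning an error instead of crashing.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for Kamailio's str, socket_info and dlg_cell. */
typedef struct { char *s; int len; } str;
typedef struct { str sock_str; } socket_info;
#define DLG_CALLER_LEG 0
#define DLG_CALLEE_LEG 1
typedef struct { socket_info *bind_addr[2]; } dlg_cell;

/* Models populate_leg_info(): a leg is bound only if its message parsed.
 * parse_ok == 0 mirrors the parse_headers() failure from the issue, so
 * the leg's bind_addr is left NULL (the pre-fix state). */
static void populate_leg(dlg_cell *cell, int leg, socket_info *si, int parse_ok)
{
    if (!parse_ok) return;
    cell->bind_addr[leg] = si;
}

/* Hardened DB-update step: refuse to build the row when either leg is
 * unbound instead of dereferencing a NULL socket pointer. Each leg's own
 * len/s pair is used (the quoted LM_DBG mixed caller len with callee s).
 * Returns 0 on success, -1 when a leg is missing. */
static int update_dialog_dbinfo_checked(const dlg_cell *cell, str *caller_out, str *callee_out)
{
    const socket_info *caller = cell->bind_addr[DLG_CALLER_LEG];
    const socket_info *callee = cell->bind_addr[DLG_CALLEE_LEG];
    if (caller == NULL || callee == NULL) {
        fprintf(stderr, "dialog leg not bound (caller=%p callee=%p), skipping DB update\n",
                (const void *)caller, (const void *)callee);
        return -1;
    }
    *caller_out = caller->sock_str;
    *callee_out = callee->sock_str;
    return 0;
}

/* Scenario: INVITE binds the caller leg; the 200 OK either parses
 * (callee_parse_ok = 1) or is the broken reply from the issue (0). */
int dbinfo_scenario(int callee_parse_ok)
{
    static char s0[] = "udp:1.2.3.4:5060";   /* constructed socket strings */
    static char s1[] = "udp:3.4.5.6:12500";
    socket_info caller_si = { { s0, (int)strlen(s0) } };
    socket_info callee_si = { { s1, (int)strlen(s1) } };
    dlg_cell cell = { { NULL, NULL } };
    str a, b;
    populate_leg(&cell, DLG_CALLER_LEG, &caller_si, 1);
    populate_leg(&cell, DLG_CALLEE_LEG, &callee_si, callee_parse_ok);
    return update_dialog_dbinfo_checked(&cell, &a, &b);
}
```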
@miconda

Member

commented Apr 4, 2019

Should be fixed in the latest versions of git branches, pushed back also to 5.0.

Anyhow, as 5.0 is getting officially out of maintenance, it is recommended to upgrade to 5.1.x or 5.2.x.

@miconda miconda closed this Apr 4, 2019
