carrierroute: crash when database is not initialized

[sergey-safarov]

Description

When I start Kamailio with not initialized Redis database I expect an error message but catch a crash.

Debugging Data

bt

(gdb) bt 
#0  0x0000000000000000 in ?? ()
#1  0x0000fffff24b64e4 in load_route_data_db (rd=0xfffff32243e0) at cr_db.c:314
#2  0x0000fffff24a718c in reload_route_data () at cr_data.c:178
#3  0x0000fffff2498340 in mod_init () at carrierroute.c:239
#4  0x00000000006996bc in init_mod (m=0xfffff76336e8) at core/sr_module.c:971
#5  0x0000000000699b24 in init_modules () at core/sr_module.c:1002
#6  0x000000000043e36c in main (argc=5, argv=0xfffffffff438) at main.c:3024

bt full

(gdb) bt full
#0  0x0000000000000000 in ?? ()
No symbol table info available.
#1  0x0000fffff24b64e4 in load_route_data_db (rd=0xfffff32243e0) at cr_db.c:314
        res = 0x0
        row = 0x0
        i = 0
        j = -215858208
        ret = 56
        tmp_carrier_data = 0xfffff2fb96c8
        query_str = {s = 0xfffff2521d60 <query> "SELECT DISTINCT domain FROM carrierroute WHERE carrier=1", len = 56}
        tmp_scan_prefix = {s = 0x8 <error: Cannot access memory at address 0x8>, len = 1}
        tmp_rewrite_host = {s = 0xfffff24f55b0 <__func__.12> "init_route_data", len = -218392888}
        tmp_rewrite_prefix = {s = 0xfffff24f39e8 "carrierroute", len = 8763264}
        tmp_rewrite_suffix = {s = 0xfffff7ed1520 <_IO_2_1_stderr_> "\207(\255", <incomplete sequence \373>, len = 0}
        tmp_host_name = {s = 0x40 <error: Cannot access memory at address 0x40>, len = -218628096}
        tmp_reply_code = {s = 0xfffff24f5608 <__func__.8> "reload_route_data", len = -229688464}
        tmp_comment = {s = 0xfffff24f39e8 "carrierroute", len = 9832376}
        p_tmp_comment = 0xffffffffeb80
        __func__ = "load_route_data_db"
        n = 65535
#2  0x0000fffff24a718c in reload_route_data () at cr_data.c:178
        old_data = 0x2008e4e98
        new_data = 0xfffff32243e0
        i = 3
        __func__ = "reload_route_data"
#3  0x0000fffff2498340 in mod_init () at carrierroute.c:239
        fs = {st_dev = 9547688, st_ino = 268435456, st_mode = 0, st_nlink = 0, st_uid = 4294962480, st_gid = 65535, st_rdev = 268435456, __pad1 = 0, 
          st_size = 281474976706104, st_blksize = -4768, __pad2 = 65535, st_blocks = 6918840, st_atim = {tv_sec = 969, tv_nsec = 5}, st_mtim = {tv_sec = 37199812, 
            tv_nsec = 281474831794664}, st_ctim = {tv_sec = 4294967295, tv_nsec = 281474839572424}, __glibc_reserved = {-134251712, 65535}}
        uid = 4
        gid = 261
        __func__ = "mod_init"
#4  0x00000000006996bc in init_mod (m=0xfffff76336e8) at core/sr_module.c:971
        ret = -134225920
        __func__ = "init_mod"
#5  0x0000000000699b24 in init_modules () at core/sr_module.c:1002
        t = 0x20ffffffff
        i = -1
        __func__ = "init_modules"
#6  0x000000000043e36c in main (argc=5, argv=0xfffffffff438) at main.c:3024
        cfg_stream = 0xab3380
        c = -1
        r = 0
        tmp = 0xfffff7fccde4 <_dl_fixup+244> "\367\003"
        tmp_len = 65535
        port = -3376
        proto = 65535
        ahost = 0x0
        aport = 0
        options = 0x8d0fe0 ":f:cm:M:dVIhEeb:l:L:n:vKrRDTN:W:w:t:u:g:P:G:SQ:O:a:A:x:X:Y:"
        ret = -1
        seed = 160181580
        rfd = 4
        debug_save = 0
        debug_flag = 0
        dont_fork_cnt = 2
        n_lst = 0xfffff7ff0760
        p = 0xfffff7d4b544 <__libc_start_call_main+52> "\237$\003\325 \002"
        st = {st_dev = 26, st_ino = 1030, st_mode = 16832, st_nlink = 2, st_uid = 977, st_gid = 977, st_rdev = 0, __pad1 = 0, st_size = 40, st_blksize = 4096, __pad2 = 0, 
          st_blocks = 0, st_atim = {tv_sec = 1679590104, tv_nsec = 869999991}, st_mtim = {tv_sec = 1679590104, tv_nsec = 869999991}, st_ctim = {tv_sec = 1679590104, 
            tv_nsec = 869999991}, __glibc_reserved = {0, 0}}
        tbuf = "\254\202\226\006\000\000\000\000(\315\375\367\377\377\000\000\030\315\375\367\377\377\000\000\205\317c\t\000\000\000\000\000\367\377\367\377\377\000\000\240\357\377\377\377\377\000\000\bb\345\367\377\377\000\000\001\000\000\000\000\000\000\000\001\000\000\000\000\000\000\000\000\000\200\002\000\000\000\000\000g\303\317*\031z\n\360\357\377\377\377\377\000\000Xt\375\367\377\377\000\000\000\340\377\367\377\377\000\000\000\000\000\000\000\000\000\000\360\357\377\377\377\377\000\000\204t\375\367\377\377\000\000\250\361\377\367\377\377", '\000' <repeats 26 times>, "\340\362\377\377\377\377\000\000DB\375\367\377\377\000\000(\333\377\367\377\377\000\000\000\320\377\367\377\377\000\000"...
        option_index = 0
        long_options = {{name = 0x8d3520 "help", has_arg = 0, flag = 0x0, val = 104}, {name = 0x8ce2d0 "version", has_arg = 0, flag = 0x0, val = 118}, {
            name = 0x8d3528 "alias", has_arg = 1, flag = 0x0, val = 1024}, {name = 0x8d3530 "subst", has_arg = 1, flag = 0x0, val = 1025}, {name = 0x8d3538 "substdef", 
            has_arg = 1, flag = 0x0, val = 1026}, {name = 0x8d3548 "substdefs", has_arg = 1, flag = 0x0, val = 1027}, {name = 0x8d3558 "server-id", has_arg = 1, 
            flag = 0x0, val = 1028}, {name = 0x8d3568 "loadmodule", has_arg = 1, flag = 0x0, val = 1029}, {name = 0x8d3578 "modparam", has_arg = 1, flag = 0x0, 
            val = 1030}, {name = 0x8d3588 "log-engine", has_arg = 1, flag = 0x0, val = 1031}, {name = 0x8d3598 "debug", has_arg = 1, flag = 0x0, val = 1032}, {
            name = 0x8d35a0 "cfg-print", has_arg = 0, flag = 0x0, val = 1033}, {name = 0x8d35b0 "atexit", has_arg = 1, flag = 0x0, val = 1034}, {name = 0x0, has_arg = 0, 
            flag = 0x0, val = 0}}
        __func__ = "main"

info locals

(gdb) f 1
#1  0x0000fffff24b64e4 in load_route_data_db (rd=0xfffff32243e0) at cr_db.c:314
314			if (carrierroute_dbf.raw_query(carrierroute_dbh, &query_str, &res) < 0) {
(gdb) info locals
res = 0x0
row = 0x0
i = 0
j = -215858208
ret = 56
tmp_carrier_data = 0xfffff2fb96c8
query_str = {s = 0xfffff2521d60 <query> "SELECT DISTINCT domain FROM carrierroute WHERE carrier=1", len = 56}
tmp_scan_prefix = {s = 0x8 <error: Cannot access memory at address 0x8>, len = 1}
tmp_rewrite_host = {s = 0xfffff24f55b0 <__func__.12> "init_route_data", len = -218392888}
tmp_rewrite_prefix = {s = 0xfffff24f39e8 "carrierroute", len = 8763264}
tmp_rewrite_suffix = {s = 0xfffff7ed1520 <_IO_2_1_stderr_> "\207(\255", <incomplete sequence \373>, len = 0}
tmp_host_name = {s = 0x40 <error: Cannot access memory at address 0x40>, len = -218628096}
tmp_reply_code = {s = 0xfffff24f5608 <__func__.8> "reload_route_data", len = -229688464}
tmp_comment = {s = 0xfffff24f39e8 "carrierroute", len = 9832376}
p_tmp_comment = 0xffffffffeb80
__func__ = "load_route_data_db"
n = 65535

list

(gdb) list
309				goto errout;
310			}
311			query_str.s = query;
312			query_str.len = ret;
313	
314			if (carrierroute_dbf.raw_query(carrierroute_dbh, &query_str, &res) < 0) {
315				LM_ERR("Failed to query database.\n");
316				goto errout;
317			}
318			LM_INFO("carrier '%.*s' (id %i) has %i domains\n", rd->carrier_map[i].name.len, rd->carrier_map[i].name.s, rd->carrier_map[i].id, RES_ROW_N(res));

Log Messages

 0(969) INFO: <core> [core/sctp_core.c:74]: sctp_core_check_support(): SCTP API not enabled - if you want to use it, load sctp module
Listening on 
             udp: 158.51.225.1:5060 name ipv4_udp
             udp: 2605:84c0:40:2:278a:4bc8:76c1:1585:5060 name ipv6_udp
             tcp: 158.51.225.1:5060 name ipv4_tcp
             tcp: 158.51.225.1:2855 name ipv4_msrp
             tcp: 2605:84c0:40:2:278a:4bc8:76c1:1585:5060 name ipv6_tcp
Aliases: 
             tcp: linux.local:5060
             tcp: linux:5060
             tcp: localhost:2855
             tcp: localhost:5060
             udp: linux.local:5060
             udp: linux:5060
             udp: localhost:5060

 0(969) INFO: <core> [core/tcp_main.c:5071]: init_tcp(): using epoll_lt as the io watch method (auto detected)
 0(969) NOTICE: regex [regex_mod.c:168]: mod_init(): 'file' parameter is not set, group matching disabled
 0(969) INFO: carrierroute [carrierroute.c:185]: mod_init(): use database as configuration source

Program received signal SIGSEGV, Segmentation fault.

Additional Information

• Kamailio Version - output of kamailio -v
  here is cutomized 54a9c15

[root@localhost sipagg2]# kamailio -v
version: kamailio 5.6.2 (aarch64/linux) 42c09c-dirty
flags: USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MMAP, PKG_MALLOC, Q_MALLOC, F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT-NOSMP, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLOCKLIST, HAVE_RESOLV_RES, TLS_PTHREAD_MUTEX_SHARED
ADAPTIVE_WAIT_LOOPS 1024, MAX_RECV_BUFFER_SIZE 262144, MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
id: 42c09c -dirty
compiled on 00:00:00 Sep 13 2022 with gcc 12.2.1

• Operating System:

[root@sbc-stage-a0 kamailio]# cat /etc/os-release 
NAME="CentOS Stream"
VERSION="8"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="8"
PLATFORM_ID="platform:el8"
PRETTY_NAME="CentOS Stream 8"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:8"
HOME_URL="https://centos.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux 8"
REDHAT_SUPPORT_PRODUCT_VERSION="CentOS Stream"

[henningw]

Thanks for the report. Which DB do you actually use for the carrierroute, db_redis? I think I know the problem then.

[sergey-safarov]

yes, db_redis

[sergey-safarov]

I have initialized the database but the issue is still here.
What is strange is when the database is initialized.

tmp_scan_prefix = {s = 0x8 <error: Cannot access memory at address 0x8>, len = 1}
tmp_host_name = {s = 0x40 <error: Cannot access memory at address 0x40>, len = -218628096}

And I do not see any request to carrierroute table.

[henningw]

Thanks, please try with the commit referenced above.

[sergey-safarov]

Compiled with referenced commit and now I receive an error message without a crash.