[OpenSIPS-Devel] [ opensips-Bugs-2573029 ] [trunk/r5254] crash in dialog/

SourceForge.net noreply at sourceforge.net
Fri Feb 6 16:40:43 CET 2009 

Bugs item #2573029, was opened at 2009-02-06 15:40
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=1086410&aid=2573029&group_id=232389

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: modules
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Nobody/Anonymous (nobody)
Assigned to: Nobody/Anonymous (nobody)
Summary: [trunk/r5254] crash in dialog/

Initial Comment:
(from vasil.kolev at attractel.com)

Turns out that you can pass rpl == FAKED_REPLY (which is -1) to dlg_onreply(), which will in turn try to dereference it and crash. This fixes it for me, if you're interested, I can reproduce the core dump.

This happens when testing presence and related stuff.


--- modules/dialog/dlg_handlers.c	(revision 5254)
+++ modules/dialog/dlg_handlers.c	(working copy)
@@ -288,24 +288,29 @@
 		LM_DBG("dialog %p confirmed\n",dlg);
 
 		/* get to tag*/
-		if ( !rpl->to && ((parse_headers(rpl, HDR_TO_F,0)<0) || !rpl->to) ) {
-			LM_ERR("bad reply or missing TO hdr :-/\n");
-			tag.s = 0;
-			tag.len = 0;
-		} else {
-			tag = get_to(rpl)->tag_value;
-			if (tag.s==0 || tag.len==0) {
-				LM_ERR("missing TAG param in TO hdr :-/\n");
+		if ( rpl != FAKED_REPLY){
+			if ( !rpl->to && ((parse_headers(rpl, HDR_TO_F,0)<0) || !rpl->to) ) {
+				LM_ERR("bad reply or missing TO hdr :-/\n");
 				tag.s = 0;
 				tag.len = 0;
+			} else {
+				tag = get_to(rpl)->tag_value;
+				if (tag.s==0 || tag.len==0) {
+					LM_ERR("missing TAG param in TO hdr :-/\n");
+					tag.s = 0;
+					tag.len = 0;
+				}
 			}
+			/* save callee's tag, cseq, contact and record route*/
+			if (populate_leg_info( dlg, rpl, t, DLG_CALLEE_LEG, &tag) !=0) {
+				LM_ERR("could not add further info to the dialog\n");
+			}
+		} else {
+			LM_DBG("FAKED_REPLY detected\n");
+			tag.s = 0;
+			tag.len = 0;
 		}
 
-		/* save callee's tag, cseq, contact and record route*/
-		if (populate_leg_info( dlg, rpl, t, DLG_CALLEE_LEG, &tag) !=0) {
-			LM_ERR("could not add further info to the dialog\n");
-		}
-
 		/* set start time */
 		dlg->start_ts = (unsigned int)(time(0));
 


----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=1086410&aid=2573029&group_id=232389

More information about the Devel mailing list