[OpenSIPS-Devel] [ opensips-Bugs-2530958 ] Crash in pua/send_subscribe.c

SourceForge.net noreply at sourceforge.net
Fri Jan 23 13:14:24 CET 2009


Bugs item #2530958, was opened at 2009-01-23 12:14
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=1086410&aid=2530958&group_id=232389

Category: modules
Group: trunk
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Norm Brandinger (norm_brandinger)
Assigned to: Nobody/Anonymous (nobody)
Summary: Crash in pua/send_subscribe.c

Initial Comment:
Crash happened on the following line within pua/send_subscribe.c:

    size= sizeof(ua_pres_t)+ 2*sizeof(str)+( pto->uri.len+
        pfrom->uri.len+ pto->tag_value.len+ pfrom->tag_value.len
        +msg->callid->body.len+ record_route.len+ hentity->contact.len+
        hentity->id.len )*sizeof(char);

Because of the complexity of the statement, I rewrote it as shown below so that the offending variable could quickly be isolated.

    size = sizeof(ua_pres_t);
    size += (2*sizeof(str));

    temp = pto->uri.len;
    temp += pfrom->uri.len;
    temp += pto->tag_value.len;
    temp += pfrom->tag_value.len;
    temp += msg->callid->body.len;
    temp += record_route.len;
    temp += hentity->contact.len;
    temp += hentity->id.len;
    temp = temp * sizeof(char);

    size += temp;

The failure below shows that the crash happens while accessing pto->uri.len.



Program terminated with signal 11, Segmentation fault.
#0  0x004a3230 in subs_cback_func (t=0xb61557f0, cb_type=256, ps=0x38fc54) at send_subscribe.c:493
493         temp = pto->uri.len;
(gdb) bt
#0  0x004a3230 in subs_cback_func (t=0xb61557f0, cb_type=256, ps=0x38fc54) at send_subscribe.c:493
#1  0x00366bfa in run_trans_callbacks (type=256, trans=0xb61557f0, req=0x0, rpl=0x81f4bb0, code=200) at t_hooks.c:208
#2  0x0037fdd1 in local_reply (t=0xb61557f0, p_msg=0x81f4bb0, branch=0, msg_status=200, cancel_bitmap=0xbff32f10) at t_reply.c:1264
#3  0x0038295e in reply_received (p_msg=0x81f4bb0) at t_reply.c:1405
#4  0x08064e0a in forward_reply (msg=0x81f4bb0) at forward.c:507


For reference, the original code resulted in the following:

Program terminated with signal 11, Segmentation fault.
#0  0x00cfb234 in subs_cback_func (t=0xb61e1c28, cb_type=256, ps=0x72fc54) at send_subscribe.c:490
490             size= sizeof(ua_pres_t)+ 2*sizeof(str)+( pto->uri.len+
(gdb) bt
#0  0x00cfb234 in subs_cback_func (t=0xb61e1c28, cb_type=256, ps=0x72fc54) at send_subscribe.c:490
#1  0x00706bfa in run_trans_callbacks (type=256, trans=0xb61e1c28, req=0x0, rpl=0x81f5620, code=200) at t_hooks.c:208
#2  0x0071fdd1 in local_reply (t=0xb61e1c28, p_msg=0x81f5620, branch=0, msg_status=200, cancel_bitmap=0xbfe80e70) at t_reply.c:1264
#3  0x0072295e in reply_received (p_msg=0x81f5620) at t_reply.c:1405
#4  0x08064e0a in forward_reply (msg=0x81f5620) at forward.c:507
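
A defensive form of the size computation in the report, as an added example that is not part of the original report or of the OpenSIPS source: every pointer is checked before a `.len` is read through it, and negative lengths or a wrapped sum are rejected. The struct layouts, `struct pres_entity`, the `base` parameter and the function name `pres_record_size` are simplified assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins for the types named in the report (assumed layout). */
typedef struct { char *s; int len; } str;
struct to_body { str uri; str tag_value; };
struct pres_entity { str contact; str id; };

/* Add one length to *total; reject negative values and size_t wraparound. */
static int add_len(size_t *total, int len)
{
    if (len < 0 || (size_t)len > SIZE_MAX - *total)
        return -1;
    *total += (size_t)len;
    return 0;
}

/* base stands in for sizeof(ua_pres_t) + 2*sizeof(str).
 * Returns 0 and writes the size to *out, or -1 on missing/invalid input. */
int pres_record_size(size_t base, const struct to_body *pto,
                     const struct to_body *pfrom, const str *callid,
                     const str *record_route, const struct pres_entity *h,
                     size_t *out)
{
    size_t total = base;

    /* Check every pointer before reading a .len through it. */
    if (!pto || !pfrom || !callid || !record_route || !h || !out)
        return -1;
    if (add_len(&total, pto->uri.len) || add_len(&total, pfrom->uri.len) ||
        add_len(&total, pto->tag_value.len) ||
        add_len(&total, pfrom->tag_value.len) ||
        add_len(&total, callid->len) || add_len(&total, record_route->len) ||
        add_len(&total, h->contact.len) || add_len(&total, h->id.len))
        return -1;
    *out = total;
    return 0;
}

int main(void)
{
    /* Constructed sample input: a From body is present, the To body is not. */
    struct to_body from = { { "sip:a@example.com", 17 }, { "tag1", 4 } };
    struct pres_entity h = { { "sip:a@192.0.2.1", 15 }, { "id1", 3 } };
    str callid = { "abc123", 6 }, rr = { NULL, 0 };
    size_t size = 0;
    int rc = pres_record_size(64, NULL, &from, &callid, &rr, &h, &size);
    printf("rc=%d\n", rc);
    return 0;
}
```

With a check of this kind, a callback that receives an unusable To body returns an error to its caller instead of terminating the process with signal 11.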
