[OpenSIPS-Devel] [ opensips-Bugs-2530958 ] Crash in pua/send_subscribe.c
SourceForge.net
noreply at sourceforge.net
Fri Jan 23 14:12:57 CET 2009
Bugs item #2530958, was opened at 2009-01-23 14:14
Message generated for change (Settings changed) made by anca_vamanu
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=1086410&aid=2530958&group_id=232389
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: modules
Group: trunk
>Status: Closed
>Resolution: Fixed
Priority: 5
Private: No
Submitted By: Norm Brandinger (norm_brandinger)
>Assigned to: Anca Vamanu (anca_vamanu)
Summary: Crash in pua/send_subscribe.c
Initial Comment:
Crash happened on the following line within pua/send_subscribe.c:
size= sizeof(ua_pres_t)+ 2*sizeof(str)+( pto->uri.len+
pfrom->uri.len+ pto->tag_value.len+ pfrom->tag_value.len
+msg->callid->body.len+ record_route.len+ hentity->contact.len+
hentity->id.len )*sizeof(char);
Because of the complexity of the statement, I rewrote it as shown below so that the offending variable could quickly be isolated.
size = sizeof(ua_pres_t);
size += (2*sizeof(str));
temp = pto->uri.len;
temp += pfrom->uri.len;
temp += pto->tag_value.len;
temp += pfrom->tag_value.len;
temp += msg->callid->body.len;
temp += record_route.len;
temp += hentity->contact.len;
temp += hentity->id.len;
temp = temp * sizeof(char);
size += temp;
The failure below shows that the crash happens while accessing pto->uri.len.
Program terminated with signal 11, Segmentation fault.
#0 0x004a3230 in subs_cback_func (t=0xb61557f0, cb_type=256, ps=0x38fc54) at send_subscribe.c:493
493 temp = pto->uri.len;
(gdb) bt
#0 0x004a3230 in subs_cback_func (t=0xb61557f0, cb_type=256, ps=0x38fc54) at send_subscribe.c:493
#1 0x00366bfa in run_trans_callbacks (type=256, trans=0xb61557f0, req=0x0, rpl=0x81f4bb0, code=200) at t_hooks.c:208
#2 0x0037fdd1 in local_reply (t=0xb61557f0, p_msg=0x81f4bb0, branch=0, msg_status=200, cancel_bitmap=0xbff32f10) at t_reply.c:1264
#3 0x0038295e in reply_received (p_msg=0x81f4bb0) at t_reply.c:1405
#4 0x08064e0a in forward_reply (msg=0x81f4bb0) at forward.c:507
For reference, the original code resulted in the following:
Program terminated with signal 11, Segmentation fault.
#0 0x00cfb234 in subs_cback_func (t=0xb61e1c28, cb_type=256, ps=0x72fc54) at send_subscribe.c:490
490 size= sizeof(ua_pres_t)+ 2*sizeof(str)+( pto->uri.len+
(gdb) bt
#0 0x00cfb234 in subs_cback_func (t=0xb61e1c28, cb_type=256, ps=0x72fc54) at send_subscribe.c:490
#1 0x00706bfa in run_trans_callbacks (type=256, trans=0xb61e1c28, req=0x0, rpl=0x81f5620, code=200) at t_hooks.c:208
#2 0x0071fdd1 in local_reply (t=0xb61e1c28, p_msg=0x81f5620, branch=0, msg_status=200, cancel_bitmap=0xbfe80e70) at t_reply.c:1264
#3 0x0072295e in reply_received (p_msg=0x81f5620) at t_reply.c:1405
#4 0x08064e0a in forward_reply (msg=0x81f5620) at forward.c:507
----------------------------------------------------------------------
>Comment By: Anca Vamanu (anca_vamanu)
Date: 2009-01-23 15:12
Message:
Hi Norm,
Thanks for your report. This happened because of an error case that was
not treated.
Please update from svn. If you see this problem again, reopen this
report.
regards,
Anca
----------------------------------------------------------------------
Comment By: Norm Brandinger (norm_brandinger)
Date: 2009-01-23 14:15
Message:
If needed, a debug=9 at the time of the failure is available privately.
----------------------------------------------------------------------
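Added example, not part of the tracker thread and not OpenSIPS code: the size computation from the report, split per term as in the initial comment, but refusing to dereference a missing field and rejecting negative or overflowing lengths. It assumes the fault was a NULL parsed-header pointer, which the thread does not confirm. The types `str` and `hdr_body`, the functions `record_size` and `sample`, and all sample values are constructed stand-ins.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* Constructed stand-ins for the types named in the report, not OpenSIPS's own. */
typedef struct { const char *s; int len; } str;
struct hdr_body { str uri; str tag_value; };   /* hypothetical name */

/* Add one header-derived length; reject negative values and wrap-around. */
static int add_len(size_t *acc, int len)
{
    if (len < 0 || (size_t)len > SIZE_MAX - *acc)
        return -1;
    *acc += (size_t)len;
    return 0;
}

/* Returns 0 and stores the byte count in *out; returns -1 instead of
 * dereferencing when a field is absent (assumed failure mode: NULL pointer). */
int record_size(const struct hdr_body *pto, const struct hdr_body *pfrom,
                const str *callid, const str *record_route,
                const str *contact, const str *id, size_t fixed, size_t *out)
{
    size_t n = fixed;
    if (!pto || !pfrom || !callid || !record_route || !contact || !id || !out)
        return -1;
    if (add_len(&n, pto->uri.len) || add_len(&n, pfrom->uri.len) ||
        add_len(&n, pto->tag_value.len) || add_len(&n, pfrom->tag_value.len) ||
        add_len(&n, callid->len) || add_len(&n, record_route->len) ||
        add_len(&n, contact->len) || add_len(&n, id->len))
        return -1;
    *out = n;
    return 0;
}

/* Constructed sample fields; drop_to simulates a reply with no usable To. */
long sample(int drop_to)
{
    struct hdr_body to = { {"sip:a@example.test", 18}, {"t1", 2} };
    struct hdr_body from = { {"sip:b@example.test", 18}, {"f1", 2} };
    str callid = {"c1@example.test", 15}, rr = {"", 0};
    str contact = {"sip:b@192.0.2.1", 15}, id = {"x", 1};
    size_t n;
    if (record_size(drop_to ? NULL : &to, &from, &callid, &rr, &contact, &id, 64, &n))
        return -1;
    return (long)n;
}

int main(void) { printf("complete: %ld, To missing: %ld\n", sample(0), sample(1)); return 0; }
```

The caller treats -1 as "drop this reply and log it" rather than continuing to allocate and copy.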