[OpenSIPS-Devel] [ opensips-Bugs-2868113 ] crash in encode_contact

SourceForge.net noreply at sourceforge.net
Wed Sep 30 14:15:00 CEST 2009


Bugs item #2868113, was opened at 2009-09-27 17:04
Message generated for change (Settings changed) made by bogdan_iancu
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=1086410&aid=2868113&group_id=232389

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: modules
Group: trunk
>Status: Closed
>Resolution: Fixed
Priority: 5
Private: No
Submitted By: Sergey Okhapkin (sokhapkin)
Assigned to: Bogdan-Andrei Iancu (bogdan_iancu)
Summary: crash in encode_contact

Initial Comment:
if (is_method("INVITE")) {
       encode_contact("enc_prefix","IP.Add.re.ss");
}

leads to

CRITICAL:core:del_lump: offset exceeds message size (653092 > 1031) aborting...

----------------------------------------------------------------------

>Comment By: Bogdan-Andrei Iancu (bogdan_iancu)
Date: 2009-09-30 15:14

Message:
OK, I made a fix to detect such cases and to avoid the crash - you will get
an error message in the logs that you are doing something wrong in the
script.

Regards,
Bogdan

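The fix described in the comment above (detect a string that does not point into the message buffer and log an error instead of letting del_lump() abort) can be illustrated with the following added example. It is not OpenSIPS code: `struct sip_msg_view`, `lump_offset_checked()` and the INVITE text are constructed stand-ins for `struct sip_msg`, the offset computation in `patch()`/`del_lump()`, and the message from the backtrace. The check is general: it rejects any span that starts outside the buffer or runs past its end, not only a Contact URI.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical minimal stand-in for the two fields of OpenSIPS's struct sip_msg
 * that an offset check needs; this is not the project's own type. */
struct sip_msg_view {
    const char *buf;   /* start of the raw SIP message as received */
    size_t len;        /* number of bytes in buf */
};

/* Compute the offset of [s, s + slen) relative to msg->buf.
 * Returns 0 and stores the offset when the span lies entirely inside the
 * message buffer; returns -1 (after logging) when it does not, so the caller
 * can refuse the rewrite instead of handing del_lump() a bogus offset.
 * Addresses are compared as integers: a pointer into an unrelated allocation
 * must never turn into a huge offset such as the 653092 seen against a
 * 1030-byte message in the thread's backtrace. */
int lump_offset_checked(const struct sip_msg_view *msg,
                        const char *s, size_t slen, size_t *offset)
{
    uintptr_t start = (uintptr_t)msg->buf;
    uintptr_t end   = start + msg->len;
    uintptr_t p     = (uintptr_t)s;

    if (p < start || p >= end || slen > end - p) {
        fprintf(stderr,
                "ERROR: string %p (len %zu) is not inside the message "
                "buffer %p (len %zu); refusing to patch\n",
                (const void *)s, slen, (const void *)msg->buf, msg->len);
        return -1;
    }
    *offset = (size_t)(p - start);
    return 0;
}

/* Constructed INVITE (documentation addresses), standing in for msg->buf. */
static const char constructed_invite[] =
    "INVITE sip:alice@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKabc\r\n"
    "Contact: <sip:alice@192.0.2.10:5060>\r\n"
    "Content-Length: 0\r\n\r\n";

/* Constructed Contact URI living in its own allocation, the situation the
 * thread attributes to running fix_nated_contact() before encode_contact(). */
static const char detached_uri[] = "sip:alice@203.0.113.5:5060";

/* Contact URI parsed in place: the span is inside buf, so an offset results. */
int offset_of_inbuffer_contact(void)
{
    struct sip_msg_view msg = { constructed_invite, sizeof(constructed_invite) - 1 };
    const char *uri = strstr(msg.buf, "sip:alice@192");
    size_t off = 0;
    if (uri == NULL ||
        lump_offset_checked(&msg, uri, strlen("sip:alice@192.0.2.10:5060"), &off) < 0)
        return -1;
    return (int)off;
}

/* Contact URI replaced by a separate string: rejected rather than aborting. */
int offset_of_detached_contact(void)
{
    struct sip_msg_view msg = { constructed_invite, sizeof(constructed_invite) - 1 };
    size_t off = 0;
    return lump_offset_checked(&msg, detached_uri, sizeof(detached_uri) - 1, &off);
}

/* Span starts inside buf but its length runs past the end: also rejected. */
int offset_of_truncated_span(void)
{
    struct sip_msg_view msg = { constructed_invite, sizeof(constructed_invite) - 1 };
    const char *uri = strstr(msg.buf, "sip:alice@192");
    size_t off = 0;
    return lump_offset_checked(&msg, uri, msg.len, &off);
}

int main(void)
{
    printf("in-buffer contact offset: %d\n", offset_of_inbuffer_contact());
    printf("detached contact result:  %d\n", offset_of_detached_contact());
    printf("truncated span result:    %d\n", offset_of_truncated_span());
    return 0;
}
```

The same check applied at the top of a patch()-style helper turns the failure from an abort() in del_lump() into a logged script error, which is the behaviour the closing comment describes; the root-cause question of why the rewritten URI is not in the buffer remains a separate matter for the caller.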
----------------------------------------------------------------------

Comment By: Sergey Okhapkin (sokhapkin)
Date: 2009-09-28 18:27

Message:
I agree with both sentences :-)

----------------------------------------------------------------------

Comment By: Bogdan-Andrei Iancu (bogdan_iancu)
Date: 2009-09-28 17:57

Message:
actually it's more a bug in your script - do you want to replace the contact
with the net ip (via fixed_nated_contact) or do you want to encode it?

Of course, whatever you want to do, it should not crash opensips :D..

regards,
bogdan

----------------------------------------------------------------------

Comment By: Sergey Okhapkin (sokhapkin)
Date: 2009-09-28 16:44

Message:
Sounds like a bug in fix_nated_contact(), it shouldn't set c->uri.s
pointing outside msg->buf, the check for "fix_nated_contact twice" is just
a workaround for the bug.

----------------------------------------------------------------------

Comment By: Sergey Okhapkin (sokhapkin)
Date: 2009-09-28 16:33

Message:
Yes, I do... Nice catch...

----------------------------------------------------------------------

Comment By: Bogdan-Andrei Iancu (bogdan_iancu)
Date: 2009-09-28 16:27

Message:
are you doing a fix_nated_contact() op before the mangling? 

Regards,
Bogdan

----------------------------------------------------------------------

Comment By: Sergey Okhapkin (sokhapkin)
Date: 2009-09-28 14:29

Message:
It's outside:

(gdb) fr 5
#5  0xb775b577 in encode_contact (msg=0x8237ecc, encoding_prefix=0x81fe644
"enc_prefix", public_ip=0x81fe6f4 "38.99.108.126")
    at contact_ops.c:99
99                                      if (patch (msg, uri.s, uri.len,
newUri.s, newUri.len) < 0)
(gdb) p msg->buf
$1 = 0x8199280 "INVITE sip:18004444444 at tf.callwithus.com:5070
SIP/2.0\r\nVia: SIP/2.0/UDP
192.168.1.2:5066;rport;branch=z9hG4bKtvuncyid\r\nMax-Forwards:
69\r\nProxy-Authorization: Digest
username=\"167147511\",realm=\"tf.call"...
(gdb) p msg->len
$2 = 1030
(gdb) p uri.s
$3 = 0x82389a4 "sip:7323775277 at 71.59.87.156:5066;transport=udp"

I'm getting the error on the following event sequence: INVITE (without auth)
-> 407 -> INVITE (with auth).

----------------------------------------------------------------------

Comment By: Bogdan-Andrei Iancu (bogdan_iancu)
Date: 2009-09-28 11:30

Message:
not really... The parser in OpenSIPS is keeping references inside the
buffer (for the parsed stuff), so the cb->contacts->uri.s should point
inside the buffer.

Try printing the following vals:
    msg->buf
    msg->len
    uri.s

Regards,
Bogdan

----------------------------------------------------------------------

Comment By: Sergey Okhapkin (sokhapkin)
Date: 2009-09-28 00:59

Message:
I found the root cause: functions patch and del_lump expect that patch()
parameter oldstr points inside msg->buf, but in

cb = (contact_body_t *) msg->contact->parsed;
c = cb->contacts;
uri = c->uri;

uri.s is outside msg->buf


----------------------------------------------------------------------

Comment By: Sergey Okhapkin (sokhapkin)
Date: 2009-09-27 23:58

Message:
I can't reproduce it with a simple script. gdb shows

(gdb) bt
#0  0xffffe410 in __kernel_vsyscall ()
#1  0xb7e1c101 in raise () from /lib/libc.so.6
#2  0xb7e1d8e8 in abort () from /lib/libc.so.6
#3  0x08064589 in del_lump (msg=0x8237ecc, offset=653092, len=46,
type=HDR_OTHER_T) at data_lump.c:292
#4  0xb775ed64 in patch (msg=0x6, oldstr=0x82389a4
"sip:7323775277 at 71.59.87.156:5066;transport=udp", oldlen=46,
    newstr=0x823a36c
"sip:enc_prefix*7323775277**71.59.87.156*5066*udp at 38.99.108.126",
newlen=62) at utils.c:53
#5  0xb775b577 in encode_contact (msg=0x8237ecc, encoding_prefix=0x81fe644
"enc_prefix", public_ip=0x81fe6f4 "38.99.108.126")
    at contact_ops.c:99
#6  0x0805631d in do_action (a=0x81fe7a4, msg=0x8237ecc) at action.c:962
#7  0x080590b7 in run_action_list (a=0x81fe7a4, msg=0x8237ecc) at
action.c:139
#8  0x0805728c in do_action (a=0x82160ac, msg=0x8237ecc) at action.c:706
#9  0x080590b7 in run_action_list (a=0x81f8110, msg=0x8237ecc) at
action.c:139
#10 0x08059453 in run_top_route (a=0x81f8110, msg=0x8237ecc) at
action.c:119
#11 0x080a0cfa in receive_msg (
    buf=0x8199280 "INVITE sip:18004444444 at tf.callwithus.com:5070
SIP/2.0\r\nVia: SIP/2.0/UDP
192.168.1.2:5066;rport;branch=z9hG4bKtvuncyid\r\nMax-Forwards:
69\r\nProxy-Authorization: Digest
username=\"167147511\",realm=\"tf.call"..., len=1030,
    rcv_info=0xbfe40ae4) at receive.c:162
#12 0x080e8ebc in udp_rcv_loop () at udp_server.c:492
#13 0x08072c1b in main (argc=1, argv=0xbfe40ce4) at main.c:711


----------------------------------------------------------------------

Comment By: Bogdan-Andrei Iancu (bogdan_iancu)
Date: 2009-09-27 23:35

Message:
Does this crash happen all the time? What is the way to reproduce it, as I
tried a simple script but with no luck.

Also did you get a corefile after the crash?

Regards,
Bogdan

----------------------------------------------------------------------
