[OpenSIPS-Devel] [ opensips-Bugs-2495521 ] [seas] no check for write overflow in msg_encode

SourceForge.net noreply at sourceforge.net
Wed Sep 30 14:16:24 CEST 2009


Bugs item #2495521, was opened at 2009-01-09 13:07
Message generated for change (Settings changed) made by bogdan_iancu
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=1086410&aid=2495521&group_id=232389

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: modules
Group: trunk
Status: Open
Resolution: Postponed
>Priority: 2
Private: No
Submitted By: Nobody/Anonymous (nobody)
Assigned to: Sergio Gutierrez (saguti)
Summary: [seas] no check for write overflow in msg_encode

Initial Comment:
Hi,
I'm integrating Opensips 1.4.3-tls (integrated with WeSip to use Java Sip Servlet) with Microsoft OCS 2007.
When I receive a NOTIFY from OCS, or sometimes a 200 OK with an XML payload, I experience an error that makes OpenSips and my SIP Servlet stop working.

I found on the internet someone who seems to have a similar problem (but uses a different version of OpenSips); here is the link to the discussion:
http://www.mail-archive.com/devel@lists.opensips.org/msg00007.html

Below you can find the OpenSips log:

Feb 14 16:27:33 asterisk /product/opensips/sbin/opensips[20345]: NOTICE:presence:child_init: init_child [4]  pid [20345] 
Feb 14 16:27:33 asterisk /product/opensips/sbin/opensips[20356]: NOTICE:presence:child_init: init_child [5]  pid [20356] 
Feb 14 16:27:33 asterisk /product/opensips/sbin/opensips[20347]: NOTICE:presence:child_init: init_child [-1]  pid [20347] 
Feb 14 16:27:33 asterisk /product/opensips/sbin/opensips[20343]: NOTICE:presence:child_init: init_child [3]  pid [20343] 
Feb 14 16:27:33 asterisk /product/opensips/sbin/opensips[20358]: NOTICE:presence:child_init: init_child [6]  pid [20358] 
Feb 14 16:27:33 asterisk /product/opensips/sbin/opensips[20359]: NOTICE:presence:child_init: init_child [7]  pid [20359] 
Feb 14 16:27:33 asterisk /product/opensips/sbin/opensips[20362]: NOTICE:presence:child_init: init_child [8]  pid [20362] 
Feb 14 16:27:33 asterisk /product/opensips/sbin/opensips[20367]: NOTICE:presence:child_init: init_child [-4]  pid [20367] 
Feb 14 16:27:33 asterisk /product/opensips/sbin/opensips[20330]: NOTICE:presence:child_init: init_child [0]  pid [20330] 
Feb 14 16:30:59 asterisk /product/opensips/sbin/opensips[20340]: INFO:seas:dispatcher_main_loop: polling [2 ServSock] [1 pipe] [1 App Servers] [0 Uncomplete AS] 
Feb 14 16:31:34 asterisk last message repeated 4 times
Feb 14 16:33:05 asterisk last message repeated 12 times
Feb 14 16:33:22 asterisk last message repeated 4 times
Feb 14 16:33:23 asterisk /product/opensips/sbin/opensips[20367]: CRITICAL:core:receive_fd: EOF on 18 
Feb 14 16:33:23 asterisk /product/opensips/sbin/opensips[20330]: INFO:core:handle_sigs: child process 20356 exited by a signal 11 
Feb 14 16:33:23 asterisk /product/opensips/sbin/opensips[20330]: INFO:core:handle_sigs: core was generated 
Feb 14 16:33:23 asterisk /product/opensips/sbin/opensips[20330]: INFO:core:handle_sigs: terminating due to SIGCHLD 
Feb 14 16:33:23 asterisk /product/opensips/sbin/opensips[20367]: INFO:core:sig_usr: signal 15 received 
Feb 14 16:33:23 asterisk /product/opensips/sbin/opensips[20347]: INFO:core:sig_usr: signal 15 received 
Feb 14 16:33:23 asterisk /product/opensips/sbin/opensips[20362]: INFO:core:sig_usr: signal 15 received 
Feb 14 16:33:23 asterisk /product/opensips/sbin/opensips[20359]: INFO:core:sig_usr: signal 15 received 
Feb 14 16:33:23 asterisk /product/opensips/sbin/opensips[20358]: INFO:core:sig_usr: signal 15 received 
Feb 14 16:33:23 asterisk /product/opensips/sbin/opensips[20354]: INFO:core:sig_usr: signal 15 received 
Feb 14 16:33:23 asterisk /product/opensips/sbin/opensips[20346]: INFO:seas:seas_sighandler: INFO: signal 15 received 
Feb 14 16:33:23 asterisk /product/opensips/sbin/opensips[20345]: INFO:core:sig_usr: signal 15 received 
Feb 14 16:33:23 asterisk /product/opensips/sbin/opensips[20343]: INFO:core:sig_usr: signal 15 received 
Feb 14 16:33:23 asterisk /product/opensips/sbin/opensips[20341]: INFO:core:sig_usr: signal 15 received 
Feb 14 16:33:23 asterisk /product/opensips/sbin/opensips[20338]: INFO:core:sig_usr: signal 15 received 
Feb 14 16:33:23 asterisk /product/opensips/sbin/opensips[20340]: INFO:seas:seas_sighandler: INFO: signal 15 received 
Feb 14 16:33:26 asterisk /product/opensips/sbin/opensips[20346]: INFO:seas:seas_sighandler: [shootist] Action dispatcher exiting 
Feb 14 16:33:26 asterisk /product/opensips/sbin/opensips[20330]: NOTICE:presence:destroy: destroy module ... 



----------------------------------------------------------------------

Comment By: Sergio Gutierrez (saguti)
Date: 2009-03-24 12:30

Message:
Hello.

Fix is available at OpenSIPS 1.4.5 and OpenSIPS 1.5.0. You can try both of
them.

We are still working on a definitive fix; please stay tuned.

Regards.

Sergio

----------------------------------------------------------------------

Comment By: Nobody/Anonymous (nobody)
Date: 2009-03-24 11:26

Message:
Send me the workaround to try.
For testing, let me know when the complete fix will be available.

----------------------------------------------------------------------

Comment By: Sergio Gutierrez (saguti)
Date: 2009-03-21 22:55

Message:
Hello Antonio.

As fixing this bug is not trivial, and it involves a complex rework of the
module, I released a temporary workaround statically increasing the buffer
size, but a complete fix would be released after testing, in the next
development release of OpenSIPS (after 1.5), so I will change the status of
this report to postponed.

If it is possible, we would like to count on your help for testing the
complete fix.

Thanks and regards.

Sergio G.

----------------------------------------------------------------------

Comment By: Bogdan-Andrei Iancu (bogdan_iancu)
Date: 2009-03-13 12:29

Message:
Antonio,

Sergio is currently working on a fix for this - unfortunately, a proper
fix is not trivial, but it will be done by the 1.5 release, next week.

Regards,
Bogdan

----------------------------------------------------------------------

Comment By: Sergio Gutierrez (saguti)
Date: 2009-03-13 12:29

Message:
Hello Antonio.

Currently we are working on a patch for this. Please give us some time,
and we will have some news for you.

Regards.

Sergio

----------------------------------------------------------------------

Comment By: Nobody/Anonymous (nobody)
Date: 2009-03-13 12:14

Message:
Is there any news on this?
Thanks in advance,
Antonio

----------------------------------------------------------------------

Comment By: Nobody/Anonymous (nobody)
Date: 2009-01-15 23:28

Message:
I went deeper into the analysis and found out that the problem is that the
SIP message is too long and makes Seas crash.

I found the parameter ENCODED_MSG_SIZE in "seas.h", which is set to 3200 by
default.
Setting this parameter to a larger value, it seems that all is going fine.

It does not seem good behavior that the OpenSips server crashes with this
kind of message.
Is it possible to release a patch that fixes this or, for example, makes the
maximum size of the payload configurable from the opensips configuration
file?

Thanks in advance,
Antonio

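The reporter's finding above (a fixed ENCODED_MSG_SIZE buffer that the encoder writes into without checking the remaining room) is the whole bug. As an added example that is not the seas module's code nor anything posted in this thread, here is a check-before-write encoder in C; the 3200 constant comes from the report, while the framing (2-byte length prefix plus raw message) and the function names are constructed stand-ins.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not seas module code: a check-before-write encoder of the
 * kind the fix needs. ENCODED_MSG_SIZE mirrors the default from seas.h named
 * in the report; the framing (2-byte length + raw message) and the function
 * names are constructed stand-ins for the real wire format. */
#define ENCODED_MSG_SIZE 3200

typedef struct {
    unsigned char *buf;   /* destination buffer */
    size_t cap;           /* total capacity */
    size_t len;           /* bytes written so far */
} enc_buf_t;

/* Copy n bytes only if they fit. Returns 0, or -1 when the write would run
 * past the end of the buffer (the unchecked case that crashed the proxy). */
static int enc_append(enc_buf_t *e, const void *src, size_t n) {
    if (n > e->cap - e->len)
        return -1;
    memcpy(e->buf + e->len, src, n);
    e->len += n;
    return 0;
}

/* Encode msg as [u16 big-endian length][body]. Returns the encoded size,
 * or -1 if the message does not fit in out_cap bytes. */
int msg_encode_checked(const char *msg, size_t msg_len,
                       unsigned char *out, size_t out_cap) {
    enc_buf_t e = { out, out_cap, 0 };
    unsigned char hdr[2];
    if (msg_len > 0xFFFFu)          /* would not fit the length field */
        return -1;
    hdr[0] = (unsigned char)(msg_len >> 8);
    hdr[1] = (unsigned char)(msg_len & 0xFFu);
    if (enc_append(&e, hdr, sizeof hdr) < 0 || enc_append(&e, msg, msg_len) < 0)
        return -1;
    return (int)e.len;
}

/* Encode a constructed body of body_len bytes into an ENCODED_MSG_SIZE
 * buffer, to show the boundary: 3198 bytes fit, 3199 are refused. */
int encode_synthetic(size_t body_len) {
    static char body[4096];
    unsigned char out[ENCODED_MSG_SIZE];
    if (body_len > sizeof body)
        return -1;
    memset(body, 'x', body_len);
    return msg_encode_checked(body, body_len, out, sizeof out);
}
```

With the 2640-byte NOTIFY from the backtrace the encoder returns 2642; a body that would need more than 3200 bytes is rejected with -1 instead of overwriting whatever follows the buffer.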
----------------------------------------------------------------------

Comment By: Nobody/Anonymous (nobody)
Date: 2009-01-09 17:06

Message:
Core Dump and Backtrace below:

GNU gdb Red Hat Linux (6.3.0.0-1.143.el4rh)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...Using host libthread_db library "/lib/tls/libthread_db.so.1".

Core was generated by `./opensips -P /var/run/opensips.pid'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libdl.so.2...done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /lib/libresolv.so.2...done.
Loaded symbols for /lib/libresolv.so.2
Reading symbols from /lib/libssl.so.4...done.
Loaded symbols for /lib/libssl.so.4
Reading symbols from /lib/libcrypto.so.4...done.
Loaded symbols for /lib/libcrypto.so.4
Reading symbols from /lib/tls/libc.so.6...done.
Loaded symbols for /lib/tls/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /usr/lib/libgssapi_krb5.so.2...done.
Loaded symbols for /usr/lib/libgssapi_krb5.so.2
Reading symbols from /usr/lib/libkrb5.so.3...done.
Loaded symbols for /usr/lib/libkrb5.so.3
Reading symbols from /lib/libcom_err.so.2...done.
Loaded symbols for /lib/libcom_err.so.2
Reading symbols from /usr/lib/libk5crypto.so.3...done.
Loaded symbols for /usr/lib/libk5crypto.so.3
Reading symbols from /usr/lib/libz.so.1...done.
Loaded symbols for /usr/lib/libz.so.1
Reading symbols from /product/opensips/lib/opensips/modules/db_mysql.so...done.
Loaded symbols for /product/opensips//lib/opensips/modules/db_mysql.so
Reading symbols from /usr/lib/mysql/libmysqlclient.so.14...done.
Loaded symbols for /usr/lib/mysql/libmysqlclient.so.14
Reading symbols from /lib/libcrypt.so.1...done.
Loaded symbols for /lib/libcrypt.so.1
Reading symbols from /lib/libnsl.so.1...done.
Loaded symbols for /lib/libnsl.so.1
Reading symbols from /lib/tls/libm.so.6...done.
Loaded symbols for /lib/tls/libm.so.6
Reading symbols from /product/opensips/lib/opensips/modules/sl.so...done.
Loaded symbols for /product/opensips//lib/opensips/modules/sl.so
Reading symbols from /product/opensips/lib/opensips/modules/tm.so...done.
Loaded symbols for /product/opensips//lib/opensips/modules/tm.so
Reading symbols from /product/opensips/lib/opensips/modules/rr.so...done.
Loaded symbols for /product/opensips//lib/opensips/modules/rr.so
Reading symbols from /product/opensips/lib/opensips/modules/maxfwd.so...done.
Loaded symbols for /product/opensips//lib/opensips/modules/maxfwd.so
Reading symbols from /product/opensips/lib/opensips/modules/usrloc.so...done.
Loaded symbols for /product/opensips//lib/opensips/modules/usrloc.so
Reading symbols from /product/opensips/lib/opensips/modules/registrar.so...done.
Loaded symbols for /product/opensips//lib/opensips/modules/registrar.so
Reading symbols from /product/opensips/lib/opensips/modules/textops.so...done.
Loaded symbols for /product/opensips//lib/opensips/modules/textops.so
Reading symbols from /product/opensips/lib/opensips/modules/mi_fifo.so...done.
Loaded symbols for /product/opensips//lib/opensips/modules/mi_fifo.so
Reading symbols from /product/opensips/lib/opensips/modules/uri_db.so...done.
Loaded symbols for /product/opensips//lib/opensips/modules/uri_db.so
Reading symbols from /product/opensips/lib/opensips/modules/uri.so...done.
Loaded symbols for /product/opensips//lib/opensips/modules/uri.so
Reading symbols from /product/opensips/lib/opensips/modules/xlog.so...done.
Loaded symbols for /product/opensips//lib/opensips/modules/xlog.so
Reading symbols from /product/opensips/lib/opensips/modules/acc.so...done.
Loaded symbols for /product/opensips//lib/opensips/modules/acc.so
Reading symbols from /product/opensips/lib/opensips/modules/seas.so...done.
Loaded symbols for /product/opensips//lib/opensips/modules/seas.so
Reading symbols from /product/opensips/lib/opensips/modules/auth.so...done.
Loaded symbols for /product/opensips//lib/opensips/modules/auth.so
Reading symbols from /product/opensips/lib/opensips/modules/auth_db.so...done.
Loaded symbols for /product/opensips//lib/opensips/modules/auth_db.so
Reading symbols from /lib/libnss_files.so.2...done.
Loaded symbols for /lib/libnss_files.so.2
#0  0x080d4921 in fm_malloc (qm=0xb5f26000, size=3656) at mem/f_malloc.c:267
267                             if ((*f)->size>=size) goto found;
(gdb) bt
#0  0x080d4921 in fm_malloc (qm=0xb5f26000, size=3656) at mem/f_malloc.c:267
#1  0x007d326a in build_cell (p_msg=0x81af168) at ../../mem/shm_mem.h:202
#2  0x007eea86 in t_newtran (p_msg=0x81af168) at t_lookup.c:1000
#3  0x0073336c in w_as_relay_t (msg=0x81af168, entry=0xb60c3b18 "Ø;\f¶\b", foo=0x0) at seas.c:248
#4  0x08055183 in do_action (a=0x8199548, msg=0x81af168) at action.c:845
#5  0x08056d7a in run_action_list (a=0x8199548, msg=0x81af168) at action.c:138
#6  0x0809e7d1 in eval_expr (e=0x81995b0, msg=0x81af168, val=0x0) at route.c:1104
#7  0x0809ea35 in eval_expr (e=0x81995d8, msg=0x81af168, val=0x0) at route.c:1417
#8  0x0809e390 in eval_expr (e=0x8199600, msg=0x81af168, val=0x0) at route.c:1422
#9  0x0805457e in do_action (a=0x8199828, msg=0x81af168) at action.c:700
#10 0x08056d7a in run_action_list (a=0x81993d0, msg=0x81af168) at action.c:138
#11 0x080568e6 in do_action (a=0x8199980, msg=0x81af168) at action.c:717
#12 0x08056d7a in run_action_list (a=0x8199980, msg=0x81af168) at action.c:138
#13 0x08057082 in run_top_route (a=0x8199980, msg=0x81af168) at action.c:118
#14 0x080910c8 in receive_msg (
    buf=0xb60c78a4 "BENOTIFY sip:192.168.5.59:44764;transport=tcp;AppId=.sip2msipGW;ms-received-cid=DC00 SIP/2.0\r\nVia: SIP/2.0/TCP 192.168.71.68;branch=z9hG4bK32C47BE9.10786EAB;branched=FALSE\r\nAuthentication-Info: NTLM r"..., len=2640, rcv_info=0xb60c7840) at receive.c:165
#15 0x080c0579 in tcp_read_req (con=0xb60c7830, bytes_read=0xbff5e6e4) at tcp_read.c:544
#16 0x080c101c in handle_io (fm=Variable "fm" is not available.
) at tcp_read.c:812
#17 0x080c3371 in tcp_receive_loop (unix_sock=17) at io_wait.h:727
#18 0x080bead9 in tcp_init_children (chd_rank=0x815b4c0) at tcp_main.c:1706
#19 0x0806bb50 in main (argc=3, argv=0xbff5ead4) at main.c:832


----------------------------------------------------------------------
