[OpenSIPS-Devel] [ opensips-Bugs-3033111 ] pua_dialoginfo crashes when using calle?_spec_param

SourceForge.net noreply at sourceforge.net
Thu Jul 22 17:29:33 CEST 2010


Bugs item #3033111, was opened at 2010-07-22 17:29
Message generated for change (Tracker Item Submitted) made by viraptor
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=1086410&aid=3033111&group_id=232389

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: modules
Group: trunk
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Stanislaw Pitucha (viraptor)
Assigned to: Nobody/Anonymous (nobody)
Summary: pua_dialoginfo crashes when using calle?_spec_param

Initial Comment:
If I try to use my own parameters, I get the following log (starts at assigning to spec_param, then dialoginfo_set("B")):

Jul 22 16:22:37 v-test-sip-1 opensips[15132]: DBG:core:pv_get_xto_attr: no Display name 
Jul 22 16:22:37 v-test-sip-1 opensips[15132]: DBG:core:dialoginfo_set: new INVITE dialog created: from=sip:2433237 at devsip.gradwell.net 
Jul 22 16:22:37 v-test-sip-1 opensips[15132]: DBG:core:parse_to: spitting out [2] in status 2 
Jul 22 16:22:37 v-test-sip-1 opensips[15132]: DBG:core:dialoginfo_set: caller: ""2433237"" <sip:2433237 at devsip.gradwell.net>^M - len= 47 
Jul 22 16:22:37 v-test-sip-1 opensips[15132]: DBG:core:new_dlg_val: inserting <dlg_entity>=<""2433237"" <sip:2433237 at devsip.gradwell.net>^M > 
Jul 22 16:22:37 v-test-sip-1 opensips[15132]: DBG:core:dialoginfo_set: Peer uri = " <sip:2433238 at devsip.gradwell.net>^M  
Jul 22 16:22:37 v-test-sip-1 opensips[15132]: ERROR:core:parse_to: unexpected char [^M] in status 1: <<" <sip:2433238 at devsip.gradwell.net>>> . 
Jul 22 16:22:37 v-test-sip-1 opensips[15132]: DBG:core:new_dlg_val: inserting <dlg_peer>=<" <sip:2433238 at devsip.gradwell.net>^M > 
Jul 22 16:22:37 v-test-sip-1 opensips[15132]: DBG:core:new_dlg_val: inserting <dlginfo_flag>=<B> 
Jul 22 16:22:37 v-test-sip-1 opensips[15134]: DBG:core:utimer_routine: timer routine:4,tl=0xb01b0bd0 next=(nil), timeout=137900000 
Jul 22 16:22:37 v-test-sip-1 opensips[15134]: DBG:core:utimer_routine: timer routine:4,tl=0xb01b3414 next=0xb01acb68, timeout=138000000 
Jul 22 16:22:37 v-test-sip-1 opensips[15134]: DBG:core:utimer_routine: timer routine:4,tl=0xb01acb68 next=(nil), timeout=138000000 
Jul 22 16:22:38 v-test-sip-1 opensips[15128]: INFO:core:handle_sigs: child process 15132 exited by a signal 11 
Jul 22 16:22:38 v-test-sip-1 opensips[15128]: INFO:core:handle_sigs: core was generated 
Jul 22 16:22:38 v-test-sip-1 opensips[15128]: INFO:core:handle_sigs: terminating due to SIGCHLD 
Jul 22 16:22:38 v-test-sip-1 opensips[15139]: INFO:core:sig_usr: signal 15 received 
Jul 22 16:22:38 v-test-sip-1 opensips[15138]: INFO:core:sig_usr: signal 15 received 
Jul 22 16:22:38 v-test-sip-1 opensips[15137]: INFO:core:sig_usr: signal 15 received 
Jul 22 16:22:38 v-test-sip-1 opensips[15136]: INFO:core:sig_usr: signal 15 received 
Jul 22 16:22:38 v-test-sip-1 opensips[15134]: INFO:core:sig_usr: signal 15 received 
Jul 22 16:22:38 v-test-sip-1 opensips[15133]: INFO:core:sig_usr: signal 15 received 
Jul 22 16:22:38 v-test-sip-1 opensips[15130]: INFO:core:sig_usr: signal 15 received 
Jul 22 16:22:38 v-test-sip-1 opensips[15129]: INFO:core:sig_usr: signal 15 received 
Jul 22 16:22:38 v-test-sip-1 opensips[15135]: INFO:core:sig_usr: signal 15 received 
Jul 22 16:22:38 v-test-sip-1 opensips[15131]: INFO:core:sig_usr: signal 15 received 
Jul 22 16:22:38 v-test-sip-1 opensips[15140]: INFO:core:sig_usr: signal 15 received 
Jul 22 16:22:38 v-test-sip-1 opensips[15128]: DBG:core:destroy: destroying module ... 
Jul 22 16:22:38 v-test-sip-1 opensips[15128]: INFO:core:pike_exit: destroying... 
Jul 22 16:22:38 v-test-sip-1 opensips[15128]: DBG:core:destroy: destroying module ... 
Jul 22 16:22:38 v-test-sip-1 opensips[15128]: DBG:core:destroy: destroying module ... 
Jul 22 16:22:38 v-test-sip-1 opensips[15128]: DBG:core:print_ua_pres:   pres_uri= sip:2433237 at devsip.gradwell.net   len= 31 
Jul 22 16:22:38 v-test-sip-1 opensips[15128]: DBG:core:print_ua_pres:   etag= a.1279803218.13090.9.17 - len= 23 
Jul 22 16:22:38 v-test-sip-1 opensips[15128]: DBG:core:print_ua_pres:   id= DIALOG_PUBLISH 
Jul 22 16:22:38 v-test-sip-1 opensips[15128]: DBG:core:print_ua_pres:   expires= 3599 
Jul 22 16:22:38 v-test-sip-1 opensips[15128]: DBG:core:db_update: -------- 
Jul 22 16:22:38 v-test-sip-1 opensips[15128]: DBG:core:db_update: UPDATEDB_FLAG 
Jul 22 16:22:38 v-test-sip-1 opensips[15128]: DBG:core:db_update: Updating:n_query_update= 3    n_update_cols= 4 
Jul 22 16:22:38 v-test-sip-1 opensips[15128]: DBG:core:pool_remove: connection still kept in the pool 
Jul 22 16:22:38 v-test-sip-1 opensips[15128]: DBG:core:destroy: start 
Jul 22 16:22:38 v-test-sip-1 opensips[15128]: DBG:core:pool_remove: connection still kept in the pool 
Jul 22 16:22:38 v-test-sip-1 opensips[15128]: NOTICE:core:destroy: destroy module ...

It seems to be some kind of memory corruption, because the stack is destroyed and entity somehow was dereferenced on line 253, even though it's NULL:

#0  0x001b43b8 in build_dialoginfo (state=0x100a0 <Address 0x100a0 out of bounds>, entity=0x0, peer=0x24880000, callid=0xeb7811d4, initiator=2296119297, localtag=0x48d0063, remotetag=0x1ff43733) at dialog_publish.c:255
255					memcpy(buf, entity->display.s+1, entity->display.len-2);
(gdb) bt
#0  0x001b43b8 in build_dialoginfo (state=0x100a0 <Address 0x100a0 out of bounds>, entity=0x0, peer=0x24880000, callid=0xeb7811d4, initiator=2296119297, localtag=0x48d0063, remotetag=0x1ff43733) at dialog_publish.c:255
#1  0x77b40063 in ?? ()
#2  0x000100a0 in ?? ()
#3  0x00000000 in ?? ()
(gdb) list
250							entity->display.s, MAX_URI_SIZE);
251					return NULL;
252				}
253				if(entity->display.s[0] == '"')
254				{
255					memcpy(buf, entity->display.s+1, entity->display.len-2);
256					buf[entity->display.len-2] = '\0';
257				}
258				else
259				{


----------------------------------------------------------------------
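
Added example, not part of the original report and not OpenSIPS code: a guarded version of the quote-stripping copy shown in the gdb listing, which refuses a NULL entity (as seen in frame #0) and checks the length before computing len - 2. The names str_t, to_body_sketch, copy_display_name, demo and the 16-byte buffer are hypothetical; the struct shape (pointer plus signed int length) is an assumption based on the fields used in the listing.

```c
#include <stdio.h>
#include <string.h>

/* Assumed stand-ins for the types behind entity->display in the listing. */
typedef struct { const char *s; int len; } str_t;
struct to_body_sketch { str_t display; };

/* Copy the display name into buf, dropping one pair of surrounding quotes.
 * Returns bytes written (without the NUL), or -1 if the input is unusable. */
int copy_display_name(const struct to_body_sketch *entity, char *buf, size_t buflen)
{
    const char *src;
    int len;

    if (entity == NULL || buf == NULL || buflen == 0)
        return -1;                 /* e.g. header parsing failed upstream */
    if (entity->display.s == NULL || entity->display.len <= 0) {
        buf[0] = '\0';             /* an absent display name is legal */
        return 0;
    }
    src = entity->display.s;
    len = entity->display.len;
    if (src[0] == '"') {
        /* len - 2 goes negative for a lone quote; as a memcpy size that
         * converts to a huge size_t, so require both quotes first. */
        if (len < 2 || src[len - 1] != '"')
            return -1;
        src += 1;
        len -= 2;
    }
    if ((size_t)len >= buflen)
        return -1;                 /* would not fit with the terminator */
    memcpy(buf, src, (size_t)len);
    buf[len] = '\0';
    return len;
}

static char demo_buf[16];          /* constructed size for the demo */

/* Helper for the demo: wrap a C string as a display name and copy it. */
int demo(const char *raw)
{
    struct to_body_sketch e = { { raw, (int)strlen(raw) } };
    return copy_display_name(&e, demo_buf, sizeof demo_buf);
}

int main(void)
{
    printf("%d %d %d\n", demo("\"2433237\""), demo("\""), demo("Alice"));
    return 0;
}
```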
