[OpenSIPS-Devel] [ opensips-Bugs-3182319 ] segfault in codecs.c post 7589 patch
SourceForge.net
noreply at sourceforge.net
Thu Jun 30 19:47:02 CEST 2011
Bugs item #3182319, was opened at 2011-02-15 16:51
Message generated for change (Comment added) made by bogdan_iancu
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=1086410&aid=3182319&group_id=232389
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: modules
Group: None
>Status: Closed
>Resolution: Accepted
Priority: 7
Private: No
Submitted By: Robert Smith (denodaeus)
Assigned to: Bogdan-Andrei Iancu (bogdan_iancu)
Summary: segfault in codecs.c post 7589 patch
Initial Comment:
It seems like we're still segfaulting in codecs.c, although in a slightly different place, but still involving codec_delete_except_re:
We're currently seeing some crashing around the same area of code even after applying the patch fix from trunk (7589 patch):
#0 0x00002b5a5bbfa0f6 in stream_process (msg=0x7a2f38, str1=0x0, str2=0x0, re=0x7994e8, op=1, desc=3) at codecs.c:524
524 temp = payload->rtp_enc.s[payload->rtp_enc.len];
(gdb) list
519 match = 0;
520
521 if( description == DESC_REGEXP ||description == DESC_REGEXP_COMPLEMENT )
522 {
523 /* try to match a regexp */
524 temp = payload->rtp_enc.s[payload->rtp_enc.len];
525 payload->rtp_enc.s[payload->rtp_enc.len] = 0;
526 match = regexec( re, payload->rtp_enc.s, 1, &pmatch, 0) == 0;
527 payload->rtp_enc.s[payload->rtp_enc.len] = temp;
528 }
(gdb) info locals
payload = 0x79d030
lmp = 0x7a6c58
depl = <value optimized out>
match = 8022576
cur = 0x1 <Address 0x1 out of bounds>
buff = 0x7a0e98 "pstn=500"
temp = -88 '\250'
ret = 0
i = <value optimized out>
pmatch = {rm_so = 5, rm_eo = 0}
__FUNCTION__ = "stream_process"
#0 0x00002b5a5bbfa0f6 in stream_process (msg=0x7a2f38, str1=0x0, str2=0x0, re=0x7994e8, op=1, desc=3) at codecs.c:524
payload = 0x79d030
lmp = 0x7a6c58
depl = <value optimized out>
match = 8022576
cur = 0x1 <Address 0x1 out of bounds>
buff = 0x7a0e98 "pstn=500"
temp = -88 '\250'
ret = 0
i = <value optimized out>
pmatch = {rm_so = 5, rm_eo = 0}
__FUNCTION__ = "stream_process"
#1 do_for_all_streams (msg=0x7a2f38, str1=0x0, str2=0x0, re=0x7994e8, op=1, desc=3) at codecs.c:408
cur_cell = 0x7a6a30
cur_session = 0x79b7f0
rez = <value optimized out>
__FUNCTION__ = "do_for_all_streams"
#2 0x00002b5a5bbfa785 in codec_delete_except_re (msg=0x0, str1=0x7a6a30 "") at codecs.c:748
No locals.
#3 0x000000000040e978 in do_action (a=0x799828, msg=0x7a2f38) at action.c:1045
val_s = {s = 0x6a <Address 0x6a out of bounds>, len = 331625791}
aux = {s = 0x521b8f "", len = 5381007}
ret = <value optimized out>
v = <value optimized out>
to = <value optimized out>
p = <value optimized out>
tmp = <value optimized out>
new_uri = <value optimized out>
end = <value optimized out>
crt = <value optimized out>
len = <value optimized out>
(gdb) print payload
$4 = (sdp_payload_attr_t *) 0x79d030
(gdb) print *payload
$5 = {next = 0x79a9e8, payload_num = 1, rtp_payload = {s = 0x7592d8 "8 18 101\r\na=rtpmap:0 PCMU/8000\r\na=rtpmap:8 P\r\na=nortpproxy:yes\r\n", len = 1}, rtp_enc = {s = 0x759303 "P\r\na=nortpproxy:yes\r\n", len = -7705347},
rtp_clock = {s = 0x1 <Address 0x1 out of bounds>, len = 7705347}, rtp_params = {s = 0x0, len = 0}, sendrecv_mode = {s = 0x0, len = 0}, ptime = {s = 0x0, len = 0}, fmtp_string = {s = 0x0, len = 0}}
(gdb) print *payload->rtp_enc
Structure has no component named operator*.
(gdb) print payload->rtp_enc
$6 = {s = 0x759303 "P\r\na=nortpproxy:yes\r\n", len = -7705347}
(gdb) print payload->rtp_enc.s
$7 = 0x759303 "P\r\na=nortpproxy:yes\r\n"
(gdb) print payload->rtp_enc.s
$8 = 0x759303 "P\r\na=nortpproxy:yes\r\n"
(gdb) print rtp_enc.len
No symbol "rtp_enc" in current context.
(gdb) print payload->rtp_enc
$9 = {s = 0x759303 "P\r\na=nortpproxy:yes\r\n", len = -7705347}
(gdb) print payload->rtp_enc.len
$10 = -7705347
(gdb)
I will comment that part of the SDP is truncated (the a=rtpmap P ends without MCA and clock), and it looks like the nortpproxy:yes string is appended after that with a crlf:
(gdb) print val_s.s
$12 = 0x759004 "973f4230367e88d0c06ccd6f70e8ed72 at 10.2.1.43\r\nCSeq: 32621 INVITE\r\nFrom: \"WASHINGTON DC\" <sip:1234567890 at 10.2.1.43>;tag=3383745851297549218022\r\nTo: <sip:18042181197 at external.com>\r\nVia: SIP/2.0/UDP 4.2.2.3;branch=z9hG4bKf86.d04be483.0\r\nVia: SIP/2.0/UDP 10.2.1.43:5060;branch=z9hG4bK1735452086568519500666701297549218024\r\nMax-Forwards: 68\r\nContact: \"Foo\" <sip:1234567890 at 10.2.1.43:5060>;transport=udp\r\nContent-Type: application/sdp\r\nAllow: INVITE, OPTIONS, BYE, CANCEL, ACK, REFER, NOTIFY, INFO, PRACK\r\nUser-Agent: Foo/6.2.0.30\r\nContent-Length: 207\r\n\r\nv=0\r\no=Foo 1297549218020 1297549218020 IN IP4 10.2.1.43\r\ns=SIP Media Capabilities\r\nc=IN IP4 4.2.2.1\r\nt=0 0\r\nm=audio 25560 RTP/AVP 0 8 18 101\r\na=rtpmap:0 PCMU/8000\r\na=rtpmap:8 P\r\na=nortpproxy:yes\r\n"
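The dump above shows the truncated `a=rtpmap:8 P` line ending up as an `rtp_enc` with a negative `len`. As an added example (not OpenSIPS code and not part of the original report), here is a bounded rtpmap line parser in C that rejects such a line instead of producing a length from an out-of-line delimiter; `cstr_t`, `rtpmap_t` and `parse_rtpmap` are hypothetical names, and the caller is assumed to pass one line without its CRLF.

```c
#include <stddef.h>
#include <string.h>

/* Counted string (pointer plus length, not NUL-terminated).
 * Illustrative types only, not the OpenSIPS definitions. */
typedef struct { const char *s; int len; } cstr_t;
typedef struct { cstr_t payload, enc, clock; } rtpmap_t;

/* First occurrence of c in [p, end), or NULL; never looks past end. */
static const char *find(const char *p, const char *end, char c)
{
    return (p < end) ? memchr(p, c, (size_t)(end - p)) : NULL;
}

/* Parse "a=rtpmap:<pt> <enc>/<clock>[/<params>]" of known length.
 * Every delimiter search is bounded by the end of this one line, so a
 * truncated line is rejected rather than yielding a negative or oversized
 * length. Returns 0 on success, -1 on malformed input; *out is only
 * meaningful on success. */
int parse_rtpmap(const char *line, int line_len, rtpmap_t *out)
{
    static const char prefix[] = "a=rtpmap:";
    const int plen = (int)sizeof(prefix) - 1;
    const char *end, *p, *sp, *slash, *cend;

    if (line == NULL || out == NULL || line_len <= plen) return -1;
    if (memcmp(line, prefix, (size_t)plen) != 0) return -1;

    end = line + line_len;
    p = line + plen;
    sp = find(p, end, ' ');
    if (sp == NULL || sp == p) return -1;            /* no payload type */
    slash = find(sp + 1, end, '/');
    if (slash == NULL || slash == sp + 1) return -1; /* no "/clock": truncated */
    cend = find(slash + 1, end, '/');
    if (cend == NULL) cend = end;                    /* no optional params */
    if (cend == slash + 1) return -1;                /* empty clock rate */

    out->payload.s = p;       out->payload.len = (int)(sp - p);
    out->enc.s = sp + 1;      out->enc.len = (int)(slash - (sp + 1));
    out->clock.s = slash + 1; out->clock.len = (int)(cend - (slash + 1));
    return 0;
}
```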
----------------------------------------------------------------------
>Comment By: Bogdan-Andrei Iancu (bogdan_iancu)
Date: 2011-06-30 20:47
Message:
Merged into 3347257
----------------------------------------------------------------------
Comment By: Robert Smith (denodaeus)
Date: 2011-02-16 10:59
Message:
This seems to fix the problem for us:
*** codecs.c_orig 2011-02-16 03:56:03.000000000 -0500
--- codecs.c 2011-02-16 03:55:19.000000000 -0500
***************
*** 293,299 ****
if( payload->rtp_enc.s == NULL
|| (payload->rtp_clock.s == NULL && ss != NULL)
! || payload->rtp_payload.s == NULL)
{
payload = payload->next;
continue;
--- 293,300 ----
if( payload->rtp_enc.s == NULL
|| (payload->rtp_clock.s == NULL && ss != NULL)
! || payload->rtp_payload.s == NULL
! || payload->rtp_enc.len < 0)
{
payload = payload->next;
continue;
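Review bot: The added `payload->rtp_enc.len < 0` test at line 293 only covers the negative length seen in this dump; the same `*payload` print shows `rtp_clock = {s = 0x1, len = 7705347}`, which still passes the `rtp_clock.s == NULL` test in this condition with a pointer that is not valid. Consider rejecting `rtp_enc.len <= 0` and checking `rtp_clock.len` the same way. The crash was reported at codecs.c:524 in stream_process, so it is worth confirming that this loop is on that path, or placing an equivalent guard before line 524 reads and writes `rtp_enc.s[rtp_enc.len]`. The negative length itself comes from parsing the truncated `a=rtpmap:8 P` line, so the parser that fills `sdp_payload_attr_t` should refuse such a line rather than each consumer checking for it.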
I can also send you the routing script privately, if I can get some info
on how to do so. Thanks much.
----------------------------------------------------------------------
Comment By: Bogdan-Andrei Iancu (bogdan_iancu)
Date: 2011-02-15 23:02
Message:
Hi Robert,
Could you post your exact script also? It is very important to know where you
call the codec-related functions (in what type of route, etc.).
Regards,
Bogdan
----------------------------------------------------------------------
Comment By: Robert Smith (denodaeus)
Date: 2011-02-15 22:13
Message:
I have a SIPP that can reproduce this 100% of the time, if calling the
codec_delete_except_re for (PCMU|PCMA|telephone-event). Will attach the
file.
----------------------------------------------------------------------