[OpenSIPS-Devel] [ opensips-Bugs-3477675 ] Segfault in registrar module

SourceForge.net noreply at sourceforge.net
Mon Jan 23 12:39:46 CET 2012


Bugs item #3477675, was opened at 2012-01-23 03:20
Message generated for change (Comment added) made by vladut-paiu
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=1086410&aid=3477675&group_id=232389

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: modules
Group: trunk
Status: Open
>Resolution: Accepted
Priority: 5
Private: No
Submitted By: saghul (saghul)
>Assigned to: Vladut-Stefan Paiu (vladut-paiu)
Summary: Segfault in registrar module

Initial Comment:
Hi,

I ran into the following crash on a system using trunk r8673:

#0  0xb7216bfa in calc_buf_len (c=0xaf773ce0) at reply.c:146
#1  build_contact (c=0xaf773ce0) at reply.c:215
#2  0xb721aae5 in add_contacts (_m=0x84eeb50, forced_binding=0x0, _d=0xaf710ebc "@\016q�", _f=0x0, _s=0x0) at save.c:678
#3  save_aux (_m=0x84eeb50, forced_binding=0x0, _d=0xaf710ebc "@\016q�", _f=0x0, _s=0x0) at save.c:800
#4  0xb721b347 in save (_m=0x84eeb50, _d=0xaf710ebc "@\016q�", _f=0x0, _s=0x0) at save.c:847
#5  0x0805a345 in do_action (a=0x843f0d0, msg=0x84eeb50) at action.c:1454

I inspected the trace and I saw that the ucontact struct (c) does have the instance field set, but the REGISTER didn't contain any GRUU. It actually contains the domain part of the AoR. 

It segfaults because the sock element of the structure is NULL and calc_buf_len assumes it's not in case instance is set, but how instance got set without a +sip.instance parameter in the Contact header eludes me.

I did try to reproduce this, but couldn't. It happened on a production server which I had to downgrade to avoid this.

I saved several coredumps exactly like this, so if more information is needed please let me know.


Thanks and regards,



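The failure mode described above (a contact record whose instance field is set while its socket pointer is NULL, so a length calculation that trusts the instance flag dereferences NULL) is shown below with a guard that refuses inconsistent records instead of crashing. This is an added illustration, not the OpenSIPS registrar code: the `struct contact`, `struct sock_info`, `contact_buf_len` and the sample records are hypothetical stand-ins, and the way the socket address is folded into the length is made up purely to give the socket a role in the computation.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified stand-ins for the registrar's contact and socket
 * records. They are NOT the OpenSIPS ucontact / socket_info definitions. */
struct sock_info {
    const char *address;          /* e.g. "192.0.2.10" (constructed sample) */
    unsigned short port;
};

struct contact {
    const char *uri;              /* Contact URI, e.g. "sip:alice@192.0.2.20" */
    const char *instance;         /* "+sip.instance" value, or NULL if absent */
    const struct sock_info *sock; /* receiving socket; may be NULL */
};

/* Returns the number of bytes needed to render the Contact header value,
 * or -1 if the record is inconsistent (instance set but no socket available).
 * An unchecked version would dereference c->sock whenever c->instance is set,
 * which is exactly the NULL dereference reported in the backtrace above. */
long contact_buf_len(const struct contact *c)
{
    long len;
    char portbuf[8];

    if (c == NULL || c->uri == NULL)
        return -1;

    len = 1 + (long)strlen(c->uri) + 1;                /* "<" uri ">" */

    if (c->instance != NULL) {
        /* Invariant check: instance implies a socket to derive the
         * extra parameters from. Log and reject instead of crashing. */
        if (c->sock == NULL || c->sock->address == NULL) {
            fprintf(stderr, "contact_buf_len: instance set but sock is NULL for %s\n",
                    c->uri);
            return -1;
        }
        /* Hypothetical layout: ";+sip.instance=" value ";gr=" host ":" port */
        len += (long)strlen(";+sip.instance=") + (long)strlen(c->instance);
        len += (long)strlen(";gr=") + (long)strlen(c->sock->address);
        len += 1 + snprintf(portbuf, sizeof portbuf, "%u", (unsigned)c->sock->port);
    }
    return len;
}

/* Constructed sample records used by main() and by the tests. */
static const struct sock_info sample_sock = { "192.0.2.10", 5060 };

long sample_plain(void)          /* no instance: 1 + 20 + 1 */
{
    struct contact c = { "sip:alice@192.0.2.20", NULL, &sample_sock };
    return contact_buf_len(&c);
}

long sample_with_instance(void)  /* instance and socket both present */
{
    struct contact c = { "sip:alice@192.0.2.20", "urn:uuid:c0ffee", &sample_sock };
    return contact_buf_len(&c);
}

long sample_inconsistent(void)   /* instance set, sock NULL: the crashing shape */
{
    struct contact c = { "sip:alice@192.0.2.20", "urn:uuid:c0ffee", NULL };
    return contact_buf_len(&c);
}

int main(void)
{
    printf("plain: %ld\n", sample_plain());
    printf("with instance: %ld\n", sample_with_instance());
    printf("inconsistent: %ld\n", sample_inconsistent());
    return 0;
}
```

The guard turns the segfault into a logged error for the offending AoR, which also gives operators something to alert on; it does not explain how the instance field came to be set without a +sip.instance parameter, which still has to be chased in the core file.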
----------------------------------------------------------------------

>Comment By: Vladut-Stefan Paiu (vladut-paiu)
Date: 2012-01-23 03:39

Message:
Hi Saúl,

Can you please provide the SIP trace for such a crash?
Also, it would help if you could privately provide access to the core file
& OpenSIPS binary, so I can look through it.

I'm thinking that maybe there was an overflow that overwrote the
sip_instance pointer, but I'm not sure until I can see more from gdb and the
trace.

Regards,
Vlad

----------------------------------------------------------------------



