[OpenSIPS-Devel] [opensips] msg_translator.c:1539 -- segfault due to invalid offset (#155)
Stéphane Alnet
notifications at github.com
Sat Jan 4 10:12:35 CET 2014
(gdb) up
#1 0x000000000043e344 in build_req_buf_from_sip_req (
msg=msg at entry=0x7f6107e03660,
returned_len=returned_len at entry=0x7fff7e5ac434,
send_sock=send_sock at entry=0x7f6107dec340, proto=<optimized out>,
flags=flags at entry=1) at msg_translator.c:1539
1539 in msg_translator.c
(gdb) print len
$36 = 617
(gdb) print s_offset
$37 = 662
(gdb) print offset
$38 = 582
So `s_offset` is 45 bytes past `len`. I checked and `len` properly points to the last char (`\0`) in `msg->buf`.
Looking right before line 1539:
(gdb) print msg->first_line.u.request.uri.s-buf
$7 = 4
OK, that's a BYE, so 4.
(gdb) print msg->first_line.u.request.uri.len
$14 = 46
At that point `s_offset` should be 50, correct?
(gdb) print buf+50
$18 = 0x78e4b2 <buf.7798+50> " SIP/2.0\r\nFrom: <sip:(removed)
Hmmm, not sure if that's what's expected.
Now, looking into `process_lumps`:
(gdb) print msg->body_lumps
$1 = (struct lump *) 0x0
OK, can skip that one I assume? For `add_rm`:
(gdb) print *(msg->add_rm)
$2 = {type = HDR_VIA_T, op = LUMP_NOP, u = {offset = 286, subst = 286,
cond = 286, value = 0x11e <Address 0x11e out of bounds>}, len = 0,
before = 0x7f6107e04a30, after = 0x0, next = 0x7f6107e04530,
flags = LUMPFLAG_BRANCH}
(gdb) print *(msg->add_rm->before)
$3 = {type = HDR_VIA_T, op = LUMP_ADD, u = {offset = 132139392,
subst = 132139392, cond = 132139392,
value = 0x7f6107e04980 "Via: SIP/2.0/UDP (removed):5060;branch=z9hG4bKe234.19887526.0\r\n"},
len = 66, before = 0x0, after = 0x0,
next = 0x0, flags = LUMPFLAG_BRANCH}
(gdb) print *(msg->add_rm->next)
$30 = {type = HDR_OTHER_T, op = LUMP_DEL, u = {offset = 530,
subst = 530, cond = 530,
value = 0x212 <Address 0x212 out of bounds>}, len = 66,
before = 0x0, after = 0x0, next = 0x7f6107e04700,
flags = LUMPFLAG_NONE}
(gdb) print *(msg->add_rm->next->next)
$31 = {type = HDR_ROUTE_T, op = LUMP_DEL, u = {offset = 530,
subst = 530, cond = 530,
value = 0x212 <Address 0x212 out of bounds>}, len = 66,
before = 0x0, after = 0x0, next = 0x0, flags = LUMPFLAG_NONE}
---
Reply to this email directly or view it on GitHub:
https://github.com/OpenSIPS/opensips/issues/155#issuecomment-31574619
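The gdb session above walks the add_rm lump chain and arrives at an s_offset 45 bytes past len. What follows is an added example, not OpenSIPS code and not from the poster: a simplified lump applier in C (hypothetical names apply_lumps, find_line, rewrite_demo and bad_offset_demo, with a struct lump whose op/offset/len/before/next fields play the same roles as in the dump) that checks every offset against the read cursor and the buffer length before copying, so a chain that would move the cursor backwards or past len is rejected rather than read. The SIP message and both lump lists are constructed for the example; the second list carries two LUMP_DEL entries at the same offset, the shape visible in the posted chain, and is included only to exercise the check, not as a statement about the cause of the crash.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a lump list. Hypothetical names; this is not
 * OpenSIPS's struct lump or process_lumps(). */
enum lump_op { LUMP_NOP, LUMP_ADD, LUMP_DEL };

struct lump {
    enum lump_op op;
    size_t offset;        /* anchor in the original buffer (NOP/DEL) */
    const char *value;    /* bytes to insert (ADD) */
    size_t len;           /* bytes deleted (DEL) or inserted (ADD) */
    struct lump *before;  /* ADD lumps emitted ahead of this anchor */
    struct lump *next;    /* next anchor, expected in increasing offset order */
};

/* Rebuild buf[0..len) into out while applying the lump list. The read cursor
 * s_offset may never move backwards or past len, and out_cap is never
 * exceeded; returns 0 on success, -1 on any violation. */
int apply_lumps(const char *buf, size_t len, const struct lump *lumps,
                char *out, size_t out_cap, size_t *out_len)
{
    size_t s_offset = 0; /* next byte of buf not yet copied */
    size_t o = 0;        /* bytes written to out */

    for (const struct lump *l = lumps; l; l = l->next) {
        if (l->offset > len || l->offset < s_offset)
            return -1; /* anchor outside the buffer or behind the cursor */
        size_t span = l->offset - s_offset;
        if (span > out_cap - o)
            return -1;
        memcpy(out + o, buf + s_offset, span);
        o += span;
        s_offset = l->offset;

        for (const struct lump *b = l->before; b; b = b->before) {
            if (b->op != LUMP_ADD || b->len > out_cap - o)
                return -1;
            memcpy(out + o, b->value, b->len);
            o += b->len;
        }
        if (l->op == LUMP_DEL) {
            if (l->len > len - s_offset)
                return -1; /* deletion would run past the end of buf */
            s_offset += l->len;
        }
    }
    size_t tail = len - s_offset;
    if (tail > out_cap - o)
        return -1;
    memcpy(out + o, buf + s_offset, tail);
    o += tail;
    if (o < out_cap)
        out[o] = '\0'; /* convenience for callers that print the result */
    *out_len = o;
    return 0;
}

/* Constructed sample request; not taken from the issue. */
static const char msg[] =
    "BYE sip:bob@example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.1:5060;branch=z9hG4bKold\r\n"
    "Route: <sip:proxy.example.invalid;lr>\r\n"
    "From: <sip:alice@example.invalid>;tag=1\r\n"
    "\r\n";

/* Offset and full length (including CRLF) of the first header named `name`. */
static int find_line(const char *buf, const char *name, size_t *off, size_t *n)
{
    const char *p = strstr(buf, name);
    const char *e = p ? strstr(p, "\r\n") : NULL;
    if (!p || !e)
        return -1;
    *off = (size_t)(p - buf);
    *n = (size_t)(e + 2 - p);
    return 0;
}

/* Replace the Via line and drop the Route line: a NOP anchor with an ADD
 * hanging before it, followed by DEL lumps, like the chain in the dump. */
int rewrite_demo(char *out, size_t out_cap, size_t *out_len)
{
    size_t via_off, via_len, route_off, route_len;
    if (find_line(msg, "Via:", &via_off, &via_len) ||
        find_line(msg, "Route:", &route_off, &route_len))
        return -1;
    static const char new_via[] =
        "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bKnew\r\n";
    struct lump add_via   = { LUMP_ADD, 0, new_via, sizeof new_via - 1, NULL, NULL };
    struct lump del_route = { LUMP_DEL, route_off, NULL, route_len, NULL, NULL };
    struct lump del_via   = { LUMP_DEL, via_off, NULL, via_len, NULL, &del_route };
    struct lump anchor    = { LUMP_NOP, via_off, NULL, 0, &add_via, &del_via };
    return apply_lumps(msg, sizeof msg - 1, &anchor, out, out_cap, out_len);
}

/* Two DEL lumps claiming the same bytes: the second would pull the cursor
 * backwards, which apply_lumps refuses instead of reading out of bounds. */
int bad_offset_demo(void)
{
    char out[256];
    size_t n, via_off, via_len;
    if (find_line(msg, "Via:", &via_off, &via_len))
        return -1;
    struct lump del2 = { LUMP_DEL, via_off, NULL, via_len, NULL, NULL };
    struct lump del1 = { LUMP_DEL, via_off, NULL, via_len, NULL, &del2 };
    return apply_lumps(msg, sizeof msg - 1, &del1, out, sizeof out, &n);
}

int main(void)
{
    char out[512];
    size_t n;
    if (rewrite_demo(out, sizeof out, &n) == 0)
        fputs(out, stdout);
    printf("duplicate DEL chain rejected: %s\n",
           bad_offset_demo() == -1 ? "yes" : "no");
    return 0;
}
```

The point of the two demos is the invariant, not the rewrite itself: after every lump the cursor satisfies 0 <= s_offset <= len, so the final tail copy can never read past the terminating byte the poster verified with `print len`.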