[OpenSIPS-Devel] [opensips] msg_translator.c:1539 -- segfault due to invalid offset (#155)

Stéphane Alnet notifications at github.com
Sat Jan 4 10:12:35 CET 2014 

    (gdb) up
    #1  0x000000000043e344 in build_req_buf_from_sip_req (
        msg=msg at entry=0x7f6107e03660, 
        returned_len=returned_len at entry=0x7fff7e5ac434, 
        send_sock=send_sock at entry=0x7f6107dec340, proto=<optimized out>, 
        flags=flags at entry=1) at msg_translator.c:1539
    1539	in msg_translator.c

    (gdb) print len
    $36 = 617
    (gdb) print s_offset
    $37 = 662
    (gdb) print offset
    $38 = 582

So `s_offset` is 45 bytes past `len`. I checked and `len` properly points to the last char (`\0`) in `msg->buf`.

Looking right before line 1539:

    (gdb) print msg->first_line.u.request.uri.s-buf
    $7 = 4

OK, that's a BYE, so 4.

    (gdb) print msg->first_line.u.request.uri.len
    $14 = 46

At that point `s_offset` should be 50, correct?

    (gdb) print buf+50
    $18 = 0x78e4b2 <buf.7798+50> " SIP/2.0\r\nFrom: <sip:(removed)

Hmmm, not sure if that's what's expected.

Now, looking into `process_lumps`:

    (gdb) print msg->body_lumps
    $1 = (struct lump *) 0x0

OK, can skip that one I assume? For `add_rm`:

    (gdb) print *(msg->add_rm)
    $2 = {type = HDR_VIA_T, op = LUMP_NOP, u = {offset = 286, subst = 286, 
        cond = 286, value = 0x11e <Address 0x11e out of bounds>}, len = 0, 
      before = 0x7f6107e04a30, after = 0x0, next = 0x7f6107e04530, 
      flags = LUMPFLAG_BRANCH}
    (gdb) print *(msg->add_rm->before)
    $3 = {type = HDR_VIA_T, op = LUMP_ADD, u = {offset = 132139392, 
        subst = 132139392, cond = 132139392, 
        value = 0x7f6107e04980 "Via: SIP/2.0/UDP (removed):5060;branch=z9hG4bKe234.19887526.0\r\n"},
      len = 66, before = 0x0, after = 0x0, 
      next = 0x0, flags = LUMPFLAG_BRANCH}

    (gdb) print *(msg->add_rm->next)
    $30 = {type = HDR_OTHER_T, op = LUMP_DEL, u = {offset = 530, 
        subst = 530, cond = 530, 
        value = 0x212 <Address 0x212 out of bounds>}, len = 66, 
      before = 0x0, after = 0x0, next = 0x7f6107e04700, 
      flags = LUMPFLAG_NONE}

    (gdb) print *(msg->add_rm->next->next)
    $31 = {type = HDR_ROUTE_T, op = LUMP_DEL, u = {offset = 530, 
        subst = 530, cond = 530, 
        value = 0x212 <Address 0x212 out of bounds>}, len = 66, 
      before = 0x0, after = 0x0, next = 0x0, flags = LUMPFLAG_NONE}




---
Reply to this email directly or view it on GitHub:
https://github.com/OpenSIPS/opensips/issues/155#issuecomment-31574619
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/devel/attachments/20140104/156b9999/attachment.htm>

More information about the Devel mailing list