<p>I found a crashed OpenSIPS process with the following backtrace:</p>
<pre><code>(gdb) bt
#0 tcp_read_req (con=con@entry=0xa773e948, bytes_read=bytes_read@entry=0xbfb3b8cc) at tcp_read.c:711
#1 0x080e08a2 in handle_io (fm=0x99015c8, idx=idx@entry=-1, event_type=event_type@entry=1) at tcp_read.c:1036
#2 0x080e271c in io_wait_loop_epoll (repeat=<optimized out>, h=<optimized out>, t=<optimized out>)
at io_wait.h:867
#3 tcp_receive_loop (unix_sock=72) at tcp_read.c:1144
#4 0x080dc690 in tcp_init_children (chd_rank=chd_rank@entry=0x81e362c, startup_done=startup_done@entry=0x0)
at tcp_main.c:2378
#5 0x0805db02 in main_loop () at main.c:1011
#6 main (argc=11, argv=0xbfb3bbf4) at main.c:1612
</code></pre>
<p>I inspected the code and found a path which leads to the problem. If the code entered <a href="https://github.com/OpenSIPS/opensips/blob/1.11/tcp_read.c#L704">this if</a> <code>req</code> points to freed memory, so <a href="https://github.com/OpenSIPS/opensips/blob/1.11/tcp_read.c#L711">this</a> causes the crash.</p>
<p>I think we need to jump to <code>end_req</code> right after freeing the request, but I'm not that familiar with the code to provide a patch.</p>
<p>Something does look a bit strange to me: if <code>size</code> was 0 (which is the case), then <a href="https://github.com/OpenSIPS/opensips/blob/1.11/tcp_read.c#L678-L695">this</a> code path was followed, which means <code>release_tcpconn</code> was called. But when <code>tcp_read_req</code> returns (if it does so with an error) <a href="https://github.com/OpenSIPS/opensips/blob/1.11/tcp_read.c#L1036-L1045">this code</a> will call <code>release_tcpconn</code> again.</p>
<p>As a side note, <code>release_tcpconn</code> shoudl probably set the <code>fd</code> attribute on the connection to -1 after closing it <a href="https://github.com/OpenSIPS/opensips/blob/1.11/tcp_read.c#L451">here</a>.</p>
<p>Unfortunately I cannot reproduce the issue, it's the first time I've seen it, and we've been running 1.11 in production on sip2sip.info for quite a while, always with async TCP enabled.</p>
<p style="font-size:small;-webkit-text-size-adjust:none;color:#666;">—<br>Reply to this email directly or <a href="https://github.com/OpenSIPS/opensips/issues/813">view it on GitHub</a>.<img alt="" height="1" src="https://github.com/notifications/beacon/AFOciZ5pqpqJTITiR70nHG2-XzS0A6E5ks5potsTgaJpZM4HlWvm.gif" width="1" /></p>
<div itemscope itemtype="http://schema.org/EmailMessage">
<div itemprop="action" itemscope itemtype="http://schema.org/ViewAction">
<link itemprop="url" href="https://github.com/OpenSIPS/opensips/issues/813"></link>
<meta itemprop="name" content="View Issue"></meta>
</div>
<meta itemprop="description" content="View this Issue on GitHub"></meta>
</div>