[OpenSIPS-Users] Possible crash in opensips 2.4
Vitalii Aleksandrov
vitalik.voip at gmail.com
Fri Jan 24 11:25:22 EST 2020
Yesterday I've mentioned that has reproduces one more crash.
Reverted my fix and wanted to reproduce the problem and create properly
filled crash report, but unfortunately failed. Can you just check the
part of code I've seen in core dumps?
fake_req() in modules/tm/t_msgbuilder.h clones sip_msg allocated in shm
and then substitutes some fields with pkg allocated copies.
Here is one of those copy operations:
if (uac->duri.s) {
faked_req->dst_uri.s = pkg_malloc(uac->duri.len);
if (!faked_req->dst_uri.s) {
LM_ERR("out of pkg mem\n");
goto out;
}
memcpy(faked_req->dst_uri.s, uac->duri.s, uac->duri.len);
}
Then free_faked_req() deletes those copies calling pkg_free():
if (faked_req->dst_uri.s) {
pkg_free(faked_req->dst_uri.s);
faked_req->dst_uri.s = NULL;
}
I've had crashes here and there and gdb showed corrupted or overwritten
memory chunks. After switching to QM_MALLOC and enabling DBG_MALLOC I've
got opensips aborted trying to call pkg_free()
for shm allocated memory. It somehow happened that fake_req() hasn't
allocated pkg copy for faked_req->dst_uri.s and it stayed pointing to
shm allocated chunk and then crashed in free_faked_req().
Have no idea why I can't reproduce it anymore. Remember that backtrace
had t_should_relay_responce()->do_dns_failover()->free_faked_req() and
it was a processing of 408 reply for BYE request.
The only thing I'm not sure about is whether I had it before or after
rebasing my code under the latest 2.4 with
cc62f7df728467b8144095767183fedfdf74be8d commit.
Maybe adding safety checks to fake_req() still makes sense to make look
like this:
if (uac->duri.s) {
faked_req->dst_uri.s = pkg_malloc(uac->duri.len);
if (!faked_req->dst_uri.s) {
LM_ERR("out of pkg mem\n");
goto out;
}
memcpy(faked_req->dst_uri.s, uac->duri.s, uac->duri.len);
} else {
faked_req->dst_uri.s = NULL; // <----
faked_req->dst_uri.len = 0; // <----
}
if (uac->path_vec.s) {
faked_req->path_vec.s = pkg_malloc(uac->path_vec.len);
if (!faked_req->path_vec.s) {
LM_ERR("out of pkg mem\n");
goto out2;
}
memcpy(faked_req->path_vec.s, uac->path_vec.s,
uac->path_vec.len);
} else {
faked_req->path_vec.s = NULL; // <---
faked_req->path_vec.len = 0; // <---
}
More information about the Users
mailing list