#583 crash when Content-length too big

ver 1.5.x
open
nobody
None
5
2009-07-07
2009-07-07
Anonymous
No

Recently we encountered some crashes of kamailio 1.5.0 caused by messages with a too big Content-Length value (more than 30000). When the parser in nathelper.c looks for the old and new port it sometimes finds occurrences after the real end of the message. Then the sanity check in del_lump() in data_lump.c finds that either offset or offset+len is greater than msg->len and calls abort().
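An added illustration of the mitigation this report points at (hypothetical C, not Kamailio's nathelper or data_lump code): the body search is bounded by the bytes actually received rather than by the advertised Content-Length, and the del_lump()/anchor_lump() precondition is returned as a verdict instead of calling abort(). The sample INVITE is constructed.

```c
#include <stddef.h>
#include <string.h>

/* Constructed sample: advertised Content-Length (30000) far exceeds the
 * 29-byte body that actually follows the header separator. */
static const char sample_msg[] =
    "INVITE sip:b@example.com SIP/2.0\r\n"
    "Content-Length: 30000\r\n"
    "\r\n"
    "v=0\r\n"
    "m=audio 4000 RTP/AVP 0\r\n";

/* Offset of the body (first byte after "\r\n\r\n"), or -1 if no separator
 * lies within the msg_len bytes received. */
long find_body(const char *msg, size_t msg_len)
{
    for (size_t i = 0; i + 4 <= msg_len; i++)
        if (memcmp(msg + i, "\r\n\r\n", 4) == 0)
            return (long)(i + 4);
    return -1;
}

/* Usable body length: Content-Length clamped to what was received. */
size_t bounded_body_len(size_t msg_len, long body_off, size_t content_length)
{
    size_t avail = (body_off < 0) ? 0 : msg_len - (size_t)body_off;
    return content_length < avail ? content_length : avail;
}

/* Offset (from msg start) of the port digits in "m=audio <port>", or -1.
 * Only [body_off, body_off + bounded length) is ever read, so the result
 * can never point past msg_len the way a Content-Length-sized scan can. */
long find_audio_port(const char *msg, size_t msg_len, size_t content_length)
{
    static const char key[] = "m=audio ";
    const size_t klen = sizeof key - 1;
    long body_off = find_body(msg, msg_len);
    if (body_off < 0) return -1;
    size_t blen = bounded_body_len(msg_len, body_off, content_length);
    for (size_t i = 0; i + klen <= blen; i++)
        if (memcmp(msg + body_off + i, key, klen) == 0)
            return body_off + (long)(i + klen);
    return -1;
}

/* The del_lump() sanity check as a verdict: 1 if [offset, offset+len]
 * lies inside the message, 0 otherwise (caller rejects the lump). */
int lump_in_bounds(size_t offset, size_t len, size_t msg_len)
{
    return offset <= msg_len && len <= msg_len - offset;
}
```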

Discussion

  • Attachments: backtrace and contents of *msg

  • Klaus Darilion
    2009-07-08

    Which exact version are you using? There were some bugfixes recently.

  • 'kamailio -V' says 'kamailio 1.5.0-notls (x86_64/linux)'

  • This should be fixed in 1.5.2 and latest svn, have you tried the latest 1.5 svn branch?

  • Marcus Hunger
    2010-03-01

    I am afraid this issue is not yet fixed. The latest release version (1.5.4-notls (i386/linux)) still produces:
    Mar 1 11:53:12 test02 /usr/sbin/kamailio[5173]: ERROR:core:anchor_lump: offset exceeds message size (1799 > 1783)...
    Mar 1 11:53:12 test02 /usr/sbin/kamailio[5173]: ERROR:nathelper:force_rtp_proxy: anchor_lump failed

    This is reproducible. I even experienced a crash:
    Feb 26 14:58:44 test02 /usr/sbin/kamailio[21020]: CRITICAL:core:del_lump: offset exceeds message size (1186 > 1132) aborting...

    To trigger this, one needs to send an INVITE with a Content-Length bigger than the actual content through force_rtp_proxy.

  • Marcus Hunger
    2010-03-01

    It seems that the ERROR is not really a problem, and the crash happened on 1.5.3.