#288 segfault in pua_dialoginfo module

1.6.x
closed-fixed
Anca Vamanu
modules (454)
8
2010-07-22
2010-05-11
No

Hello,
I regularly get segfaults in opensips 1.6 from svn (2:6840M) with presence enabled. The problem seems to happen when parsing a To header with parameters. Here is the backtrace:

#0 0x080d4fd5 in parse_to (buffer=0x819c9a0 "sip:2032@sipb01.proxy.com;user=phone\r\n", end=0x819c9c7 "", to_b=0xbfe176b8) at parser/parse_to.c:189
189 parser/parse_to.c: No such file or directory.
in parser/parse_to.c
(gdb) bt
#0 0x080d4fd5 in parse_to (buffer=0x819c9a0 "sip:2032@sipb01.proxy.com;user=phone\r\n", end=0x819c9c7 "", to_b=0xbfe176b8) at parser/parse_to.c:189
#1 0xb7995969 in __dialog_sendpublish (dlg=0xafa87fa8, type=32, _params=0xb7b52bc0) at pua_dialoginfo.c:303
#2 0xb7b37876 in run_dlg_callbacks (type=32, dlg=0xafa87fa8, msg=0x81990f4, dir=1, dlg_data=0x0) at dlg_cb.c:253
#3 0xb7b3d476 in dlg_onroute (req=0x81990f4, route_params=0xbfe17b80, param=0x0) at dlg_handlers.c:890
#4 0xb798e7e9 in run_rr_callbacks (req=0x81990f4, rr_params=0xb79913e4) at rr_cb.c:89
#5 0xb7988f52 in after_strict (_m=0x81990f4) at loose.c:734
#6 0xb798be25 in loose_route (_m=0x81990f4, _s1=0x0, _s2=0x0) at loose.c:919
#7 0x08055399 in do_action (a=0x8177710, msg=0x81990f4) at action.c:967
#8 0x08053ecf in run_action_list (a=0x8177710, msg=0x81990f4) at action.c:139
#9 0x080960ba in eval_expr (e=0x817777c, msg=0x81990f4, val=0x0) at route.c:1240
#10 0x08095ca9 in eval_expr (e=0x81777a8, msg=0x81990f4, val=0x0) at route.c:1561
#11 0x08055045 in do_action (a=0x8178618, msg=0x81990f4) at action.c:689
#12 0x08053ecf in run_action_list (a=0x81754ac, msg=0x81990f4) at action.c:139
#13 0x08057db9 in run_top_route (a=0x81754ac, msg=0x81990f4) at action.c:119
#14 0x0808af3c in receive_msg (
buf=0x8146500 "BYE sip:sipb01.proxy.com:5060;nat=yes;ftag=000c30708abe2cf008c97c56-050ad08e;lr=on;did=98.724cd671 SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.0.191:5060\r\nFrom: \"33581319702\" <sip:33581319702@sipb01.proxy.com"..., len=492, rcv_info=0xbfe18574) at receive.c:162
#15 0x080bd952 in udp_rcv_loop () at udp_server.c:492
#16 0x080693c9 in main (argc=9, argv=0xbfe186f4) at main.c:818

The segfault is generated by the following code in parser/parse_to.c (line 189): add_param( param , to_b );
Looks like there is no memory allocated to receive the parameter.

Discussion

    • priority: 5 --> 8
  • Hello,

    I have attached a patch that seems to have solved my 2 most frequent opensips crash causes when using presence. (The patch also contains some code style corrections.)

    Regards,
    - vma
    .

  • Anca Vamanu
    2010-05-28

    • assigned_to: nobody --> anca_vamanu
  • Anca Vamanu
    2010-05-28

    Hi,

    Can you please point me to the lines in the patch that contain the corrections? It is a very long patch with many style corrections and it is hard to dig into.

    Regards,
    Anca

  • Hi Anca,

    I have attached a simplified version of the patch (without the style corrections). Basically, I have added a memset() call before each parse_to() in pua_dialoginfo.c and a NULL check for the 'entity' and 'callid' variables in dialog_publish.c.

    Hope this helps!

    Regards,
    - vma
    .
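To make the crash site in the backtrace at the top of the ticket and the fix described in the comment above concrete, here is a small C model added for this page; it is example code, not OpenSIPS's parser and not the patch from the ticket. struct to_body, struct to_param, add_param and parse_to_params are simplified stand-ins whose shape follows the real parser (a linked parameter list appended through a tail pointer), dialog_publish_entity and param_equals are hypothetical helpers standing in for the pua_dialoginfo/dialog_publish.c call sites, and the header value used as sample input is the one from the backtrace. It goes slightly beyond the report by also accepting flag parameters without a value (such as ";lr").

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins for OpenSIPS's to_param/to_body (example code, not the
 * project's own): the parser hangs a linked list of parameters off the struct. */
struct to_param { char name[32]; char value[64]; struct to_param *next; };
struct to_body {
    char uri[128];
    struct to_param *param_lst;   /* list head */
    struct to_param *last_param;  /* list tail, where the parser appends */
};

/* Append one parameter. Like the real add_param(), this trusts last_param to be
 * NULL or a live node; in a struct the caller never zeroed it is stack garbage,
 * and the write through it is the SIGSEGV at parse_to.c:189 in the backtrace. */
static int add_param(struct to_body *to_b, const char *name, size_t nlen,
                     const char *value, size_t vlen)
{
    struct to_param *p = calloc(1, sizeof *p);
    if (!p || nlen >= sizeof p->name || vlen >= sizeof p->value) {
        free(p);
        return -1;
    }
    memcpy(p->name, name, nlen);
    memcpy(p->value, value, vlen);
    if (to_b->last_param)
        to_b->last_param->next = p;   /* dereferences garbage if uninitialised */
    else
        to_b->param_lst = p;
    to_b->last_param = p;
    return 0;
}

/* Parse "uri;name=value;flag" up to CRLF or NUL. *to_b MUST be zeroed by the
 * caller first. Parameters without '=' (e.g. ";lr") get an empty value. */
int parse_to_params(const char *buffer, struct to_body *to_b)
{
    const char *end = strpbrk(buffer, "\r\n");
    if (!end) end = buffer + strlen(buffer);
    const char *semi = memchr(buffer, ';', (size_t)(end - buffer));
    size_t ulen = (size_t)((semi ? semi : end) - buffer);
    if (ulen == 0 || ulen >= sizeof to_b->uri) return -1;
    memcpy(to_b->uri, buffer, ulen);
    to_b->uri[ulen] = '\0';
    const char *p = semi;
    while (p) {
        p++;                                              /* step over ';' */
        const char *pend = memchr(p, ';', (size_t)(end - p));
        if (!pend) pend = end;
        const char *eq = memchr(p, '=', (size_t)(pend - p));
        size_t nlen = (size_t)((eq ? eq : pend) - p);
        const char *val = eq ? eq + 1 : pend;
        if (nlen == 0 || add_param(to_b, p, nlen, val, (size_t)(pend - val)) < 0)
            return -1;                /* malformed or OOM; caller frees the list */
        p = (pend < end) ? pend : NULL;
    }
    return 0;
}

void free_to_params(struct to_body *to_b)
{
    for (struct to_param *p = to_b->param_lst, *n; p; p = n) { n = p->next; free(p); }
    to_b->param_lst = to_b->last_param = NULL;
}

/* Hardened caller mirroring the ticket's fix: NULL checks on entity and callid,
 * and memset() on the to_body before parsing. Returns the URI length or -1. */
int dialog_publish_entity(const char *to_hdr, const char *callid)
{
    if (!to_hdr || !callid) return -1;      /* the checks added in dialog_publish.c */
    struct to_body to_b;
    memset(&to_b, 0, sizeof to_b);          /* the memset() added before parse_to() */
    int len = parse_to_params(to_hdr, &to_b) == 0 ? (int)strlen(to_b.uri) : -1;
    free_to_params(&to_b);
    return len;
}

/* Lookup helper: 1 if parameter `name` parses to `expect`, else 0. */
int param_equals(const char *hdr, const char *name, const char *expect)
{
    struct to_body to_b;
    memset(&to_b, 0, sizeof to_b);
    int found = 0;
    if (parse_to_params(hdr, &to_b) == 0)
        for (struct to_param *p = to_b.param_lst; p; p = p->next)
            if (!strcmp(p->name, name) && !strcmp(p->value, expect)) found = 1;
    free_to_params(&to_b);
    return found;
}

int main(void)
{
    /* Constructed sample: the To header value from the backtrace above. */
    const char *hdr = "sip:2032@sipb01.proxy.com;user=phone\r\n";
    printf("uri_len=%d user=phone:%d\n", dialog_publish_entity(hdr, "cid-1"),
           param_equals(hdr, "user", "phone"));
    return 0;
}
```

The point of the model is that the parser never initialises its output struct; it only appends through last_param, so a stack to_body that happens to contain zeros works and one that contains leftovers from an earlier call crashes, which is why the bug depends on the call path rather than on the header itself. Zeroing the struct at every call site (as the patch does) or having the parser initialise it removes that dependence; the NULL checks cover the separate case where there is no entity or callid to publish at all.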

    • status: open --> closed-fixed
  • This was fixed by patch 3033002, thanks to Stanislaw Pitucha - see rev 7045 on the 1.6 branch.