#86 [trunk/r5254] crash in dialog/

Milestone: trunk
Status: closed-fixed
Category: modules (454)
Priority: 9
Updated: 2009-02-09
Created: 2009-02-06
Creator: Anonymous
Private: No

(from vasil.kolev@attractel.com)

Turns out that you can pass rpl == FAKED_REPLY (which is -1) to dlg_onreply(), which will in turn try to dereference it and crash. This fixes it for me, if you're interested, I can reproduce the core dump.

This happens when testing presence and related stuff.

--- modules/dialog/dlg_handlers.c (revision 5254)
+++ modules/dialog/dlg_handlers.c (working copy)
@@ -288,24 +288,29 @@
LM_DBG("dialog %p confirmed\n",dlg);

/* get to tag*/
- if ( !rpl->to && ((parse_headers(rpl, HDR_TO_F,0)<0) || !rpl->to) ) {
- LM_ERR("bad reply or missing TO hdr :-/\n");
- tag.s = 0;
- tag.len = 0;
- } else {
- tag = get_to(rpl)->tag_value;
- if (tag.s==0 || tag.len==0) {
- LM_ERR("missing TAG param in TO hdr :-/\n");
+ if ( rpl != FAKED_REPLY){
+ if ( !rpl->to && ((parse_headers(rpl, HDR_TO_F,0)<0) || !rpl->to) ) {
+ LM_ERR("bad reply or missing TO hdr :-/\n");
tag.s = 0;
tag.len = 0;
+ } else {
+ tag = get_to(rpl)->tag_value;
+ if (tag.s==0 || tag.len==0) {
+ LM_ERR("missing TAG param in TO hdr :-/\n");
+ tag.s = 0;
+ tag.len = 0;
+ }
}
+ /* save callee's tag, cseq, contact and record route*/
+ if (populate_leg_info( dlg, rpl, t, DLG_CALLEE_LEG, &tag) !=0) {
+ LM_ERR("could not add further info to the dialog\n");
+ }
+ } else {
+ LM_DBG("FAKED_REPLY detected\n");
+ tag.s = 0;
+ tag.len = 0;
}

- /* save callee's tag, cseq, contact and record route*/
- if (populate_leg_info( dlg, rpl, t, DLG_CALLEE_LEG, &tag) !=0) {
- LM_ERR("could not add further info to the dialog\n");
- }
-
/* set start time */
dlg->start_ts = (unsigned int)(time(0));
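Review bot: the FAKED_REPLY branch leaves the callee leg unpopulated, yet the code still logs "dialog %p confirmed" before the check and goes on to set dlg->start_ts after it, so a dialog reached through a locally generated reply ends up in the confirmed state with an empty callee leg (no tag, cseq, contact or record route). If a faked 2xx should never confirm a dialog, the `rpl != FAKED_REPLY` test belongs before the confirmation log with an early return; if it legitimately can, a comment at the `LM_DBG("FAKED_REPLY detected\n")` line explaining why an incomplete callee leg is acceptable here would save the next reader the same question. Minor style point: the `tag.s = 0; tag.len = 0;` pair is now assigned in three places within the block and could be set once before the `if`.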

Discussion

  • milestone: --> trunk
  • priority: 5 --> 9
  • assigned_to: nobody --> bogdan_iancu
  • status: open --> open-accepted

  • Hi Vasil,

    That is totally correct - thank you for the report and fix. I already applied it on SVN (1.4 and 1.5/head).

    Best regards,
    Bogdan

  • status: open-accepted --> closed-fixed