#96 Crash in dialog module+patch

Milestone: trunk
Status: closed-fixed
Labels: modules (454)
Priority: 9
Updated: 2009-02-26
Created: 2009-02-24
Creator: Vasil Kolev
Private: No

When using the dialog module with realtime db usage, it crashes with the following backtrace:

(gdb) bt
#0 0xb77f9104 in update_dialog_dbinfo (cell=0xb57ba410) at dlg_db_handler.c:511
#1 0xb7800370 in dlg_onreply (t=0xb57b0db8, type=128, param=0xb78c1b34) at dlg_handlers.c:323
#2 0xb789d22b in run_trans_callbacks (type=128, trans=0xb57b0db8, req=0xb57bb6f0, rpl=0xffffffff, code=200) at t_hooks.c:208
#3 0xb78b2cf3 in _reply_light (trans=0xb57b0db8,
buf=0x819f428 "SIP/2.0 200 OK\r\nVia: SIP/2.0/UDP 89.253.129.130:27819;branch=z9hG4bK-d8754z-cb4ec1c38ba46444-1---d8754z-;rport=27819\r\nTo: <sip:vasil.kolev%40securax.org@sip.zoiper.com;transport=UDP>;tag=945b7285134e5"..., len=<value optimized out>, code=200, to_tag=0xb78d2a40 "945b7285134e5709ca8a0d8ffb065070-ab6d", to_tag_len=37, lock=1, bm=0xbfd0106c) at t_reply.c:373
#4 0xb78b3425 in _reply (trans=0xb57b0db8, p_msg=<value optimized out>, code=200, text=0xb77a4b08, lock=1) at t_reply.c:446
#5 0xb78a75ba in w_t_reply (msg=0x819dfb0, str1=0xc8 <Address 0xc8 out of bounds>, str2=0xb77a4b08 ">\az�\002") at tm.c:863
#6 0xb7d5beba in sig_send_reply_mod (msg=0x819dfb0, code=200, reason=0xb77a4b08, to_tag=0xbfd012f8) at signaling.c:178
#7 0xb779708a in send_2XX_reply (msg=0x819dfb0, reply_code=200, lexpire=<value optimized out>, rtag=0xbfd012f8, local_contact=0xbfd01324) at subscribe.c:112
#8 0xb7797d72 in update_subscription (msg=0x819dfb0, subs=0xbfd012c4, init_req=1) at subscribe.c:378
#9 0xb779c72b in handle_subscribe (msg=0x819dfb0, str1=0x0, str2=0x0) at subscribe.c:699
#10 0x08055591 in do_action (a=0x8196618, msg=0x819dfb0) at action.c:961
#11 0x080541e2 in run_action_list (a=0x8196618, msg=0x819dfb0) at action.c:139
#12 0x08056ecd in do_action (a=0x8197550, msg=0x819dfb0) at action.c:705
#13 0x080541e2 in run_action_list (a=0x8197550, msg=0x819dfb0) at action.c:139
#14 0x08057529 in do_action (a=0x81975b8, msg=0x819dfb0) at action.c:711
#15 0x080541e2 in run_action_list (a=0x81960a8, msg=0x819dfb0) at action.c:139
#16 0x08056914 in do_action (a=0x81934e0, msg=0x819dfb0) at action.c:119
#17 0x080541e2 in run_action_list (a=0x81934e0, msg=0x819dfb0) at action.c:139
#18 0x08056ecd in do_action (a=0x8193548, msg=0x819dfb0) at action.c:705
#19 0x080541e2 in run_action_list (a=0x818e390, msg=0x819dfb0) at action.c:139
#20 0x08057ee1 in run_top_route (a=0x818e390, msg=0x819dfb0) at action.c:119
#21 0x0809228c in receive_msg (
buf=0x8164220 "SUBSCRIBE sip:vasil.kolev%40securax.org@sip.zoiper.com;transport=UDP SIP/2.0\r\nVia: SIP/2.0/UDP 89.253.129.130:27819;branch=z9hG4bK-d8754z-cb4ec1c38ba46444-1---d8754z-;rport\r\nMax-Forwards: 69\r\nContact:"..., len=933, rcv_info=0xbfd020a4) at receive.c:165
#22 0x080cdf4b in udp_rcv_loop () at udp_server.c:449
#23 0x0806c3af in main (argc=1, argv=0xbfd02234) at main.c:778

When investigating it, it turned out that cell->bind_addr[DLG_CALLEE_LEG] is NULL, and while trying to dereference that to get the sock_str, it crashes. I added a check and a specific str null_element to update it right.

Also, there was a strange typo in the LM_DBG there, it was using the value from the cell->bind_addr[DLG_CALLEE_LEG]->sock_str, but the length from cell->bind_addr[DLG_CALLER_LEG]->sock_str.

Patch attached (against trunk).
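The two defects the report describes (an unconditional dereference of a per-leg socket pointer that can still be NULL, and a debug line that pairs one leg's string with the other leg's length) are shown below in a reduced model. This is an added example written for this page, not the attached patch or OpenSIPS code: the str and socket_info layouts, the DLG_CALLER_LEG/DLG_CALLEE_LEG values, null_str and the helper names are assumptions chosen to illustrate the shape of the fix.

```c
/* Added example: a simplified model of the NULL dereference described in
 * the ticket. Struct layouts, leg indices, null_str and helper names are
 * assumptions for this example, not the real OpenSIPS definitions. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Stand-in for OpenSIPS's counted string: pointer plus explicit length. */
typedef struct { char *s; int len; } str;

/* Stand-in for the per-socket info a dialog keeps per leg; the real
 * struct carries much more than the printable socket string. */
typedef struct { str sock_str; } socket_info;

enum { DLG_CALLER_LEG = 0, DLG_CALLEE_LEG = 1, DLG_LEGS = 2 };

typedef struct { socket_info *bind_addr[DLG_LEGS]; } dlg_cell;

/* What the fix adds: one shared empty str handed out whenever a leg has no
 * socket yet (the callee leg is not filled in until the dialog confirms). */
static str null_str = { "", 0 };

/* Buggy shape: dereferences bind_addr[leg] unconditionally. With a NULL
 * callee leg this is the crash in update_dialog_dbinfo from the backtrace. */
const str *leg_sock_str_unchecked(const dlg_cell *cell, int leg)
{
    return &cell->bind_addr[leg]->sock_str;   /* NULL deref if leg unset */
}

/* Fixed shape: validate the index and the pointer, fall back to null_str,
 * so every caller receives a usable (s, len) pair for the DB or a log line. */
const str *leg_sock_str(const dlg_cell *cell, int leg)
{
    if (leg < 0 || leg >= DLG_LEGS || cell->bind_addr[leg] == NULL)
        return &null_str;
    return &cell->bind_addr[leg]->sock_str;
}

/* Format both legs as "caller|callee", the way a debug line or a DB column
 * would. Each %.*s takes len and s from the SAME str. Pairing the callee
 * pointer with the caller length (the typo the ticket mentions) would read
 * past the callee string whenever the caller string is the longer one. */
int format_dlg_socks(const dlg_cell *cell, char *buf, size_t size)
{
    const str *caller = leg_sock_str(cell, DLG_CALLER_LEG);
    const str *callee = leg_sock_str(cell, DLG_CALLEE_LEG);
    return snprintf(buf, size, "%.*s|%.*s",
                    caller->len, caller->s, callee->len, callee->s);
}

int main(void)
{
    /* Constructed sample: early dialog, caller leg known, callee leg not yet. */
    socket_info caller = { { "udp:10.0.0.1:5060", 17 } };
    dlg_cell cell = { { &caller, NULL } };
    char buf[64];

    format_dlg_socks(&cell, buf, sizeof buf);
    printf("socks: %s\n", buf);           /* callee side is empty, no crash */
    return 0;
}
```

The check costs nothing on the hot path and turns a remote-triggerable crash of the SIP worker into an empty column value; the length/pointer pairing rule is worth applying to every `%.*s` in the module, not only the one line the report names.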

Discussion

  • Vasil Kolev
    2009-02-24

     
    Attachments
    • priority: 5 --> 9
    • assigned_to: nobody --> bogdan_iancu
    • status: open --> open-accepted
     
  • Hi Vasil,

    it seems like a bug - I will review the patch and apply it asap.

    Thanks and regards,
    Bogdan

     
    • status: open-accepted --> closed-fixed
     
  • Hi Vasil,

    I committed the fix (1.4 + 1.5 versions); the same fix had to be applied in a similar other place.

    Thanks & Regards,
    Bogdan