
#576 Segfaults in dialog_update_db

Milestone: ver 1.5.x
Status: open
Owner: nobody
Labels: modules (357)
Priority: 5
Updated: 2009-05-28
Created: 2009-05-28
Private: No

dialog_update_db() is very crashy. It doesn't do any sanity checks on pointers and as a consequence crashes a lot.

I've seen at least 2 occasions on which it crashes:

1) Calling dlg_manage() on a non-invite message

2) Worse, on an invalid message. When a 200 OK is missing a contact header, I get error messages from populate_leg_info():
ERROR:dialog:populate_leg_info: bad sip message or missing Contact hdr
ERROR:dialog:dlg_onreply: could not add further info to the dialog

But afterwards dialog_update_db segfaults on an invalid bind_addr, from the backtrace:

(gdb) bt
#0 0xb783c41a in dialog_update_db (ticks=771000, param=0x0) at dlg_db_handler.c:629
#1 0x080a9726 in start_timer_processes () at timer.c:282
#2 0x08069b38 in main (argc=10, argv=0xbfc6f2d4) at main.c:816

Line 629 in my version is: SET_STR_VALUE(values+8, cell->bind_addr[DLG_CALLEE_LEG]->sock_str);

(gdb) bt full
<snip>
{type = DB_STR, nul = 0, free = -1282894544, val = {int_val = 178, ll_val = -5201380350948802382, double_val = -7.7990737395388139e-40, time_val = 178, string_val = 0xb2 "", str_val = {s = 0xb2 "", len = -1211040735}, blob_val = {s = 0xb2 "", len = -1211040735}, bitmap_val = 178}}
<snip>
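As an added illustration (not the dialog module's own code), a simplified C model of the crashy pattern at line 629 beside a checked version: the struct names, the DB row stand-in and the sock_str values are constructed assumptions, and the checked function refuses to write a row when a leg was never populated instead of dereferencing a NULL bind_addr.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the dialog cell and socket types (assumed, not the project's). */
#define DLG_CALLER_LEG 0
#define DLG_CALLEE_LEG 1

struct socket_info { const char *sock_str; };

struct dlg_cell {
    /* stays NULL for a leg when populate_leg_info() failed, e.g. 200 OK without Contact */
    struct socket_info *bind_addr[2];
};

/* Stand-in for the DB row being assembled by the timer callback. */
struct db_row {
    const char *caller_sock;
    const char *callee_sock;
    int rows_written;
};

/* Crashy form of the reported line: unconditional dereference, NULL bind_addr segfaults. */
static const char *callee_sock_unchecked(const struct dlg_cell *cell) {
    return cell->bind_addr[DLG_CALLEE_LEG]->sock_str;
}

/* Checked form: an incomplete dialog yields -1 and no DB write, so the timer process
 * can log the cell and carry on rather than taking down the whole server. */
static int dialog_update_db_row(const struct dlg_cell *cell, struct db_row *row) {
    if (cell == NULL || row == NULL)
        return -1;
    for (int leg = DLG_CALLER_LEG; leg <= DLG_CALLEE_LEG; leg++)
        if (cell->bind_addr[leg] == NULL || cell->bind_addr[leg]->sock_str == NULL)
            return -1;          /* leg never populated: skip, do not dereference */
    row->caller_sock = cell->bind_addr[DLG_CALLER_LEG]->sock_str;
    row->callee_sock = cell->bind_addr[DLG_CALLEE_LEG]->sock_str;
    row->rows_written++;
    return 0;
}

/* Walk all dialogs the way the timer does; returns how many rows were written. */
static int update_all(struct dlg_cell *cells, int n, struct db_row *row) {
    int ok = 0;
    for (int i = 0; i < n; i++)
        if (dialog_update_db_row(&cells[i], row) == 0)
            ok++;
    return ok;
}
```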

Discussion

  • Daniel-Constantin Mierla

    Can you check latest svn? I added some safety checks ... still code to review, though...

  • Alex Hermann

    Alex Hermann - 2009-11-10

    I haven't had any crashes recently, so it seems fixed. I haven't, however, tried calling dlg_manage() on an INVITE anymore.
