#420 Segmentation fault in push_reply_in_dialog

1.7.x
closed-out-of-date
core (110)
5
2015-04-07
2011-09-19
No

opensips-1.7.0 rev 8357
OS: centos 5.6 x86_64

I am getting a segmentation fault:
#0 0x00002ac79c880dd2 in push_reply_in_dialog (rpl=0x8229b0, t=0x2ac7a2e42b70, dlg=0x2ac7a2e42200, mangled_from=0x7fff31d9c940, mangled_to=0x7fff31d9c930) at dlg_handlers.c:350
350 if ( dlg->legs[leg].tag.len==tag.len &&

---
(gdb) bt
#0 0x00002ac79c880dd2 in push_reply_in_dialog (rpl=0x8229b0, t=0x2ac7a2e42b70, dlg=0x2ac7a2e42200, mangled_from=0x7fff31d9c940, mangled_to=0x7fff31d9c930) at dlg_handlers.c:350
#1 0x00002ac79c8822be in dlg_onreply (t=0x2ac7a2e42b70, type=<value optimized out>, param=<value optimized out>) at dlg_handlers.c:434
#2 0x00002ac79c42f54b in run_trans_callbacks (type=8, trans=0x2ac7a2e42b70, req=0x2ac7a3035fd8, rpl=0x8229b0, code=180) at t_hooks.c:212
#3 0x00002ac79c43c480 in relay_reply (t=0x2ac7a2e42b70, p_msg=0x8229b0, branch=1200, msg_status=180, cancel_bitmap=0x7fff31d9cc28) at t_reply.c:1166
#4 0x00002ac79c43caac in reply_received (p_msg=0x8229b0) at t_reply.c:1512
#5 0x00000000004222fd in forward_reply (msg=0x8229b0) at forward.c:568
#6 0x000000000044fb81 in receive_msg (
buf=0x753020 "SIP/2.0 180 Ringing\r\nVia: SIP/2.0/UDP x.x.x.x;branch=z9hG4bK258b.677fa944.0;i=481\r\nVia: SIP/2.0/TCP y.y.y.y:5060;received=y.y.y.y;branch=z9hG4bK-d8754z-d0ea2355dab67205-1---d8754z-;rpor"...,
len=878, rcv_info=0x7fff31d9cd70) at receive.c:203
#7 0x000000000048f698 in udp_rcv_loop () at udp_server.c:419
#8 0x000000000042a57c in main_loop (argc=<value optimized out>, argv=<value optimized out>) at main.c:885
#9 main (argc=<value optimized out>, argv=<value optimized out>) at main.c:1503

---

(gdb) bt full
#0 0x00002ac79c880dd2 in push_reply_in_dialog (rpl=0x8229b0, t=0x2ac7a2e42b70, dlg=0x2ac7a2e42200, mangled_from=0x7fff31d9c940, mangled_to=0x7fff31d9c930) at dlg_handlers.c:350
tag = {
s = 0x75322a "1174779552\r\nCall-ID: ZTMwNzdhN2M2YjA4ODM4MmRiYTJkOGQ1MDVmNzlhOTA.\r\nCSeq: 1 INVITE\r\nContact: <sip:manager2@89.31.18.41:1026>\r\nAllow: INVITE, INFO, PRACK, ACK, BYE, CANCEL, OPTIONS, NOTIFY, REGISTER, SU"..., len = 10}
contact = {s = 0x2ac7a3171158 "\330w", len = -1668799477}
rr_set = {s = 0x2 <Address 0x2 out of bounds>, len = -1558833544}
leg = 1
skip_rrs = <value optimized out>
__FUNCTION__ = "push_reply_in_dialog"
#1 0x00002ac79c8822be in dlg_onreply (t=0x2ac7a2e42b70, type=<value optimized out>, param=<value optimized out>) at dlg_handlers.c:434
rpl = 0x8229b0
req = 0x2ac7a3035fd8
dlg = 0x2ac7a2e42200
new_state = <value optimized out>
old_state = <value optimized out>
unref = <value optimized out>
event = <value optimized out>
mangled_from = {s = 0x0, len = 0}
mangled_to = {s = 0x0, len = 0}
req_out_buff = 0xb4
__FUNCTION__ = "dlg_onreply"
#2 0x00002ac79c42f54b in run_trans_callbacks (type=8, trans=0x2ac7a2e42b70, req=0x2ac7a3035fd8, rpl=0x8229b0, code=180) at t_hooks.c:212
params = {req = 0x2ac7a3035fd8, rpl = 0x8229b0, code = 180, param = 0x2ac7a2bc9930, extra1 = 0x0, extra2 = 0x0}
cbp = 0x2ac7a2bc9920
backup = 0x763030
trans_backup = 0x2ac7a2e42b70
__FUNCTION__ = "run_trans_callbacks"
#3 0x00002ac79c43c480 in relay_reply (t=0x2ac7a2e42b70, p_msg=0x8229b0, branch=1200, msg_status=180, cancel_bitmap=0x7fff31d9cc28) at t_reply.c:1166
relay = 1200
save_clone = 0
buf = <value optimized out>
res_len = 0
relayed_code = 180
relayed_msg = <value optimized out>
bm = {to_tag_val = {s = 0x1 <Address 0x1 out of bounds>, len = 8530352}}
totag_retr = <value optimized out>
reply_status = RPS_PROVISIONAL
uas_rb = 0x2ac7a2e42c70
cb_s = {s = 0x8229b0 "\002\002\061", len = 8108712}
text = {s = 0x8277a8 "\001", len = 878}
__FUNCTION__ = "relay_reply"
#4 0x00002ac79c43caac in reply_received (p_msg=0x8229b0) at t_reply.c:1512
msg_status = 180
last_uac_status = <value optimized out>
branch = 8587360
reply_status = <value optimized out>
timer = <value optimized out>
cancel_bitmap = 0
uac = 0x2ac7a2e42d48
t = 0x2ac7a2e42b70
backup_list = 0x0
__FUNCTION__ = "reply_received"
#5 0x00000000004222fd in forward_reply (msg=0x8229b0) at forward.c:568
new_buf = <value optimized out>
---Type <return> to continue, or q <return> to quit---
to = <value optimized out>
new_len = <value optimized out>
mod = 0x78b6a0
proto = <value optimized out>
id = <value optimized out>
send_sock = <value optimized out>
len = <value optimized out>
__FUNCTION__ = "forward_reply"
#6 0x000000000044fb81 in receive_msg (
buf=0x753020 "SIP/2.0 180 Ringing\r\nVia: SIP/2.0/UDP x.x.x.x;branch=z9hG4bK258b.677fa944.0;i=481\r\nVia: SIP/2.0/TCP y.y.y.y:5066;received=y.y.y.y;branch=z9hG4bK-d8754z-d0ea2355dab67205-1---d8754z-;rpor"...,
len=878, rcv_info=0x7fff31d9cd70) at receive.c:203
msg = 0x8229b0
start = {tv_sec = 808857653, tv_usec = 7859216}
__FUNCTION__ = "receive_msg"
#7 0x000000000048f698 in udp_rcv_loop () at udp_server.c:419
len = 878
tmp = 0x773c80 "89.31.18.41"
from = <value optimized out>
fromlen = 16
ri = {src_ip = {af = 2, len = 4, u = {addrl = {689053529, 11}, addr32 = {689053529, 0, 11, 0}, addr16 = {8025, 10514, 0, 0, 11, 0, 0, 0}, addr = "Y\037\022)\000\000\000\000\v\000\000\000\000\000\000"}}, dst_ip = {af = 2,
len = 4, u = {addrl = {3947911249, 0}, addr32 = {3947911249, 0, 0, 0}, addr16 = {22609, 60240, 0, 0, 0, 0, 0, 0}, addr = "QXP\353", '\000' <repeats 11 times>}}, src_port = 1026, dst_port = 5060, proto = 1,
proto_reserved1 = 0, proto_reserved2 = 0, src_su = {s = {sa_family = 2, sa_data = "\004\002Y\037\022)\000\000\000\000\000\000\000"}, sin = {sin_family = 2, sin_port = 516, sin_addr = {s_addr = 689053529},
sin_zero = "\000\000\000\000\000\000\000"}, sin6 = {sin6_family = 2, sin6_port = 516, sin6_flowinfo = 689053529, sin6_addr = {in6_u = {u6_addr8 = '\000' <repeats 15 times>, u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0},
u6_addr32 = {0, 0, 0, 0}}}, sin6_scope_id = 0}}, bind_address = 0x77ec10}
p = 0x77e1b0
buf = "SIP/2.0 180 Ringing\r\nVia: SIP/2.0/UDP x.x.x.x;branch=z9hG4bK258b.677fa944.0;i=481\r\nVia: SIP/2.0/TCP y.y.y.y:5066;received=y.y.y.y;branch=z9hG4bK-d8754z-d0ea2355dab67205-1---d8754z-;rpor"...
__FUNCTION__ = "udp_rcv_loop"
#8 0x000000000042a57c in main_loop (argc=<value optimized out>, argv=<value optimized out>) at main.c:885
i = 0
pid = <value optimized out>
si = <value optimized out>
startup_done = 0x0
load_p = <value optimized out>
chd_rank = 4
__FUNCTION__ = "main_loop"
#9 main (argc=<value optimized out>, argv=<value optimized out>) at main.c:1503
cfg_log_stderr = <value optimized out>
cfg_stream = 0x75e65e0
c = <value optimized out>
r = <value optimized out>
tmp = 0x4e3eb7 "H\215\005Ba$"
tmp_len = <value optimized out>
port = 0
proto = <value optimized out>
ret = <value optimized out>
seed = 4171048114
rfd = <value optimized out>
__FUNCTION__ = "main"

Discussion

  • Vladut-Stefan Paiu

    Hello,

    In frame 0, can you please run
    p *dlg
    p leg
    p dlg->legs_no[0]
    p dlg->legs_no[1]

    and paste the output here?

    Regards,
    Vlad

     
  • Sergey Lavrov

    Sergey Lavrov - 2011-09-20

    (gdb) frame 0
    #0 0x00002ac79c880dd2 in push_reply_in_dialog (rpl=0x8229b0, t=0x2ac7a2e42b70, dlg=0x2ac7a2e42200, mangled_from=0x7fff31d9c940, mangled_to=0x7fff31d9c930) at dlg_handlers.c:350
    350 if ( dlg->legs[leg].tag.len==tag.len &&
    (gdb) p *dlg
    $1 = {ref = 2, next = 0x0, prev = 0x0, h_id = 1446169044, h_entry = 2075, state = 2, lifetime = 43200, start_ts = 0, flags = 16, from_rr_nb = 0, user_flags = 0, tl = {next = 0x0, prev = 0x0, timeout = 0}, pl = 0x0, callid = {
    s = 0x2ac7a2e422b8 "ZTMwNzdhN2M2YjA4ODM4MmRiYTJkOGQ1MDVmNzlhOTA.sip:xxxx@x.x.x.x:5066sip:yyy@yyyyyyyyyForwards: 70\r\nReason: SIP;cause=487;text=ORIGINATOR_CANCEL\r\nUser-Agent: SIP Gateway\r\nCo"..., len = 44}, from_uri = {s = 0x2ac7a2e422e4 "sip:xxxx@x.x.x.x:5066sip:yyy@yyyyyyyyyForwards: 70\r\nReason: SIP;cause=487;text=ORIGINATOR_CANCEL\r\nUser-Agent: SIP Gateway\r\nContent-Length: 0\r\n\r\n",
    len = 33}, to_uri = {s = 0x2ac7a2e42305 "sip:yyy@yyyyyyyyyForwards: 70\r\nReason: SIP;cause=487;text=ORIGINATOR_CANCEL\r\nUser-Agent: SIP Gateway\r\nContent-Length: 0\r\n\r\n", len = 36}, legs = 0x0,
    legs_no = "\002\004\000", cbs = {first = 0x2ac7a2b4e628, types = 2184}, profile_links = 0x0, vals = 0x0}
    (gdb) p leg
    $2 = 1
    (gdb) p dlg->legs_no[0]
    $3 = 2 '\002'
    (gdb) p dlg->legs_no[1]
    $4 = 4 '\004'

     
  • Bogdan-Andrei Iancu

    • assigned_to: nobody --> vladut-paiu
     
  • Bogdan-Andrei Iancu

    • status: open --> closed-out-of-date
     
