#73 [seas] no check for write overflow in msg_encode

Milestone: trunk
Status: closed-out-of-date
Labels: modules (454)
Priority: 2
Updated: 2015-04-06
Created: 2009-01-09
Creator: Anonymous
Private: No

Hi,
I'm integrating Opensips 1.4.3-tls (integrated with WeSip to use Java SIP Servlet) with Microsoft OCS 2007.
When I receive a NOTIFY from OCS, or sometimes a 200 OK with an XML payload, I experience an error that makes OpenSips and my SIP Servlet stop working.

I found on the internet someone who seems to have a similar problem (but uses a different version of OpenSips); here is the link to the discussion:
http://www.mail-archive.com/devel@lists.opensips.org/msg00007.html

Below you can find the OpenSips log:

Feb 14 16:27:33 asterisk /product/opensips/sbin/opensips[20345]: NOTICE:presence:child_init: init_child [4] pid [20345]
Feb 14 16:27:33 asterisk /product/opensips/sbin/opensips[20356]: NOTICE:presence:child_init: init_child [5] pid [20356]
Feb 14 16:27:33 asterisk /product/opensips/sbin/opensips[20347]: NOTICE:presence:child_init: init_child [-1] pid [20347]
Feb 14 16:27:33 asterisk /product/opensips/sbin/opensips[20343]: NOTICE:presence:child_init: init_child [3] pid [20343]
Feb 14 16:27:33 asterisk /product/opensips/sbin/opensips[20358]: NOTICE:presence:child_init: init_child [6] pid [20358]
Feb 14 16:27:33 asterisk /product/opensips/sbin/opensips[20359]: NOTICE:presence:child_init: init_child [7] pid [20359]
Feb 14 16:27:33 asterisk /product/opensips/sbin/opensips[20362]: NOTICE:presence:child_init: init_child [8] pid [20362]
Feb 14 16:27:33 asterisk /product/opensips/sbin/opensips[20367]: NOTICE:presence:child_init: init_child [-4] pid [20367]
Feb 14 16:27:33 asterisk /product/opensips/sbin/opensips[20330]: NOTICE:presence:child_init: init_child [0] pid [20330]
Feb 14 16:30:59 asterisk /product/opensips/sbin/opensips[20340]: INFO:seas:dispatcher_main_loop: polling [2 ServSock] [1 pipe] [1 App Servers] [0 Uncomplete AS]
Feb 14 16:31:34 asterisk last message repeated 4 times
Feb 14 16:33:05 asterisk last message repeated 12 times
Feb 14 16:33:22 asterisk last message repeated 4 times
Feb 14 16:33:23 asterisk /product/opensips/sbin/opensips[20367]: CRITICAL:core:receive_fd: EOF on 18
Feb 14 16:33:23 asterisk /product/opensips/sbin/opensips[20330]: INFO:core:handle_sigs: child process 20356 exited by a signal 11
Feb 14 16:33:23 asterisk /product/opensips/sbin/opensips[20330]: INFO:core:handle_sigs: core was generated
Feb 14 16:33:23 asterisk /product/opensips/sbin/opensips[20330]: INFO:core:handle_sigs: terminating due to SIGCHLD
Feb 14 16:33:23 asterisk /product/opensips/sbin/opensips[20367]: INFO:core:sig_usr: signal 15 received
Feb 14 16:33:23 asterisk /product/opensips/sbin/opensips[20347]: INFO:core:sig_usr: signal 15 received
Feb 14 16:33:23 asterisk /product/opensips/sbin/opensips[20362]: INFO:core:sig_usr: signal 15 received
Feb 14 16:33:23 asterisk /product/opensips/sbin/opensips[20359]: INFO:core:sig_usr: signal 15 received
Feb 14 16:33:23 asterisk /product/opensips/sbin/opensips[20358]: INFO:core:sig_usr: signal 15 received
Feb 14 16:33:23 asterisk /product/opensips/sbin/opensips[20354]: INFO:core:sig_usr: signal 15 received
Feb 14 16:33:23 asterisk /product/opensips/sbin/opensips[20346]: INFO:seas:seas_sighandler: INFO: signal 15 received
Feb 14 16:33:23 asterisk /product/opensips/sbin/opensips[20345]: INFO:core:sig_usr: signal 15 received
Feb 14 16:33:23 asterisk /product/opensips/sbin/opensips[20343]: INFO:core:sig_usr: signal 15 received
Feb 14 16:33:23 asterisk /product/opensips/sbin/opensips[20341]: INFO:core:sig_usr: signal 15 received
Feb 14 16:33:23 asterisk /product/opensips/sbin/opensips[20338]: INFO:core:sig_usr: signal 15 received
Feb 14 16:33:23 asterisk /product/opensips/sbin/opensips[20340]: INFO:seas:seas_sighandler: INFO: signal 15 received
Feb 14 16:33:26 asterisk /product/opensips/sbin/opensips[20346]: INFO:seas:seas_sighandler: [shootist] Action dispatcher exiting
Feb 14 16:33:26 asterisk /product/opensips/sbin/opensips[20330]: NOTICE:presence:destroy: destroy module ...

Discussion

  • Nobody/Anonymous

    Core Dump and Backtrace below:

    GNU gdb Red Hat Linux (6.3.0.0-1.143.el4rh)
    Copyright 2004 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB. Type "show warranty" for details.
    This GDB was configured as "i386-redhat-linux-gnu"...Using host libthread_db library "/lib/tls/libthread_db.so.1".

    Core was generated by `./opensips -P /var/run/opensips.pid'.
    Program terminated with signal 11, Segmentation fault.
    Reading symbols from /lib/libdl.so.2...done.
    Loaded symbols for /lib/libdl.so.2
    Reading symbols from /lib/libresolv.so.2...done.
    Loaded symbols for /lib/libresolv.so.2
    Reading symbols from /lib/libssl.so.4...done.
    Loaded symbols for /lib/libssl.so.4
    Reading symbols from /lib/libcrypto.so.4...done.
    Loaded symbols for /lib/libcrypto.so.4
    Reading symbols from /lib/tls/libc.so.6...done.
    Loaded symbols for /lib/tls/libc.so.6
    Reading symbols from /lib/ld-linux.so.2...done.
    Loaded symbols for /lib/ld-linux.so.2
    Reading symbols from /usr/lib/libgssapi_krb5.so.2...done.
    Loaded symbols for /usr/lib/libgssapi_krb5.so.2
    Reading symbols from /usr/lib/libkrb5.so.3...done.
    Loaded symbols for /usr/lib/libkrb5.so.3
    Reading symbols from /lib/libcom_err.so.2...done.
    Loaded symbols for /lib/libcom_err.so.2
    Reading symbols from /usr/lib/libk5crypto.so.3...done.
    Loaded symbols for /usr/lib/libk5crypto.so.3
    Reading symbols from /usr/lib/libz.so.1...done.
    Loaded symbols for /usr/lib/libz.so.1
    Reading symbols from /product/opensips/lib/opensips/modules/db_mysql.so...done.
    Loaded symbols for /product/opensips//lib/opensips/modules/db_mysql.so
    Reading symbols from /usr/lib/mysql/libmysqlclient.so.14...done.
    Loaded symbols for /usr/lib/mysql/libmysqlclient.so.14
    Reading symbols from /lib/libcrypt.so.1...done.
    Loaded symbols for /lib/libcrypt.so.1
    Reading symbols from /lib/libnsl.so.1...done.
    Loaded symbols for /lib/libnsl.so.1
    Reading symbols from /lib/tls/libm.so.6...done.
    Loaded symbols for /lib/tls/libm.so.6
    Reading symbols from /product/opensips/lib/opensips/modules/sl.so...done.
    Loaded symbols for /product/opensips//lib/opensips/modules/sl.so
    Reading symbols from /product/opensips/lib/opensips/modules/tm.so...done.
    Loaded symbols for /product/opensips//lib/opensips/modules/tm.so
    Reading symbols from /product/opensips/lib/opensips/modules/rr.so...done.
    Loaded symbols for /product/opensips//lib/opensips/modules/rr.so
    Reading symbols from /product/opensips/lib/opensips/modules/maxfwd.so...done.
    Loaded symbols for /product/opensips//lib/opensips/modules/maxfwd.so
    Reading symbols from /product/opensips/lib/opensips/modules/usrloc.so...done.
    Loaded symbols for /product/opensips//lib/opensips/modules/usrloc.so
    Reading symbols from /product/opensips/lib/opensips/modules/registrar.so...done.
    Loaded symbols for /product/opensips//lib/opensips/modules/registrar.so
    Reading symbols from /product/opensips/lib/opensips/modules/textops.so...done.
    Loaded symbols for /product/opensips//lib/opensips/modules/textops.so
    Reading symbols from /product/opensips/lib/opensips/modules/mi_fifo.so...done.
    Loaded symbols for /product/opensips//lib/opensips/modules/mi_fifo.so
    Reading symbols from /product/opensips/lib/opensips/modules/uri_db.so...done.
    Loaded symbols for /product/opensips//lib/opensips/modules/uri_db.so
    Reading symbols from /product/opensips/lib/opensips/modules/uri.so...done.
    Loaded symbols for /product/opensips//lib/opensips/modules/uri.so
    Reading symbols from /product/opensips/lib/opensips/modules/xlog.so...done.
    Loaded symbols for /product/opensips//lib/opensips/modules/xlog.so
    Reading symbols from /product/opensips/lib/opensips/modules/acc.so...done.
    Loaded symbols for /product/opensips//lib/opensips/modules/acc.so
    Reading symbols from /product/opensips/lib/opensips/modules/seas.so...done.
    Loaded symbols for /product/opensips//lib/opensips/modules/seas.so
    Reading symbols from /product/opensips/lib/opensips/modules/auth.so...done.
    Loaded symbols for /product/opensips//lib/opensips/modules/auth.so
    Reading symbols from /product/opensips/lib/opensips/modules/auth_db.so...done.
    Loaded symbols for /product/opensips//lib/opensips/modules/auth_db.so
    Reading symbols from /lib/libnss_files.so.2...done.
    Loaded symbols for /lib/libnss_files.so.2
    #0 0x080d4921 in fm_malloc (qm=0xb5f26000, size=3656) at mem/f_malloc.c:267
    267 if ((*f)->size>=size) goto found;
    (gdb) bt
    #0 0x080d4921 in fm_malloc (qm=0xb5f26000, size=3656) at mem/f_malloc.c:267
    #1 0x007d326a in build_cell (p_msg=0x81af168) at ../../mem/shm_mem.h:202
    #2 0x007eea86 in t_newtran (p_msg=0x81af168) at t_lookup.c:1000
    #3 0x0073336c in w_as_relay_t (msg=0x81af168, entry=0xb60c3b18 "Ø;\f¶\b", foo=0x0) at seas.c:248
    #4 0x08055183 in do_action (a=0x8199548, msg=0x81af168) at action.c:845
    #5 0x08056d7a in run_action_list (a=0x8199548, msg=0x81af168) at action.c:138
    #6 0x0809e7d1 in eval_expr (e=0x81995b0, msg=0x81af168, val=0x0) at route.c:1104
    #7 0x0809ea35 in eval_expr (e=0x81995d8, msg=0x81af168, val=0x0) at route.c:1417
    #8 0x0809e390 in eval_expr (e=0x8199600, msg=0x81af168, val=0x0) at route.c:1422
    #9 0x0805457e in do_action (a=0x8199828, msg=0x81af168) at action.c:700
    #10 0x08056d7a in run_action_list (a=0x81993d0, msg=0x81af168) at action.c:138
    #11 0x080568e6 in do_action (a=0x8199980, msg=0x81af168) at action.c:717
    #12 0x08056d7a in run_action_list (a=0x8199980, msg=0x81af168) at action.c:138
    #13 0x08057082 in run_top_route (a=0x8199980, msg=0x81af168) at action.c:118
    #14 0x080910c8 in receive_msg (
    buf=0xb60c78a4 "BENOTIFY sip:192.168.5.59:44764;transport=tcp;AppId=.sip2msipGW;ms-received-cid=DC00 SIP/2.0\r\nVia: SIP/2.0/TCP 192.168.71.68;branch=z9hG4bK32C47BE9.10786EAB;branched=FALSE\r\nAuthentication-Info: NTLM r"..., len=2640, rcv_info=0xb60c7840) at receive.c:165
    #15 0x080c0579 in tcp_read_req (con=0xb60c7830, bytes_read=0xbff5e6e4) at tcp_read.c:544
    #16 0x080c101c in handle_io (fm=Variable "fm" is not available.
    ) at tcp_read.c:812
    #17 0x080c3371 in tcp_receive_loop (unix_sock=17) at io_wait.h:727
    #18 0x080bead9 in tcp_init_children (chd_rank=0x815b4c0) at tcp_main.c:1706
    #19 0x0806bb50 in main (argc=3, argv=0xbff5ead4) at main.c:832

     
  • Nobody/Anonymous

    I went deeper into the analysis and found out that the problem was that the SIP message is too long and makes Seas crash.

    I found the parameter ENCODED_MSG_SIZE in "seas.h", which is set to 3200 by default.
    After setting this parameter to a larger value, it seems that all is going fine.

    It seems not a good behavior that the OpenSips server crashes with this kind of message.
    Is it possible to release a patch that fixes this or, for example, makes the maximum size of the payload configurable from the opensips configuration file?

    Thanks in advance,
    Antonio

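The report above points at a fixed encoding buffer (ENCODED_MSG_SIZE, 3200 bytes) that msg_encode writes into without checking the remaining space. The C below is an added, constructed example, not the seas module's code: a length-prefixed encoder (the field format, the names enc_append / msg_encode_checked / build_long_notify and the splitting into header-line fields are all assumptions) in which every write is bounds-checked and fails cleanly, plus a builder for a multi-kilobyte NOTIFY comparable to the 2640-byte request in the backtrace, showing that a message smaller than the buffer can still overflow it once encoded.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration, not the seas module's own code or wire format;
 * the buffer is sized like the ENCODED_MSG_SIZE default of 3200 named above. */
#define ENCODED_MSG_SIZE 3200
struct enc_buf { unsigned char data[ENCODED_MSG_SIZE]; size_t len; };

/* Append one field as a 2-byte big-endian length plus its bytes. Returns -1 and
 * writes nothing when it would not fit, so data[] can never be overrun. */
static int enc_append(struct enc_buf *b, const char *field, size_t flen)
{
    if (flen > 0xFFFF || flen > ENCODED_MSG_SIZE - 2 ||
        b->len > ENCODED_MSG_SIZE - 2 - flen)
        return -1;
    b->data[b->len] = (unsigned char)(flen >> 8);
    b->data[b->len + 1] = (unsigned char)(flen & 0xFF);
    memcpy(b->data + b->len + 2, field, flen);
    b->len += 2 + flen;
    return 0;
}

/* Encode a raw SIP message: the whole message first, then every header line up
 * to the blank line as its own field. Returns the encoded length, or -1 if it
 * does not fit: the encoding is bigger than the raw message, so a request
 * shorter than the buffer (like the 2640-byte one above) can still exceed it. */
static long msg_encode_checked(const char *msg, size_t msglen, struct enc_buf *b)
{
    const char *p = msg, *end = msg + msglen, *eol;
    b->len = 0;
    if (enc_append(b, msg, msglen) < 0)
        return -1;
    for (; p + 1 < end; p = eol + 2) {
        eol = p;
        while (eol + 1 < end && (eol[0] != '\r' || eol[1] != '\n')) eol++;
        if (eol + 1 >= end || eol == p)           /* no CRLF left, or end of headers */
            break;
        if (enc_append(b, p, (size_t)(eol - p)) < 0)
            return -1;
    }
    return (long)b->len;
}

/* Build a constructed NOTIFY of a few KB (request line, repeated header lines,
 * blank line) into out; returns its length, which never exceeds cap. */
static size_t build_long_notify(char *out, size_t cap)
{
    static const char line[] = "X-Presence-Info: constructed-header-value-0123456789\r\n";
    size_t n = (size_t)snprintf(out, cap, "NOTIFY sip:user@example.invalid SIP/2.0\r\n");
    for (; n + sizeof line + 1 <= cap; n += sizeof line - 1)   /* sizeof counts the NUL */
        memcpy(out + n, line, sizeof line - 1);
    memcpy(out + n, "\r\n", 2);
    return n + 2;
}
```

With this shape of check the oversized NOTIFY is rejected with -1 instead of corrupting the heap behind the buffer, which is what later surfaced here as the fm_malloc crash in an unrelated call.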
     
  • Nobody/Anonymous

    Is there any news on this point?
    Thanks in advance
    Antonio

     
  • Sergio Gutierrez

    Hello Antonio.

    Currently we are working on a patch for this. Please give us some time, and we will have some news for you.

    Regards.

    Sergio

     
  • Bogdan-Andrei Iancu

    • assigned_to: nobody --> saguti
    • labels: --> modules
    • milestone: --> trunk
    • status: open --> open-accepted
     
  • Bogdan-Andrei Iancu

    Antonio,

    Sergio is currently working on a fix for this - unfortunately, a proper fix is not trivial, but it will be done by the 1.5 release, next week.

    Regards,
    Bogdan

     
  • Bogdan-Andrei Iancu

    • summary: CRITICAL:core:receive_fd: EOF Error --> [seas] no check for write overflow in msg_encode
     
  • Sergio Gutierrez

    • status: open-accepted --> open-postponed
     
  • Sergio Gutierrez

    Hello Antonio.

    As fixing this bug is not trivial, and it involves a complex rework of the module, I released a temporary workaround statically increasing the buffer size, but a complete fix will be released after testing, in the next development release of OpenSIPS (after 1.5), so I will change the status of this report to postponed.

    If it is possible, we would like to count on your help for testing the complete fix.

    Thanks and regards.

    Sergio G.

     
  • Nobody/Anonymous

    Send me the workaround to try.
    For testing, let me know when the complete fix will be available.

     
  • Sergio Gutierrez

    Hello.

    The fix is available in OpenSIPS 1.4.5 and OpenSIPS 1.5.0. You can try both of them.

    We are still working on the definitive fix; please stay tuned.

    Regards.

    Sergio

     
  • Bogdan-Andrei Iancu

    • priority: 5 --> 2
     
  • Bogdan-Andrei Iancu

    • status: open-postponed --> closed-out-of-date
     
