Re: [SR-Users] [sr-dev] kamailio core at qm_status ( patch required important)
Hello, yes, I'll apply it, just that I was mainly offline these days to had a proper chance to look at it. Thanks for troubleshooting and patching, Daniel On 9/20/12 2:36 PM, Jijo wrote: Hi Daniel, This patch needs to be applied to avoid core. Thanks Jijo On Wed, Sep 19, 2012 at 10:54 AM, Jijo realj...@gmail.com mailto:realj...@gmail.com wrote: Hi All, Finally i found the issue, Here is one of the bad trace for SUBSCRIBE(722bytes) and NOTIFY(1282bytes) which corrupted the memory. The messages came in the order NOTIFY and SUBSCRIBE. The core is generated in a different place but I believe this could be the reason for memory corruption. Here is the trace UDP Process 27294processing NOTIFY and Process 27303processing SUBSCRIBE . The explanation and implementation is below 2012-09-19T02:06:17+01:00 [info] sipserver: [27303] INFO: script: CI=1-3292@10.233.20.152 mailto:CI=1-3292@10.233.20.152 -R39 - Entry R-URI=1234 FD=10.233.20.152 SI=10.233.20.152 2012-09-19T02:06:17+01:00 [info] sipserver: [27294] INFO: script: CI=1-3292@10.233.20.152 mailto:CI=1-3292@10.233.20.152 -R1 - Force LAN socket: tcp:10.233.20.151:5060 http://10.233.20.151:5060 null 2012-09-19T02:06:17+01:00 [info] sipserver: [27303] INFO: script: CI=1-3292@10.233.20.152 mailto:CI=1-3292@10.233.20.152 -R1 - Force LAN socket: tcp:10.233.20.151:5060 http://10.233.20.151:5060 null 2012-09-19T02:06:17+01:00 [err] sipserver: [27303] ERROR: core [tcp_main.c:2357]: tcp_conn_send_put : calling wbufq_add 2012-09-19T02:06:17+01:00 [err] sipserver: [27303] ERROR: core [tcp_main.c:730]: ERROR: wbufq_add(722 bytes): buf:SUBSCRIBE sip:1234@10.233.20.141:5063;transport=tcp SIP/2.0 Record-Route: sip:10.233.20.151;tran 2012-09-19T02:06:17+01:00 [err] sipserver: [27303] ERROR: core [tcp_main.c:747]: ERROR: wbufq_add(722 bytes): first:b00519f4 last:b00519f4 2012-09-19T02:06:17+01:00 [err] sipserver: [27303] ERROR: core [tcp_main.c:774]: ERROR: wbufq_add(2 last free crt_size:722): first:b00519f4 last:b00519f4 2012-09-19T02:06:17+01:00 [err] sipserver: [27294] ERROR: core [tcp_main.c:796]: ERROR: wbufq_insert(1282 bytes): buf:NOTIFY sip:1234@10.233.20.141:5063;transport=tcp SIP/2.0 Record-Route: sip:10.233.20.151;transpo 2012-09-19T02:06:17+01:00 [err] sipserver: [27294] ERROR: core [tcp_main.c:801]: ERROR: wbufq_insert(2 last free ): first:b00519f4 last:b00519f4 2012-09-19T02:06:17+01:00 [err] sipserver: [27294] ERROR: core [tcp_main.c:820]: ERROR: wbufq_insert(22 last free ): first:b00519f4 last:b00519f4 2012-09-19T02:06:17+01:00 [err] sipserver: [27359] ERROR: core [tcp_main.c:887]: ERROR: wbufq_run(3 last free ): first:b00519f4 last:b00519f4 2012-09-19T02:06:17+01:00 [crit] sipserver: [27359] : core [mem/q_malloc.c:157]: BUG: qm_*: fragm. 0xb00519dc (address 0xb00519f4) end overwritten(0, 0)! 2012-09-19T02:06:18+01:00 [alert] sipserver: [27265] ALERT: core [main.c:755]: child process 27359 exited by a signal 11 2012-09-19T02:06:18+01:00 [alert] sipserver: [27265] ALERT: core [main.c:758]: core was generated 2012-09-19T02:06:18+01:00 [info] sipserver: [27265] INFO: core [main.c:770]: INFO: terminating due to SIGCHLD Process 27294(NOTIFY) created the TCP connection structure for destination IP and just before calling wbufq_insert(), context switch happened and process 27303(SUBSCRIBE) got the cpu. Since the connection structure is already available process 27303 add the SUBSCRIBE message(722 bytes) to wbufq. Afterwards process 27294 got the CPU and invoked wbufq_insert() which basically corrupted the memory due to an overflow with the existing implementation. inline static int _wbufq_insert(struct tcp_connection* c, const char* data, unsigned int size) { struct tcp_wbuffer_queue* q; struct tcp_wbuffer* wb; q=c-wbuf_q; if (likely(q-first==0)) /* if empty, use wbufq_add */ return _wbufq_add(c, data, size); : : : : if ((q-first==q-last) ((q-last-b_size-q-last_used)=size)){ /* one block with enough space in it for size bytes */ memmove(q-first-buf+size, q-first-buf, size); memcpy(q-first-buf, data, size); q-last_used+=size; } The above condition shall be true in this case and memmove was moving the pointer which was causing the overflow. memmove(void *dest, const void *src, size_t n); As per the memmove man page, the src shall be copied with size ānā to a temporary buffer and then temporary buffer to dest. dest is q-first-buf+size: which is basically (q-first-buf + NOTIFY MSG SIZE). so the dst will move my 1282 bytes, so we have remaining space of only 818 bytes. src is q-first-buf: which is basically copied to temp buffer with
Re: [SR-Users] [sr-dev] kamailio core at qm_status ( patch required important)
Hi Daniel, This patch needs to be applied to avoid core. Thanks Jijo On Wed, Sep 19, 2012 at 10:54 AM, Jijo realj...@gmail.com wrote: Hi All, Finally i found the issue, Here is one of the bad trace for SUBSCRIBE(722bytes) and NOTIFY(1282bytes) which corrupted the memory. The messages came in the order NOTIFY and SUBSCRIBE. The core is generated in a different place but I believe this could be the reason for memory corruption. Here is the trace UDP Process 27294 processing NOTIFY and Process 27303 processing SUBSCRIBE . The explanation and implementation is below 2012-09-19T02:06:17+01:00 [info] sipserver: [27303] INFO: script: CI=1-3292@10.233.20.152 -R39 - Entry R-URI=1234 FD=10.233.20.152 SI=10.233.20.152 2012-09-19T02:06:17+01:00 [info] sipserver: [27294] INFO: script: CI=1-3292@10.233.20.152 -R1 - Force LAN socket: tcp:10.233.20.151:5060null 2012-09-19T02:06:17+01:00 [info] sipserver: [27303] INFO: script: CI=1-3292@10.233.20.152 -R1 - Force LAN socket: tcp:10.233.20.151:5060null 2012-09-19T02:06:17+01:00 [err] sipserver: [27303] ERROR: core [tcp_main.c:2357]: tcp_conn_send_put : calling wbufq_add 2012-09-19T02:06:17+01:00 [err] sipserver: [27303] ERROR: core [tcp_main.c:730]: ERROR: wbufq_add(722 bytes): buf:SUBSCRIBE sip:1234@10.233.20.141:5063;transport=tcp SIP/2.0 Record-Route: sip:10.233.20.151;tran 2012-09-19T02:06:17+01:00 [err] sipserver: [27303] ERROR: core [tcp_main.c:747]: ERROR: wbufq_add(722 bytes): first:b00519f4 last:b00519f4 2012-09-19T02:06:17+01:00 [err] sipserver: [27303] ERROR: core [tcp_main.c:774]: ERROR: wbufq_add(2 last free crt_size:722): first:b00519f4 last:b00519f4 2012-09-19T02:06:17+01:00 [err] sipserver: [27294] ERROR: core [tcp_main.c:796]: ERROR: wbufq_insert(1282 bytes): buf:NOTIFY sip:1234@10.233.20.141:5063;transport=tcp SIP/2.0 Record-Route: sip:10.233.20.151;transpo 2012-09-19T02:06:17+01:00 [err] sipserver: [27294] ERROR: core [tcp_main.c:801]: ERROR: wbufq_insert(2 last free ): first:b00519f4 last:b00519f4 2012-09-19T02:06:17+01:00 [err] sipserver: [27294] ERROR: core [tcp_main.c:820]: ERROR: wbufq_insert(22 last free ): first:b00519f4 last:b00519f4 2012-09-19T02:06:17+01:00 [err] sipserver: [27359] ERROR: core [tcp_main.c:887]: ERROR: wbufq_run(3 last free ): first:b00519f4 last:b00519f4 2012-09-19T02:06:17+01:00 [crit] sipserver: [27359] : core [mem/q_malloc.c:157]: BUG: qm_*: fragm. 0xb00519dc (address 0xb00519f4) end overwritten(0, 0)! 2012-09-19T02:06:18+01:00 [alert] sipserver: [27265] ALERT: core [main.c:755]: child process 27359 exited by a signal 11 2012-09-19T02:06:18+01:00 [alert] sipserver: [27265] ALERT: core [main.c:758]: core was generated 2012-09-19T02:06:18+01:00 [info] sipserver: [27265] INFO: core [main.c:770]: INFO: terminating due to SIGCHLD Process 27294(NOTIFY) created the TCP connection structure for destination IP and just before calling wbufq_insert(), context switch happened and process 27303(SUBSCRIBE) got the cpu. Since the connection structure is already available process 27303 add the SUBSCRIBE message(722 bytes) to wbufq. Afterwards process 27294 got the CPU and invoked wbufq_insert() which basically corrupted the memory due to an overflow with the existing implementation. inline static int _wbufq_insert(struct tcp_connection* c, const char* data, unsigned int size) { struct tcp_wbuffer_queue* q; struct tcp_wbuffer* wb; q=c-wbuf_q; if (likely(q-first==0)) /* if empty, use wbufq_add */ return _wbufq_add(c, data, size); : : : : if ((q-first==q-last) ((q-last-b_size-q-last_used)=size)){ /* one block with enough space in it for size bytes */ memmove(q-first-buf+size, q-first-buf, size); memcpy(q-first-buf, data, size); q-last_used+=size; } The above condition shall be true in this case and memmove was moving the pointer which was causing the overflow. memmove(void *dest, const void *src, size_t n); As per the memmove man page, the src shall be copied with size ānā to a temporary buffer and then temporary buffer to dest. dest is q-first-buf+size: which is basically (q-first-buf + NOTIFY MSG SIZE). so the dst will move my 1282 bytes, so we have remaining space of only 818 bytes. src is q-first-buf: which is basically copied to temp buffer with NOTIFY SIZE(1282bytes). Finally we are moving the buffer from temporary buffer of size 1282 bytes to buffer which we left with 818 bytes, This basically corrupt the memory and on wbufq_run we see the memory corruption 2012-09-19T02:06:17+01:00 [crit] sipserver: [27359] : core [mem/q_malloc.c:157]: BUG: qm_*: fragm. 0xb00519dc (address 0xb00519f4)