[SR-Users] Kamailio 1.5.4 crash

2010-08-30 Thread gwillingham



Kamailio 1.5.4 crashes with the following backtrace. 



(gdb) bt
#0  free_to_params (tb=0x79ffc0) at parser/parse_to.c:79
#1  free_to (tb=0x79ffc0) at parser/parse_to.c:88
#2  0x0047fe82 in clean_hdr_field (hf=0x2b32776ec6a0) at parser/hf.c:187
#3  0x2b327492f525 in clean_msg_clone (type=<value optimized out>, trans=<value optimized out>, req=0x2b32776eb510, rpl=0x79f220, code=<value optimized out>) at sip_msg.h:54
#4  run_trans_callbacks (type=<value optimized out>, trans=<value optimized out>, req=0x2b32776eb510, rpl=0x79f220, code=<value optimized out>) at t_hooks.c:245
#5  0x2b3274949a1d in relay_reply (t=0x2b32776ed130, p_msg=0x79f220, branch=<value optimized out>, msg_status=200, cancel_bitmap=0x7fff5438ecf8) at t_reply.c:1163
#6  0x2b327494a123 in reply_received (p_msg=0x79f220) at t_reply.c:1511
#7  0x0041f08b in forward_reply (msg=0x79f220) at forward.c:576
#8  0x00445453 in receive_msg (
    buf=0x719200 SIP/2.0 200 OK\r\nVia: SIP/2.0/UDP xxx.xxx.xxx.114;branch=z9hG4bKb415.46c549d2.0\r\nVia: SIP/2.0/UDP xx.xxx.xx.xxx:5060;received=xxx.xxx.xx.xxx;branch=z9hG4bK6cd2ebfb;rport=5060\r\nRecord-Route: sip:xxx.xxx.xxx.x..., len=1106, rcv_info=0x7fff5438ede0) at receive.c:212
#9  0x004795ee in udp_rcv_loop () at udp_server.c:449
#10 0x0042774e in main_loop (argc=3, argv=0x7fff5438eff8) at main.c:774
#11 main (argc=3, argv=0x7fff5438eff8) at main.c:1321





This is occurring on a CentOS box, 2.6.18-164.11.1.el5 #1 SMP Wed Jan 20 
07:32:21 EST 2010 x86_64 x86_64 x86_64 GNU/Linux 





The really strange thing is the source of the problem appears to be in 
clean_hdr_field (hf=0x2b32776ec6a0) at parser/hf.c:187 



void clean_hdr_field(struct hdr_field* hf)
{
    if (hf->parsed){
        switch(hf->type){

...

        case HDR_RPID_T:
            free_to(hf->parsed);
            break;

...



output from gdb shows hf->parsed to be NULL, however the call to 
free_to(hf->parsed) is being called, from there bad things happen. 



Thanks in advance. 

Gene 



___
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users


Re: [SR-Users] Kamailio 1.5.4 crash

2010-08-30 Thread Alex Balashov

On 08/30/2010 11:33 AM, gwilling...@comcast.net wrote:


> output from gdb shows hf->parsed to be NULL, however the call to
> free_to(hf->parsed) is being called, from there bad things happen.


Sounds like a double free(), or a free() of something that was never 
allocated.


--
Alex Balashov - Principal
Evariste Systems LLC
1170 Peachtree Street
12th Floor, Suite 1200
Atlanta, GA 30309
Tel: +1-678-954-0670
Fax: +1-404-961-1892
Web: http://www.evaristesys.com/
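
An added example, not part of the thread and not Kamailio code: the two failure modes named in the reply above (a second free of the same parsed body, and a free of a body that was never allocated) both pass an `if (hf->parsed)` style guard, because the guard only rejects NULL. The structs are simplified stand-ins and the tracking pool allocator (`t_alloc`, `t_free`) is an assumption made so that bad frees are counted instead of corrupting the heap.

```c
#include <stdio.h>

/* Hypothetical, simplified stand-ins; not Kamailio's real structures. */
struct to_param { struct to_param *next; };
struct to_body { struct to_param *param_lst; };
struct hdr_field { void *parsed; };

/* Tracking allocator (assumption for the demo): a static pool, so a bad
 * free is counted instead of corrupting the real heap. */
#define SLOTS 8
static union { struct to_param p; struct to_body b; } pool[SLOTS];
static int live[SLOTS], bad_frees;

static void *t_alloc(void) {
    for (int i = 0; i < SLOTS; i++)
        if (!live[i]) { live[i] = 1; return &pool[i]; }
    return NULL;
}
static void t_free(void *p) {
    for (int i = 0; i < SLOTS; i++)
        if (p == (void *)&pool[i] && live[i]) { live[i] = 0; return; }
    bad_frees++; /* already freed, or never came from t_alloc() */
}
static void free_to(struct to_body *tb) {
    struct to_param *tp = tb->param_lst, *next;
    for (; tp; tp = next) { next = tp->next; t_free(tp); }
    t_free(tb);
}
/* Same NULL guard as the excerpt; reset controls clearing the pointer. */
static void clean_hdr(struct hdr_field *hf, int reset) {
    if (hf->parsed) {
        free_to(hf->parsed);
        if (reset) hf->parsed = NULL;
    }
}
/* Clean one header twice; returns the number of bad frees. */
int double_clean(int reset) {
    struct to_body *tb = t_alloc();
    struct hdr_field hf = { tb };
    tb->param_lst = t_alloc();
    tb->param_lst->next = NULL;
    bad_frees = 0;
    clean_hdr(&hf, reset);
    clean_hdr(&hf, reset);
    return bad_frees;
}
/* Clean a header whose parsed body never came from the allocator. */
int clean_foreign(void) {
    struct to_body on_stack = { NULL };
    struct hdr_field hf = { &on_stack };
    bad_frees = 0;
    clean_hdr(&hf, 1);
    return bad_frees;
}
int main(void) {
    printf("%d %d %d\n", double_clean(0), double_clean(1), clean_foreign());
    return 0;
}
```

Clearing the pointer after cleanup makes a repeated cleanup harmless, but it does nothing for a non-NULL pointer that was never a valid allocation.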



Re: [SR-Users] Kamailio 1.5.4 crash

2010-08-30 Thread Henning Westerholt
On Monday 30 August 2010, Alex Balashov wrote:
> On 08/30/2010 11:33 AM, gwilling...@comcast.net wrote:
> > output from gdb shows hf->parsed to be NULL, however the call to
> > free_to(hf->parsed) is being called, from there bad things happen.
>
> Sounds like a double free(), or a free() of something that was never
> allocated.

Hello Gene,

1.5.4 was released in February, I think - do you use the version from tar.gz? 
I've checked the file in question, there was one fix in the last month:

r6036 | miconda | 2010-07-30 20:18:33 +0200 (Fr, 30 Jul 2010) | 4 lines
- fix off-by-one bug for quoted parameter values in parse_to
- patch by Alex Hermann, SF#3035382

which maybe could help you here. I'd suggest that you extract the SIP message 
in question from the backtrace (receive_msg, buf) and then try to reproduce 
the crash. If it crashes again, just update to the latest 1.5 branch state, and 
see if it crashes again. It contains some more fixes, one or two also could 
cause crashes in some special conditions.

Cheers,

Henning



Re: [SR-Users] Kamailio 1.5.4 crash

2010-08-30 Thread Iñaki Baz Castillo
2010/8/30  gwilling...@comcast.net:
> We were experiencing the issue with 1.5.4 released version, we upgraded from
> svn and the issue still persists.  I have a backtrace from both versions.
>
> I agree it is a free of a null pointer, but the if(hf->parsed) should be the
> test for NULL, and only execute code if not NULL.  However this test is
> failing.

Do you have a SIP flow/trace to reproduce the crash?

-- 
Iñaki Baz Castillo
i...@aliax.net
