Hi all, Is this a bug in sofia-sip?
#0 0xffffe410 in __kernel_vsyscall ()
#1 0xb7943640 in raise () from /lib/i686/cmov/libc.so.6
#2 0xb7945018 in abort () from /lib/i686/cmov/libc.so.6
#3 0xb793c5be in __assert_fail () from /lib/i686/cmov/libc.so.6
#4 0xb7f45b50 in sub_alloc (home=0x810fa00, sub=0x810e5e8, size=4294749616, zero=do_malloc) at su_alloc.c:425
#5 0xb7f45d4b in su_alloc (home=0x810fa00, size=-217680) at su_alloc.c:771
#6 0xb7ec6005 in msg_header_alloc (home=0x810fa00, hc=0xb7fa2ec0, extra=-217712) at msg_parser.c:2309
#7 0xb7ec42d6 in msg_header_dup_one (home=0x810fa00, src=0x810d188) at msg_header_copy.c:231
#8 0xb7ec3ead in msg_dup_or_copy_all (msg=0x810fa00, original=<value optimized out>, copy_one=0xb7ec4270 <msg_header_dup_one>) at msg_header_copy.c:507
#9 0xb7ec3fa0 in msg_dup (original=0x810bb00) at msg_header_copy.c:461

My code is just something like:

msg_t *out_msg = NULL;
msg_t *in_msg = NULL;
in_msg = nta_incoming_get_request(irq);
out_msg = msg_dup(in_msg);

The incoming request is an INVITE with a multipart payload.
A deeper debugging shows that it crashes when duplicating the payload part: (gdb) fr 8 #8 0xb7ec3ead in msg_dup_or_copy_all (msg=0x810fa00, original=<value optimized out>, copy_one=0xb7ec4270 <msg_header_dup_one>) at msg_header_copy.c:507 507 h = copy_one(home, sh); (gdb) set print pretty on (gdb) p *sh $15 = { sh_common = {{ h_succ = 0x0, h_prev = 0x80b4be0, h_class = 0xb7fa2ec0, h_data = 0x0, h_len = 0 }}, sh_header_next = {{ shn_common = { h_succ = 0x0, h_prev = 0x80b4be0, h_class = 0xb7fa2ec0, h_data = 0x0, h_len = 0 }, shn_next = 0x0 }}, sh_generic = {{ g_common = {{ h_succ = 0x0, h_prev = 0x80b4be0, h_class = 0xb7fa2ec0, h_data = 0x0, h_len = 0 }}, g_next = 0x0, g_string = 0x810c251 "--MessageBoundary\r\nContent-Type: application/sdp" }}, sh_numeric = {{ x_common = {{ h_succ = 0x0, h_prev = 0x80b4be0, h_class = 0xb7fa2ec0, h_data = 0x0, h_len = 0 }}, x_next = 0x0, x_value = 135316049 }}, sh_list = {{ k_common = {{ h_succ = 0x0, h_prev = 0x80b4be0, h_class = 0xb7fa2ec0, h_data = 0x0, h_len = 0 }}, k_next = 0x0, k_items = 0x810c251 }}, sh_auth = {{ au_common = {{ h_succ = 0x0, h_prev = 0x80b4be0, h_class = 0xb7fa2ec0, h_data = 0x0, h_len = 0 }}, au_next = 0x0, au_scheme = 0x810c251 "--MessageBoundary\r\nContent-Type: application/sdp", au_params = 0xfffcad8f }}, sh_separator = {{ sep_common = {{ h_succ = 0x0, h_prev = 0x80b4be0, h_class = 0xb7fa2ec0, h_data = 0x0, h_len = 0 }}, sep_next = 0x0, sep_data = "Q�\020\b" }}, sh_payload = {{ pl_common = {{ h_succ = 0x0, h_prev = 0x80b4be0, h_class = 0xb7fa2ec0, h_data = 0x0, h_len = 0 }}, pl_next = 0x0, pl_data = 0x810c251 "--MessageBoundary\r\nContent-Type: application/sdp", pl_len = 4294749583 }}, sh_unknown = {{ un_common = {{ h_succ = 0x0, h_prev = 0x80b4be0, h_class = 0xb7fa2ec0, h_data = 0x0, h_len = 0 }}, un_next = 0x0, un_name = 0x810c251 "--MessageBoundary\r\nContent-Type: application/sdp", un_value = 0xfffcad8f <Address 0xfffcad8f out of bounds> }}, sh_error = {{ er_common = {{ h_succ = 0x0, h_prev = 
0x80b4be0, h_class = 0xb7fa2ec0, h_data = 0x0, h_len = 0 }}, er_next = 0x0, er_name = 0x810c251 "--MessageBoundary\r\nContent-Type: application/sdp" }} }

The problem seems to come from *pl_len = 4294749583* in sh_payload, and from several pointers with value 0xfffcad8f, which are out of bounds... Note that 4294749583 is 0xfffcad8f, so those "pointers" are the same word of the union read through other members, and as a signed 32-bit value it is -217713, i.e. a negative payload length. That matches the negative sizes in frames #5 and #6 of the backtrace (extra=-217712, size=-217680), which show up as size=4294749616 in sub_alloc, where the assertion fails. Since the message being duplicated is an incoming request, it looks like the length should be checked before it reaches su_alloc, so that a bad payload is rejected instead of aborting the process.

The content-related headers in the SIP INVITE are:

Content-Type: multipart/mixed;boundary=MessageBoundary
Content-Length: 879
...

Cheers,
-Aleksander