[OpenSIPS-Users] Possible crash in opensips 2.4

Răzvan Crainea razvan at opensips.org
Wed Feb 19 14:58:08 EST 2020


Hi, Vitalii!

I had this mail unread for a while to check your report, but apparently 
Dan Pascu detected it and fixed it faster than I could check it[1].
So I can confirm the fix you suggested is OK, and it is now pushed 
upstream. I will backport it down to 2.4.
Just a small suggestion - next time you have a devel related request, 
better post it on the github issue - over there we can categorize the 
issues faster and easier.

[1] https://github.com/OpenSIPS/opensips/issues/1974

Best regards,
Răzvan

On 1/24/20 6:25 PM, Vitalii Aleksandrov wrote:
> Yesterday I've mentioned that has reproduces one more crash.
> 
> Reverted my fix and wanted to reproduce the problem and create properly 
> filled crash report, but unfortunately failed. Can you just check the 
> part of code I've seen in core dumps?
> 
> fake_req() in modules/tm/t_msgbuilder.h clones sip_msg allocated in shm 
> and then substitutes some fields with pkg allocated copies.
> 
> Here is one of those copy operations:
>          if (uac->duri.s) {
>              faked_req->dst_uri.s = pkg_malloc(uac->duri.len);
>              if (!faked_req->dst_uri.s) {
>                  LM_ERR("out of pkg mem\n");
>                  goto out;
>              }
>              memcpy(faked_req->dst_uri.s, uac->duri.s, uac->duri.len);
>          }
> 
> Then free_faked_req() deletes those copies calling pkg_free():
>      if (faked_req->dst_uri.s) {
>          pkg_free(faked_req->dst_uri.s);
>          faked_req->dst_uri.s = NULL;
>      }
> 
> I've had crashes here and there and gdb showed corrupted or overwritten 
> memory chunks. After switching to QM_MALLOC and enabling DBG_MALLOC I've 
> got opensips aborted trying to call pkg_free()
> for shm allocated memory. It somehow happened that fake_req() hasn't 
> allocated pkg copy for faked_req->dst_uri.s and it stayed pointing to 
> shm allocated chunk and then crashed in free_faked_req().
> 
> Have no idea why I can't reproduce it anymore. Remember that backtrace 
> had t_should_relay_responce()->do_dns_failover()->free_faked_req() and 
> it was a processing of 408 reply for BYE request.
> The only thing I'm not sure about is whether I had it before or after 
> rebasing my code under the latest 2.4 with 
> cc62f7df728467b8144095767183fedfdf74be8d commit.
> 
> 
> Maybe adding safety checks to fake_req() still makes sense to make look 
> like this:
>          if (uac->duri.s) {
>              faked_req->dst_uri.s = pkg_malloc(uac->duri.len);
>              if (!faked_req->dst_uri.s) {
>                  LM_ERR("out of pkg mem\n");
>                  goto out;
>              }
>              memcpy(faked_req->dst_uri.s, uac->duri.s, uac->duri.len);
>          } else {
>              faked_req->dst_uri.s = NULL;   // <----
>              faked_req->dst_uri.len = 0;      // <----
>          }
> 
>          if (uac->path_vec.s) {
>              faked_req->path_vec.s = pkg_malloc(uac->path_vec.len);
>              if (!faked_req->path_vec.s) {
>                  LM_ERR("out of pkg mem\n");
>                  goto out2;
>              }
>              memcpy(faked_req->path_vec.s, uac->path_vec.s, 
> uac->path_vec.len);
>          } else {
>              faked_req->path_vec.s = NULL;   // <---
>              faked_req->path_vec.len = 0;      // <---
>          }
> 
> 
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users

-- 
Răzvan Crainea
OpenSIPS Core Developer
   http://www.opensips-solutions.com



More information about the Users mailing list