sr-dev November 2011

sr-dev@lists.kamailio.org

31 participants
340 discussions

[tracker] Comment added: Double Free -- Crash/Coredump and possible security vulnerability

by sip-router

THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY. The following task has a new comment added: FS#173 - Double Free -- Crash/Coredump and possible security vulnerability User who did this - Bayan Towfiq (btowfiq) ---------- Thanks Timo, I will let you know in a few days if crashes have stopped on this test installation. Bayan ---------- More information can be found at the following URL: http://sip-router.org/tracker/index.php?do=details&task_id=173#comment335 You are receiving this message because you have requested it from the Flyspray bugtracking system. If you did not expect this message or don't want to receive mails in future, you can change your notification settings at the URL shown above.

13 years

[tracker] Comment added: Double Free -- Crash/Coredump and possible security vulnerability

by sip-router

THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY. The following task has a new comment added: FS#173 - Double Free -- Crash/Coredump and possible security vulnerability User who did this - Timo Reimann (tr) ---------- I applied patches to master (commit 8ca6de5) and 3.2 (commit baed41) branches that fix a problem with the usage of dialog variables. Details: The flag to indicate that a dialog variable was changed (DLG_FLAG_CHANGED_VARS) was set with the wrong operator (&= as opposed to |=). This caused all other dialog flags to reset, including DLG_FLAG_TM introduced to master/3.2 in order to improve dialog handling of stateless responses. With DLG_FLAG_TM effectively rendered useless, the reference counter would be decremented too many times, thereby causing a double-free. Have you been using dialog variables (possibly indirectly by means of CDR generation in the acc module)? If so, could you try to verify that the bug is fixed in the latest 3.2 branch? ---------- More information can be found at the following URL: http://sip-router.org/tracker/index.php?do=details&task_id=173#comment334 You are receiving this message because you have requested it from the Flyspray bugtracking system. If you did not expect this message or don't want to receive mails in future, you can change your notification settings at the URL shown above.

13 years

git:3.2: dialog(k): Use correct logical operation to enable DLG_FLAG_CHANGED_VARS

by Timo Reimann

Module: sip-router Branch: 3.2 Commit: baed413617a0c9eac9241564708b8330276ef023 URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=baed413… Author: Timo Reimann <sr(a)foo-lounge.de> Committer: Timo Reimann <sr(a)foo-lounge.de> Date: Mon Nov 7 23:36:36 2011 +0100 dialog(k): Use correct logical operation to enable DLG_FLAG_CHANGED_VARS flag. (cherry picked from commit 8ca6de5604ee32076aea5924472f5081a48c99b7) --- modules_k/dialog/dlg_var.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules_k/dialog/dlg_var.c b/modules_k/dialog/dlg_var.c index 310b674..279e719 100644 --- a/modules_k/dialog/dlg_var.c +++ b/modules_k/dialog/dlg_var.c @@ -252,7 +252,7 @@ int set_dlg_variable(struct dlg_cell *dlg, str *key, str *val) if(ret!= 0) goto done; - dlg->dflags &= DLG_FLAG_CHANGED_VARS; + dlg->dflags |= DLG_FLAG_CHANGED_VARS; dlg_unlock(d_table, &(d_table->entries[dlg->h_entry])); if ( dlg_db_mode==DB_MODE_REALTIME ) update_dialog_dbinfo(dlg); @@ -348,7 +348,7 @@ int pv_set_dlg_variable(struct sip_msg* msg, pv_param_t *param, int op, pv_value } /* unlock dialog */ if (dlg) { - dlg->dflags &= DLG_FLAG_CHANGED_VARS; + dlg->dflags |= DLG_FLAG_CHANGED_VARS; dlg_unlock(d_table, &(d_table->entries[dlg->h_entry])); if ( dlg_db_mode==DB_MODE_REALTIME ) update_dialog_dbinfo(dlg);

13 years

git:master: dialog(k): Use correct logical operation to enable DLG_FLAG_CHANGED_VARS

by Timo Reimann

Module: sip-router Branch: master Commit: 8ca6de5604ee32076aea5924472f5081a48c99b7 URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=8ca6de5… Author: Timo Reimann <sr(a)foo-lounge.de> Committer: Timo Reimann <sr(a)foo-lounge.de> Date: Mon Nov 7 23:36:36 2011 +0100 dialog(k): Use correct logical operation to enable DLG_FLAG_CHANGED_VARS flag. --- modules_k/dialog/dlg_var.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules_k/dialog/dlg_var.c b/modules_k/dialog/dlg_var.c index 310b674..279e719 100644 --- a/modules_k/dialog/dlg_var.c +++ b/modules_k/dialog/dlg_var.c @@ -252,7 +252,7 @@ int set_dlg_variable(struct dlg_cell *dlg, str *key, str *val) if(ret!= 0) goto done; - dlg->dflags &= DLG_FLAG_CHANGED_VARS; + dlg->dflags |= DLG_FLAG_CHANGED_VARS; dlg_unlock(d_table, &(d_table->entries[dlg->h_entry])); if ( dlg_db_mode==DB_MODE_REALTIME ) update_dialog_dbinfo(dlg); @@ -348,7 +348,7 @@ int pv_set_dlg_variable(struct sip_msg* msg, pv_param_t *param, int op, pv_value } /* unlock dialog */ if (dlg) { - dlg->dflags &= DLG_FLAG_CHANGED_VARS; + dlg->dflags |= DLG_FLAG_CHANGED_VARS; dlg_unlock(d_table, &(d_table->entries[dlg->h_entry])); if ( dlg_db_mode==DB_MODE_REALTIME ) update_dialog_dbinfo(dlg);

13 years

UAC functions and dialog variables

by Jasmin Schnatterbeck

Hello List, the new dialog variables in 3.2.x make it possible to store arbitrary information associated with a dialog. So what about the ftag parameter in uac? It would be efficient to store the original from-uri in a dialog variable if the dialog is being tracked and this behaviour is enabled by a module parameter. So - regarding extra rr-params - "did" is needed only. The same idea for "uac_replace_to", which could manipulate the to-header in the same way.... Jasmin

13 years

[tracker] Assignee added: Double Free -- Crash/Coredump and possible security vulnerability

by sip-router

THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY. A user has added themself to the list of users assigned to this task. FS#173 - Double Free -- Crash/Coredump and possible security vulnerability User who did this - Bayan Towfiq (btowfiq) http://sip-router.org/tracker/index.php?do=details&task_id=173 You are receiving this message because you have requested it from the Flyspray bugtracking system. If you did not expect this message or don't want to receive mails in future, you can change your notification settings at the URL shown above.

13 years

[tracker] Task opened: Double Free -- Crash/Coredump and possible security vulnerability

by sip-router

THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY. A new Flyspray task has been opened. Details are below. User who did this - Bayan Towfiq (btowfiq) Attached to Project - sip-router Summary - Double Free -- Crash/Coredump and possible security vulnerability Task Type - Bug Report Category - dialog Status - Assigned Assigned To - Timo Reimann Operating System - Linux Severity - Critical Priority - Normal Reported Version - Development Due in Version - Undecided Due Date - Undecided Details - version: kamailio 3.2.0 (x86_64/linux) 639f0a flags: STATS: Off, USE_IPV6, USE_TCP, USE_TLS, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MEM, SHM_MMAP, PKG_MALLOC, DBG_QM_MALLOC, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLACKLIST, HAVE_RESOLV_RES ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 4MB poll method support: poll, epoll_lt, epoll_et, sigio_rt, select. id: 639f0a compiled on 07:18:31 Oct 29 2011 with gcc 4.4.3 Dialog module crashed in kamailio 3.2.0 with the following log error (double free) and below backtrace. This is a potential remote security vulnerability in addition to the crash which is why severity is set to Critical. Please let me know if further information is needed to debug. Nov 6 18:04:33 guru /usr/local/sbin/kamailio[8282]: CRITICAL: dialog [dlg_hash.c:597]: bogus ref -1 with cnt 1 for dlg 0x7f47dbd0eee8 [16086:1982422345] with clid '1124787051_76787956(a)4.55.17.35' and tags 'gK0a13fca4' '' Nov 6 18:04:33 guru /usr/local/sbin/kamailio[8282]: : <core> [mem/q_malloc.c:457]: BUG: qm_free: freeing already freed pointer, first free: dialog: dlg_hash.c: destroy_dlg(217) - aborting Nov 6 18:04:33 guru /usr/local/sbin/kamailio[8294]: : <core> [pass_fd.c:293]: ERROR: receive_fd: EOF on 18 Nov 6 18:04:33 guru /usr/local/sbin/kamailio[8272]: ALERT: <core> [main.c:751]: child process 8282 exited by a signal 6 Nov 6 18:04:33 guru /usr/local/sbin/kamailio[8272]: ALERT: <core> [main.c:754]: core was generated Nov 6 18:05:33 guru /usr/local/sbin/kamailio[8272]: : <core> [main.c:660]: BUG: shutdown timeout triggered, dying... Nov 6 18:05:34 guru init: kamailio main process (8272) killed by ABRT signal Nov 6 18:05:34 guru init: kamailio main process ended, respawning Nov 6 18:05:34 guru kamailio: WARNING: <core> [daemonize.c:352]: pid file contains old pid, replacing pid Full backtrace below: (gdb) bt full #0 0x00007f47f38b3a75 in raise () from /lib/libc.so.6 No symbol table info available. #1 0x00007f47f38b75c0 in abort () from /lib/libc.so.6 No symbol table info available. #2 0x0000000000534708 in qm_free (qm=0x7f47db9be000, p=0x7f47dbe5d3a8, file=0x7f47ec231bef "dialog: dlg_hash.c", func=0x7f47ec231f52 "destroy_dlg", line=217) at mem/q_malloc.c:458 f = 0x7f47dbe5d378 size = <value optimized out> #3 0x00007f47ec218161 in destroy_dlg (dlg=0x7f47dbd0eee8) at dlg_hash.c:217 ret = <value optimized out> __FUNCTION__ = "destroy_dlg" #4 0x00007f47ec21a545 in unref_dlg (dlg=0x7f47dbd0eee8, cnt=0) at dlg_hash.c:597 d_entry = 0x7f47dbcb1c80 #5 0x00007f47f193d5bd in free_cell (dead_cell=0x7f47dbe48920) at h_table.c:175 b = <value optimized out> i = <value optimized out> rpl = <value optimized out> tt = <value optimized out> foo = <value optimized out> cbs = 0x7f47dbcc5970 __FUNCTION__ = "free_cell" #6 0x00007f47f195991b in wait_handler (ti=<value optimized out>, wait_tl=<value optimized out>, data=<value optimized out>) at timer.c:676 p_cell = 0x7f47dbe48920 #7 0x000000000051f4fd in timer_list_expire () at timer.c:894 tl = 0x7f47dbe489a0 ret = <value optimized out> #8 timer_handler () at timer.c:959 saved_ticks = 444520143 run_slow_timer = <value optimized out> #9 timer_main () at timer.c:998 No locals. #10 0x000000000046454f in main_loop () at main.c:1655 i = 8 pid = <value optimized out> si = 0x0 si_desc = "udp receiver child=7 sock=70.167.153.130:5060\000\000\000\000\000@\020", '\000' <repeats 12 times>, "\016\b\000\000\000\000\000\000\000\200\271،*\306v&\000\000\000\000\000\000\000\001\000\000\000\000\000\000\000\300\v\215\000\000\000\000\000\"\000\000\000\000\000\000\000\000\000@\020", '\000' <repeats 11 times> #11 0x0000000000465dd2 in main (argc=11, argv=0x7fff47fcb288) at main.c:2475 cfg_stream = <value optimized out> c = <value optimized out> r = <value optimized out> tmp = 0x7fff47fcbe83 "" tmp_len = 0 port = <value optimized out> proto = <value optimized out> ret = <value optimized out> seed = 1033789824 rfd = <value optimized out> debug_save = 272629760 debug_flag = 34 dont_fork_cnt = 0 n_lst = 0x10400000 p = <value optimized out> (gdb) More information can be found at the following URL: http://sip-router.org/tracker/index.php?do=details&task_id=173 You are receiving this message because you have requested it from the Flyspray bugtracking system. If you did not expect this message or don't want to receive mails in future, you can change your notification settings at the URL shown above.

13 years

[tracker] Task closed: Kamailio 3.2.0 module dialog. Dialog variables not reloaded from db after restart.

by sip-router

THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY. The following task is now closed: FS#172 - Kamailio 3.2.0 module dialog. Dialog variables not reloaded from db after restart. User who did this - Timo Reimann (tr) Reason for closing: Fixed Additional comments about closing: Fixed in master and 3.2 branch. More information can be found at the following URL: http://sip-router.org/tracker/index.php?do=details&task_id=172 You are receiving this message because you have requested it from the Flyspray bugtracking system. If you did not expect this message or don't want to receive mails in future, you can change your notification settings at the URL shown above.

13 years

git:3.2: dialog(k): When restoring dialog variables from database calculate and

by Timo Reimann

Module: sip-router Branch: 3.2 Commit: 9442bf0249cab256c6bc68a219b2c44aee17c916 URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=9442bf0… Author: Timo Reimann <sr(a)foo-lounge.de> Committer: Timo Reimann <sr(a)foo-lounge.de> Date: Sun Nov 6 02:21:08 2011 +0100 dialog(k): When restoring dialog variables from database calculate and set variable string length. - Fixes Flyspray #172. (cherry picked from commit ae76e2183c9966cfe44c0519de7d5a53be08041c) --- modules_k/dialog/dlg_db_handler.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) diff --git a/modules_k/dialog/dlg_db_handler.c b/modules_k/dialog/dlg_db_handler.c index a9b38ef..5e0a7a0 100644 --- a/modules_k/dialog/dlg_db_handler.c +++ b/modules_k/dialog/dlg_db_handler.c @@ -526,7 +526,9 @@ static int load_dialog_vars_from_db(int fetch_num_rows) dlg = (d_table->entries)[VAL_INT(values)].first; while (dlg) { if (dlg->h_id == VAL_INT(values+1)) { - set_dlg_variable_unsafe(dlg, &VAL_STR(values+2), &VAL_STR(values+3)); + str key = { VAL_STR(values+2).s, strlen(VAL_STRING(values+2)) }; + str value = { VAL_STR(values+3).s, strlen(VAL_STRING(values+3)) }; + set_dlg_variable_unsafe(dlg, &key, &value); break; } dlg = dlg->next;

13 years

git:master: dialog(k): When restoring dialog variables from database calculate and

by Timo Reimann

Module: sip-router Branch: master Commit: ae76e2183c9966cfe44c0519de7d5a53be08041c URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=ae76e21… Author: Timo Reimann <sr(a)foo-lounge.de> Committer: Timo Reimann <sr(a)foo-lounge.de> Date: Sun Nov 6 02:21:08 2011 +0100 dialog(k): When restoring dialog variables from database calculate and set variable string length. - Fixes Flyspray #172. --- modules_k/dialog/dlg_db_handler.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) diff --git a/modules_k/dialog/dlg_db_handler.c b/modules_k/dialog/dlg_db_handler.c index a9b38ef..5e0a7a0 100644 --- a/modules_k/dialog/dlg_db_handler.c +++ b/modules_k/dialog/dlg_db_handler.c @@ -526,7 +526,9 @@ static int load_dialog_vars_from_db(int fetch_num_rows) dlg = (d_table->entries)[VAL_INT(values)].first; while (dlg) { if (dlg->h_id == VAL_INT(values+1)) { - set_dlg_variable_unsafe(dlg, &VAL_STR(values+2), &VAL_STR(values+3)); + str key = { VAL_STR(values+2).s, strlen(VAL_STRING(values+2)) }; + str value = { VAL_STR(values+3).s, strlen(VAL_STRING(values+3)) }; + set_dlg_variable_unsafe(dlg, &key, &value); break; } dlg = dlg->next;

13 years

← Newer
1
...
23
24
25
26
27
28
29
...
34
Older →

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

sr-dev November 2011