sr-dev November 2011

sr-dev@lists.kamailio.org

31 participants
340 discussions

git:3.2: parser: don't free on error To param linked in to_body struct

by Daniel-Constantin Mierla

Module: sip-router Branch: 3.2 Commit: a56b17e065d175f213688cacd3db3aa88fe48e2a URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=a56b17e… Author: Daniel-Constantin Mierla <miconda(a)gmail.com> Committer: Daniel-Constantin Mierla <miconda(a)gmail.com> Date: Thu Nov 24 17:22:26 2011 +0100 parser: don't free on error To param linked in to_body struct - if a To header parameter was already linked in to_body struct, don't free if there is a parsing error for it later, it will be freed by free_to_params() - reported by Bayan Towfiq in FS#180 (cherry picked from commit 6299704ebb280214f35fc86968d86be972219e51) --- parser/parse_to.c | 36 +++++++++++++++++------------------- 1 files changed, 17 insertions(+), 19 deletions(-) diff --git a/parser/parse_to.c b/parser/parse_to.c index bcd0bd0..cb2ea75 100644 --- a/parser/parse_to.c +++ b/parser/parse_to.c @@ -53,7 +53,7 @@ enum { -#define add_param( _param , _body ) \ +#define add_param( _param , _body , _newparam ) \ do{\ DBG("DEBUG: add_param: %.*s=%.*s\n",param->name.len,ZSW(param->name.s),\ param->value.len,ZSW(param->value.s));\ @@ -62,6 +62,7 @@ enum { (_body)->last_param =(_param);\ if ((_param)->type==TAG_PARAM)\ memcpy(&((_body)->tag_value),&((_param)->value),sizeof(str));\ + _newparam = 0;\ }while(0); @@ -73,11 +74,13 @@ static /*inline*/ char* parse_to_param(char *buffer, char *end, int *returned_status) { struct to_param *param; + struct to_param *newparam; int status; int saved_status; char *tmp; param=0; + newparam=0; status=E_PARA_VALUE; saved_status=E_PARA_VALUE; for( tmp=buffer; tmp<end; tmp++) @@ -99,7 +102,7 @@ static /*inline*/ char* parse_to_param(char *buffer, char *end, case PARA_VALUE_TOKEN: param->value.len = tmp-param->value.s; status = E_PARA_VALUE; - add_param( param , to_b ); + add_param(param, to_b, newparam); break; case F_CRLF: case F_LF: @@ -132,7 +135,7 @@ static /*inline*/ char* parse_to_param(char *buffer, char *end, param->value.len = tmp-param->value.s; saved_status = E_PARA_VALUE; status = F_LF; - add_param( param , to_b ); + add_param(param, to_b, newparam); break; case F_CR: status=F_CRLF; @@ -171,7 +174,7 @@ static /*inline*/ char* parse_to_param(char *buffer, char *end, param->value.len = tmp-param->value.s; saved_status = E_PARA_VALUE; status = F_CR; - add_param( param , to_b ); + add_param(param, to_b, newparam); break; case F_CRLF: case F_CR: @@ -202,7 +205,7 @@ static /*inline*/ char* parse_to_param(char *buffer, char *end, case PARA_VALUE_TOKEN: status = E_PARA_VALUE; param->value.len = tmp-param->value.s; - add_param( param , to_b ); + add_param(param , to_b, newparam); case E_PARA_VALUE: saved_status = status; goto endofheader; @@ -242,7 +245,7 @@ static /*inline*/ char* parse_to_param(char *buffer, char *end, break; case PARA_VALUE_QUOTED: param->value.len=tmp-param->value.s; - add_param( param , to_b ); + add_param(param, to_b, newparam); status = E_PARA_VALUE; break; case F_CRLF: @@ -277,7 +280,7 @@ static /*inline*/ char* parse_to_param(char *buffer, char *end, case PARA_VALUE_TOKEN: param->value.len=tmp-param->value.s; semicolon_add_param: - add_param(param,to_b); + add_param(param, to_b, newparam); case E_PARA_VALUE: param = (struct to_param*) pkg_malloc(sizeof(struct to_param)); @@ -289,6 +292,8 @@ semicolon_add_param: memset(param,0,sizeof(struct to_param)); param->type=GENERAL_PARAM; status = S_PARA_NAME; + /* link to free mem if not added in to_body list */ + newparam = param; break; case F_CRLF: case F_LF: @@ -483,19 +488,19 @@ endofheader: /* parameter without '=', e.g. foo */ param->value.s=0; param->value.len=0; - add_param(param, to_b); + add_param(param, to_b, newparam); saved_status=E_PARA_VALUE; break; case S_PARA_VALUE: /* parameter with null value, e.g. foo= */ param->value.s=tmp; param->value.len=0; - add_param(param, to_b); + add_param(param, to_b, newparam); saved_status=E_PARA_VALUE; break; case PARA_VALUE_TOKEN: param->value.len=tmp-param->value.s; - add_param(param, to_b); + add_param(param, to_b, newparam); saved_status=E_PARA_VALUE; break; case E_PARA_VALUE: @@ -510,7 +515,7 @@ endofheader: return tmp; error: - if (param) pkg_free(param); + if (newparam) pkg_free(newparam); to_b->error=PARSE_ERROR; *returned_status = status; return tmp; @@ -527,15 +532,8 @@ char* parse_to(char* buffer, char *end, struct to_body *to_b) saved_status=START_TO; /* fixes gcc 4.x warning */ status=START_TO; + memset(to_b, 0, sizeof(struct to_body)); to_b->error=PARSE_OK; - to_b->uri.len = 0; - to_b->uri.s= 0; - to_b->display.len = 0; - to_b->display.s = 0; - to_b->tag_value.len = 0; - to_b->tag_value.s = 0; - to_b->param_lst = 0; - to_b->last_param = 0; foo=0; for( tmp=buffer; tmp<end; tmp++)

12 years, 11 months

git:3.2: core: better check for cloned lumps in shared memory

by Daniel-Constantin Mierla

Module: sip-router Branch: 3.2 Commit: 50d96b4fa2b8a8b5998c45dc01f08617606aca8d URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=50d96b4… Author: Daniel-Constantin Mierla <miconda(a)gmail.com> Committer: Daniel-Constantin Mierla <miconda(a)gmail.com> Date: Thu Nov 24 15:26:47 2011 +0100 core: better check for cloned lumps in shared memory - bitwise test for LUMPFLAG_SHMEM (cherry picked from commit 8652f5f5fb2b10210c65b04772064c452608c728) --- data_lump.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) diff --git a/data_lump.c b/data_lump.c index 433ce2f..5016383 100644 --- a/data_lump.c +++ b/data_lump.c @@ -650,7 +650,7 @@ void del_nonshm_lump( struct lump** lump_list ) crt = *lump_list; while (crt) { - if (crt->flags!=LUMPFLAG_SHMEM) { + if (!(crt->flags&LUMPFLAG_SHMEM)) { /* unlink it */ foo = crt; crt = crt->next; @@ -665,7 +665,7 @@ void del_nonshm_lump( struct lump** lump_list ) prev_r = crt; while(r){ foo=r; r=r->after; - if (foo->flags!=LUMPFLAG_SHMEM) { + if (!(foo->flags&LUMPFLAG_SHMEM)) { prev_r->after = r; free_lump(foo); pkg_free(foo); @@ -678,7 +678,7 @@ void del_nonshm_lump( struct lump** lump_list ) prev_r = crt; while(r){ foo=r; r=r->before; - if (foo->flags!=LUMPFLAG_SHMEM) { + if (!(foo->flags&LUMPFLAG_SHMEM)) { prev_r->before = r; free_lump(foo); pkg_free(foo);

12 years, 11 months

git:3.2: textops(k): free only pkg body lumps for set_body()

by Daniel-Constantin Mierla

Module: sip-router Branch: 3.2 Commit: ec8535487fd06e5de7b5efa218f764a6e850b42b URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=ec85354… Author: Daniel-Constantin Mierla <miconda(a)gmail.com> Committer: Daniel-Constantin Mierla <miconda(a)gmail.com> Date: Thu Nov 24 15:30:15 2011 +0100 textops(k): free only pkg body lumps for set_body() - if set_body() is used in failure_route, it should not destroy completely the lumps cloned in tm, just ignore them and free the ones added in failure_route before execution of itself - reported by Brandon Armstead, FS#181 (cherry picked from commit c22a3ec7366ad1a3cc0b5e8229fbabe2c179cca1) --- modules_k/textops/textops.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/modules_k/textops/textops.c b/modules_k/textops/textops.c index f2f89bb..4ebd831 100644 --- a/modules_k/textops/textops.c +++ b/modules_k/textops/textops.c @@ -1254,7 +1254,7 @@ static int set_body_f(struct sip_msg* msg, char* p1, char* p2) return -1; } - free_lump_list(msg->body_lumps); + del_nonshm_lump( &(msg->body_lumps) ); msg->body_lumps = NULL; if (msg->content_length)

12 years, 11 months

git:3.2: tm: backup/restore lump lists for faked requests

by Daniel-Constantin Mierla

Module: sip-router Branch: 3.2 Commit: 6fd2307f66d7207721e6a346d6287a3b9c043107 URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=6fd2307… Author: Daniel-Constantin Mierla <miconda(a)gmail.com> Committer: Daniel-Constantin Mierla <miconda(a)gmail.com> Date: Thu Nov 24 15:28:04 2011 +0100 tm: backup/restore lump lists for faked requests - some cfg functions that can be used in failure_route can destroy the head of lump lists, thus better backup before and restore after failure_route execution (cherry picked from commit b6d90904de590a3f6a95bca8f89cf2521d630902) --- modules/tm/t_reply.c | 13 +++++++++++++ 1 files changed, 13 insertions(+), 0 deletions(-) diff --git a/modules/tm/t_reply.c b/modules/tm/t_reply.c index b7c3a84..90ffa73 100644 --- a/modules/tm/t_reply.c +++ b/modules/tm/t_reply.c @@ -764,6 +764,11 @@ void faked_env( struct cell *t, struct sip_msg *msg) #endif static struct socket_info* backup_si; + static struct lump *backup_add_rm; + static struct lump *backup_body_lumps; + static struct lump_rpl *backup_reply_lump; + + if (msg) { /* remember we are back in request processing, but process * a shmem-ed replica of the request; advertise it in route type; @@ -803,6 +808,10 @@ void faked_env( struct cell *t, struct sip_msg *msg) /* set default send address to the saved value */ backup_si=bind_address; bind_address=t->uac[0].request.dst.send_sock; + /* backup lump lists */ + backup_add_rm = t->uas.request->add_rm; + backup_body_lumps = t->uas.request->body_lumps; + backup_reply_lump = t->uas.request->reply_lump; } else { /* restore original environment */ set_t(backup_t, backup_branch); @@ -819,6 +828,10 @@ void faked_env( struct cell *t, struct sip_msg *msg) xavp_set_list(backup_xavps); #endif bind_address=backup_si; + /* restore lump lists */ + t->uas.request->add_rm = backup_add_rm; + t->uas.request->body_lumps = backup_body_lumps; + t->uas.request->reply_lump = backup_reply_lump; } }

12 years, 11 months

git:3.2: dialog(k): destroy dlg structure first time ref counter gets to 0

by Daniel-Constantin Mierla

Module: sip-router Branch: 3.2 Commit: ae248a3744ab06a61c962415a8ac55a9c53fba82 URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=ae248a3… Author: Daniel-Constantin Mierla <miconda(a)gmail.com> Committer: Daniel-Constantin Mierla <miconda(a)gmail.com> Date: Tue Nov 22 11:30:56 2011 +0100 dialog(k): destroy dlg structure first time ref counter gets to 0 - reported by Bayan Towfix, FS#173 (cherry picked from commit 5949e296b7bafab42a4ac3261f453f286d98e41c) --- modules_k/dialog/dlg_hash.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) diff --git a/modules_k/dialog/dlg_hash.c b/modules_k/dialog/dlg_hash.c index a09e78f..0341143 100644 --- a/modules_k/dialog/dlg_hash.c +++ b/modules_k/dialog/dlg_hash.c @@ -92,6 +92,11 @@ struct dlg_table *d_table = 0; */ #define unref_dlg_unsafe(_dlg,_cnt,_d_entry) \ do { \ + if((_dlg)->ref <= 0 ) { \ + LM_WARN("invalid unref'ing dlg %p with ref %d by %d\n",\ + (_dlg),(_dlg)->ref,(_cnt));\ + break; \ + } \ (_dlg)->ref -= (_cnt); \ LM_DBG("unref dlg %p with %d -> %d\n",\ (_dlg),(_cnt),(_dlg)->ref);\

12 years, 11 months

git:3.2: core: save and restore branch_iterator in print_dset

by Daniel-Constantin Mierla

Module: sip-router Branch: 3.2 Commit: d44956c4f3d5fb98bc2af42d8718a420d624d259 URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=d44956c… Author: Daniel-Constantin Mierla <miconda(a)gmail.com> Committer: Daniel-Constantin Mierla <miconda(a)gmail.com> Date: Thu Nov 24 12:56:28 2011 +0100 core: save and restore branch_iterator in print_dset - safe usage in branch_route where branch_interator is used to add the new brnaches, but some variables can change it if used in config branch_route - closes FS#182, reported by Pawel Sternal (cherry picked from commit c5f101dfac9a50f428e3452893c402d8b1e0400b) --- dset.c | 21 ++++++++++++++++++++- dset.h | 8 ++++++-- 2 files changed, 26 insertions(+), 3 deletions(-) diff --git a/dset.c b/dset.c index f8bb337..4ba5ccf 100644 --- a/dset.c +++ b/dset.c @@ -191,11 +191,21 @@ void init_branch_iterator(void) branch_iterator = 0; } +/** + * return the value of current branch iterator + */ int get_branch_iterator(void) { return branch_iterator; } +/** + * set the value of current branch interator + */ +void set_branch_iterator(int n) +{ + branch_iterator = n; +} /** \brief Get a branch from the destination set @@ -366,6 +376,7 @@ char* print_dset(struct sip_msg* msg, int* len) qvalue_t q; str uri; char* p, *qbuf; + int crt_branch; static char dset[MAX_REDIRECTION_LEN]; if (msg->new_uri.s) { @@ -379,6 +390,9 @@ char* print_dset(struct sip_msg* msg, int* len) *len = 0; } + /* backup current branch index to restore it later */ + crt_branch = get_branch_iterator(); + init_branch_iterator(); while ((uri.s = next_branch(&uri.len, &q, 0, 0, 0, 0))) { cnt++; @@ -394,7 +408,7 @@ char* print_dset(struct sip_msg* msg, int* len) if (*len + 1 > MAX_REDIRECTION_LEN) { LOG(L_ERR, "ERROR: redirection buffer length exceed\n"); - return 0; + goto error; } memcpy(dset, CONTACT, CONTACT_LEN); @@ -445,7 +459,12 @@ char* print_dset(struct sip_msg* msg, int* len) } memcpy(p, CRLF " ", CRLF_LEN + 1); + set_branch_iterator(crt_branch); return dset; + +error: + set_branch_iterator(crt_branch); + return 0; } diff --git a/dset.h b/dset.h index 6f9f067..dfc3083 100644 --- a/dset.h +++ b/dset.h @@ -107,15 +107,19 @@ static inline int ser_append_branch(struct sip_msg* msg, /*! \brief - * Iterate through the list of transaction branches + * Init the index to iterate through the list of transaction branches */ void init_branch_iterator(void); /*! \brief - * Return branch iterator position + * Return branch iterator position */ int get_branch_iterator(void); +/*! \brief + * Set branch iterator position + */ +void set_branch_iterator(int n); /*! \brief Get the next branch in the current transaction. * @return pointer to the uri of the next branch (which the length written in

12 years, 11 months

[tracker] Comment added: DOUBLE FREE / CRASH in parse_to.c

by sip-router

THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY. The following task has a new comment added: FS#180 - DOUBLE FREE / CRASH in parse_to.c User who did this - Bayan Towfiq (btowfiq) ---------- still looks good you can back port to 3.2 & 3.1 ---------- More information can be found at the following URL: http://sip-router.org/tracker/index.php?do=details&task_id=180#comment421 You are receiving this message because you have requested it from the Flyspray bugtracking system. If you did not expect this message or don't want to receive mails in future, you can change your notification settings at the URL shown above.

12 years, 11 months

[tracker] Comment added: Double Free -- Crash/Coredump and possible security vulnerability

by sip-router

THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY. The following task has a new comment added: FS#173 - Double Free -- Crash/Coredump and possible security vulnerability User who did this - Bayan Towfiq (btowfiq) ---------- The dlgnewref has been working well. Please commit/backport the fixes to 3.2 . ---------- More information can be found at the following URL: http://sip-router.org/tracker/index.php?do=details&task_id=173#comment420 You are receiving this message because you have requested it from the Flyspray bugtracking system. If you did not expect this message or don't want to receive mails in future, you can change your notification settings at the URL shown above.

12 years, 11 months

Crash if t_release() is executed after t_relay_to(), when this last returns -1

by José Luis Millán

Hi, Kamailio 3.2 is crashing if t_release() is executed after t_relay_to() returns -1 --- if ! t_relay_to() { t_release(); } --- Error -1 is generated in t_relay_to, in this case, when trying to reach a domainname which hasn't got a DNS record. Here the log of the execution of t_relay_to: ERROR: <core> [resolve.c:1540]: ERROR: sip_hostport2su: could not resolve hostname: "proxy1.jssip.net" ERROR: tm [ut.h:318]: failed to resolve "proxy1.jssip.net" ERROR: tm [t_fwd.c:1528]: ERROR: t_forward_nonack: failure to add branches ERROR: tm [tm.c:1369]: ERROR: w_t_relay_to: t_relay_to failed WARNING: script | uovyxruroybhnsy | call | t_relay(): -1 generic internal error This is the log for the execution of t_release(): <core> [mem/q_malloc.c:457]: BUG: qm_free: freeing already freed pointer, first free: tm: h_table.c: free_cell(157) - aborting ALERT: <core> [main.c:745]: child process 24217 exited by a signal 6 ALERT: <core> [main.c:748]: core was not generated INFO: <core> [main.c:760]: INFO: terminating due to SIGCHLD INFO: <core> [main.c:811]: INFO: signal 15 received Thanks in advance.

12 years, 11 months

SIP-T / SIP-I using Kamailio

by Luis Martin Gil

Hi, I just wanted to know if the Kamailio supports SIP-T or SIP-I. (http://tools.ietf.org/rfc/rfc3372.txt) According to this post, http://lists.kamailio.org/pipermail/users/2009-October/024923.html it is not handled by 2009-Oct. Is the status the same by today? Thanks, Luis Martin

12 years, 11 months

← Newer
1
...
4
5
6
7
8
9
10
...
34
Older →

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

sr-dev November 2011