Continued from issue:
#1583

Say you have a kamailio config file with variables ordered as A(int),B(int),C(string),D(int) – (all belonging to the same group).
Kamailio first creates a linked list of these variables in a given group and calculates the group size as follows actual code):

Pseudo-code
---------------------------------------------------------------------------------------------
group->size = 0
group->vars = null // the pointer to the head of the linked list of variables
create_group_linked_list:
    for variable in group:
        if variable is integer:
            round up group_size to the nearest 4 byte multiple
            group_size += sizeof(int)
        if variable is string:
            round up group_size to the nearest 8 byte multiple
            group_size += sizeof(str) //str is a kamailio type (size 16 in our C++ compiler)
        if group->vars is null:
            group->vars = variable
        else
            variables->next = group->vars
            group->vars = variable
---------------------------------------------------------------------------------------------
Linked list creation
 
 
NULL
group->size 0
 
 
A(int)
group->size 4
 
 
B(int) -> A
group->size 8
 
 
C(string) -> B -> A
group->size 24
 
 
D(int) -> C -> B -> A
group->size 28

However, this linked list is not used as is. it is copied to a single shared memory block for all child processes.
This is done in the cfg_shmize() which further calls cfg_script_fixup()
Basically, the function goes through the linked list of variables created above and calculates the offset of each variable in the memory block assuming that the offset of the first variable is 0.
Following is the pseudo-code of what cfg_script_fixup() does for the linked list and offset calculation:

Pseudo-code
--------------------------------------------------------------------------------------------
offset = 0
node = group->vars:
while node != null:
    if node's value is int:
        round up offset to nearest multiple of 4
        node->offset = offset
        offset += sizeof(int)
    if node's value is str:
        round up offset to nearest multiple of 8
        node->offset = offset
        offset += sizeof(str)
    node = node -> next
--------------------------------------------------------------------------------------------
 
 
linked list (from above):
D(int) -> C(string) -> B(int) -> A(int)
 
 
offset=0
 
D
D->offset = 0
offset = 4
 
C
C->offset = 8
offset = 24
 
B
B->offset = 24
offset = 28
A
A->offset = 28
offset = 32 (which would be the actual group size)

So, as visible, the order in which the linked list is being processed on the two cases is causing issues (from A to D in one case and from D to A in the next case).
while the group size calculation code block leads to a group size of 28, the group size according to the second code block would be 32 and the offset of the last variable would we 28. This would lead to the last variable (all 4 bytes) getting corrupted.

My temporary solution is to recalculate the group size every time a variable is added in the first code block by re-traversing the linked list but is definitely not the ideal solution.


You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or mute the thread.