Hello,

I am investigating a crash which is happening since:

commit 0c11f4f9c235bf791ac39446c293483462a99354
Author: Daniel-Constantin Mierla <miconda@gmail.com>
Date:   Mon Dec 29 22:26:46 2014 +0100

    pua_dialoginfo: load dialogs for dialoginfo event upon restart

    - based on a patch by Kristian Høgh, FS#360



The problem appears to be that in this function of pua_dialoginfo.c...


static void
__dialog_created(struct dlg_cell *dlg, int type, struct dlg_cb_params *_params)
{
        struct sip_msg *request = _params->req;
        struct dlginfo_cell *dlginfo;

        if (request->REQ_METHOD != METHOD_INVITE)
                return;

        if(send_publish_flag > -1 && !(request->flags & (1<<send_publish_flag)))
                return;

        LM_DBG("new INVITE dialog created: from=%.*s\n", dlg->from_uri.len, dlg->from_uri.s);

        dlginfo=get_dialog_data(dlg, type);
        if(dlginfo==NULL)
                return;

        dialog_publish_multi("Trying", dlginfo->pubruris_caller,
                                &(dlg->from_uri),
                                (include_req_uri)?&(dlg->req_uri):&(dlg->to_uri),
                                &(dlg->callid), 1, dlginfo->lifetime,
                                0, 0, 0, 0, (send_publish_flag==-1)?1:0);
        free_dlginfo_cell(dlginfo);

}


...dlginfo is freed, but is still being referenced in the callback registered here...


struct dlginfo_cell* get_dialog_data(struct dlg_cell *dlg, int type)
{
...
        /* register dialog callbacks which triggers sending PUBLISH */
        if (dlg_api.register_dlgcb(dlg,
                                DLGCB_FAILED| DLGCB_CONFIRMED_NA | DLGCB_TERMINATED
                                | DLGCB_EXPIRED | DLGCB_REQ_WITHIN | DLGCB_EARLY,
                                __dialog_sendpublish, dlginfo, free_dlginfo_cell) != 0) {
                LM_ERR("cannot register callback for interesting dialog types\n");
                free_dlginfo_cell(dlginfo);
                return NULL;
        }
...
        return(dlginfo);
}



Can the freeing of this structure simply be left up to the dialog module when the dialog is eventually destroyed?

All the best,
Charles


www.sipcentric.com

Follow us on twitter @sipcentric

Sipcentric Ltd. Company registered in England & Wales no. 7365592. Registered office: Faraday Wharf, Innovation Birmingham Campus, Holt Street, Birmingham Science Park, Birmingham B7 4BB.