I'm running a version of Kamailio from commit a7dc504075d3b5c74c6af6a3216338a0d604d1d8 (18 Feb), so I'm not sure if this has been fixed.
Anyway, I was testing a TCP client and the dialog went stale and was timed out by the dialog module using a local BYE. One of the endpoints responded to the BYE with a 481 message, and Kamailio appears to have crashed on this.
(gdb) where
#0  0xb717c432 in t_reply_matching (p_msg=0xb7419990, p_branch=0xbfe26e98) at t_lookup.c:987
#1  0xb717f52a in t_check_msg (p_msg=0xb7419990, param_branch=0xbfe26e98) at t_lookup.c:1129
#2  0xb71800e4 in t_check (p_msg=0xb7419990, param_branch=0xbfe26e98) at t_lookup.c:1171
#3  0xb71aa189 in reply_received (p_msg=0xb7419990) at t_reply.c:2187
#4  0x0809fd8d in do_forward_reply (msg=0xb7419990, mode=-1289507656) at forward.c:777
#5  0x080eafb5 in receive_msg (buf=0x82d6800 "SIP/2.0 481 Unknown Dialog\r\nVia: SIP/2.0/UDP 208.52.173.18;branch=z9hG4bK931e.95a61f6", '0' <repeats 25 times>, ".0\r\nTo: sip:+14046822836@208.52.173.18;user=phone;tag=SDjfglb99-ac3f4687+1+f2d10012+a5eff02c\r\nFrom: sip:+1404xxxxxxx@yyyyyyyyyy.net;user=phone;tag=acd791cf4\r\nCSeq: 24980 BYE\r\nCall-ID: 3f7eb5b5-57ca-4de0-80eb-4d8f28ceb7ca\r\n\r\n", len=337, rcv_info=<value optimized out>) at receive.c:273
#6  0x08184cd8 in udp_rcv_loop () at udp_server.c:536
#7  0x080b0f10 in main_loop () at main.c:1617
#8  0x080b4234 in main (argc=11, argv=0xbfe27374) at main.c:2533
The actual crash is here:
(gdb) frame 0
#0  0xb717c432 in t_reply_matching (p_msg=0xb7419990, p_branch=0xbfe26e98) at t_lookup.c:987
987         (p_msg->callid->body.len != p_cell->uas.request->callid->body.len ||
And it would seem that the cause is that p_cell->uas.request == NULL:
(gdb) print p_cell->uas.request
$1 = (struct sip_msg *) 0x0
This is all the information I have, and unfortunately I don't think I can reproduce this crash.
-- Alex
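For readers following the report, here is an added example (not Kamailio's code, and not part of the original mail) that models the faulting comparison with simplified stand-in structs using the field names from the backtrace; the function and struct names are assumptions chosen for the illustration. It shows the unchecked Call-ID comparison next to a form that refuses to match against a transaction whose uas.request is NULL, as happens for the locally generated BYE.

```c
#include <stddef.h>
#include <string.h>

/* Minimal stand-ins for the structures named in the backtrace; constructed
 * for this example, not Kamailio's own definitions. */
typedef struct { const char *s; int len; } str;
struct hdr_field { str body; };
struct sip_msg   { struct hdr_field *callid; };
struct ua_server { struct sip_msg *request; };   /* p_cell->uas */
struct cell      { struct ua_server uas; };

enum match_result { MATCH_NO_REQUEST = -1, MATCH_NO = 0, MATCH_YES = 1 };

/* Shape of the faulting line: uas.request is dereferenced unconditionally,
 * so a transaction with no stored request faults on the NULL pointer. */
int callid_matches_unchecked(const struct sip_msg *p_msg, const struct cell *p_cell)
{
    return p_msg->callid->body.len == p_cell->uas.request->callid->body.len
        && memcmp(p_msg->callid->body.s, p_cell->uas.request->callid->body.s,
                  (size_t)p_msg->callid->body.len) == 0;
}

/* Hardened form: a transaction without a request cannot match, so report
 * that instead of dereferencing NULL. */
enum match_result callid_matches_checked(const struct sip_msg *p_msg,
                                         const struct cell *p_cell)
{
    if (p_msg == NULL || p_msg->callid == NULL || p_cell == NULL
        || p_cell->uas.request == NULL || p_cell->uas.request->callid == NULL)
        return MATCH_NO_REQUEST;
    if (p_msg->callid->body.len != p_cell->uas.request->callid->body.len)
        return MATCH_NO;
    return memcmp(p_msg->callid->body.s, p_cell->uas.request->callid->body.s,
                  (size_t)p_msg->callid->body.len) == 0 ? MATCH_YES : MATCH_NO;
}

/* Sample data built from the Call-ID in the 481 reply quoted in the report. */
static struct hdr_field callid_481 = { { "3f7eb5b5-57ca-4de0-80eb-4d8f28ceb7ca", 36 } };
static struct sip_msg reply_481 = { &callid_481 };

/* The case from the report: the transaction's uas.request is NULL. */
enum match_result case_null_request(void)
{
    struct cell t = { { NULL } };
    return callid_matches_checked(&reply_481, &t);   /* MATCH_NO_REQUEST, no crash */
}

/* Normal case: the stored request carries the same Call-ID as the reply. */
enum match_result case_same_callid(void)
{
    struct sip_msg req = { &callid_481 };
    struct cell t = { { &req } };
    return callid_matches_checked(&reply_481, &t);   /* MATCH_YES */
}
```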