The dialog module is configured with db_mode 1 (realtime). When receiving the following broken SIP 200 response (missing 6 bytes between header and body), Kamailio crashes:
SIP/2.0 200 OK
Via: SIP/2.0/UDP 1.2.3.4;branch=z9hG4bKa185.ad1e5804a90a4f79fa2b09b3b2118053.0
Via: SIP/2.0/UDP 2.3.4.5:7016;received=2.3.4.5;branch=z9hG4bK370933d4;rport=7016
Record-Route: <sip:1.2.3.4;lr=on;did=c41.dee>
From: "1234" <sip:1234@example.com>;tag=as4cbf81fd
To: <sip:2345@example.com>;tag=3450065082
Call-ID: 727ca44f1e962eb321143475380dfbd9@example.com
CSeq: 102 INVITE
Contact: <sip:2345@3.4.5.6:12500>
Content-Type: application/sdp
Allow: INVITE, INFO, PRACK, ACK, BYE, CANCEL, OPTIONS, NOTIFY, REGISTER, SUBSCRIBE, REFER, PUBLISH, UPDATE, MESSAGE
Content-Length: 2170
o=- 20568 20568 IN IP4 3.4.5.6
s=SDP data
c=IN IP4 3.4.5.6
t=0 0
m=audio 13002 RTP/AVP 8 101
a=rtpmap:8 PCMA/8000
a=ptime:20
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=sendrecv
Crash happens in dlg_db_handler.c (update_dialog_dbinfo_unsafe), where cell->bind_addr[...] is dereferenced without a NULL check:

/* note: the len comes from the caller leg while the s pointer comes from the callee leg */
LM_DBG("sock_info is %.*s\n",
cell->bind_addr[DLG_CALLER_LEG]->sock_str.len,
cell->bind_addr[DLG_CALLEE_LEG]->sock_str.s);
/* both legs are dereferenced unconditionally */
SET_STR_VALUE(values+7, cell->bind_addr[DLG_CALLER_LEG]->sock_str);
SET_STR_VALUE(values+8, cell->bind_addr[DLG_CALLEE_LEG]->sock_str);
Thread 1 (Thread 0x7fc64b620700 (LWP 2333)):
+bt
#0 0x00007fc641675b63 in update_dialog_dbinfo_unsafe (cell=0x7fc619a71ff8) at dlg_db_handler.c:784
#1 0x00007fc641676852 in update_dialog_dbinfo (cell=0x7fc619a71ff8) at dlg_db_handler.c:881
#2 0x00007fc64167c861 in dlg_onreply (t=0x7fc61d7888f0, type=1048576, param=0x7ffe1ce712f0) at dlg_handlers.c:509
#3 0x00007fc6443f4f17 in run_trans_callbacks_internal (cb_lst=0x7fc61d788960, type=1048576, trans=0x7fc61d7888f0, params=0x7ffe1ce712f0) at t_hooks.c:260
#4 0x00007fc6443f5144 in run_trans_callbacks_with_buf (type=1048576, rbuf=0x7fc61d7889b0, req=0x7fc61ec43928, repl=0x7fc646dcbd80, flags=0) at t_hooks.c:305
#5 0x00007fc6443aaabc in relay_reply (t=0x7fc61d7888f0, p_msg=0x7fc646dcbd80, branch=0, msg_status=200, cancel_data=0x7ffe1ce71580, do_put_on_wait=1) at t_reply.c:1950
#6 0x00007fc6443ae844 in reply_received (p_msg=0x7fc646dcbd80) at t_reply.c:2521
#7 0x000055fd54405df6 in do_forward_reply (msg=0x7fc646dcbd80, mode=0) at core/forward.c:749
#8 0x000055fd5440784b in forward_reply (msg=0x7fc646dcbd80) at core/forward.c:851
#9 0x000055fd544522d2 in receive_msg (buf=0x55fd5492d080 <buf> "SIP/2.0 200 OK\r\nVia: SIP/2.0/UDP ...", len=960, rcv_info=0x7ffe1ce71ad0) at core/receive.c:341
#10 0x000055fd5436e207 in udp_rcv_loop () at core/udp_server.c:515
#11 0x000055fd542dc608 in main_loop () at main.c:1623
#12 0x000055fd542e46a9 in main (argc=13, argv=0x7ffe1ce71f78) at main.c:2642
Check bind_addr before accessing.
Version was 5.0.x, but at least the code in dlg_handler.c wasn't modified in master since then.
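An added example, not Kamailio's own code, of the "check bind_addr before accessing" change suggested above. The str, socket_info and dlg_cell definitions are stand-ins that only mirror the fields used in the snippet (bind_addr[] and sock_str); the accessor leg_sock_str, fill_sock_columns and the demo_* functions are assumed names, and the socket strings are constructed sample values.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-ins assumed for this example: the real Kamailio types are larger;
 * only the fields the crashing snippet touches are modelled here. */
typedef struct { char *s; int len; } str;
typedef struct { str sock_str; } socket_info;

#define DLG_CALLER_LEG 0
#define DLG_CALLEE_LEG 1
#define DLG_LEGS 2

typedef struct {
    socket_info *bind_addr[DLG_LEGS]; /* NULL until that leg's socket is known */
} dlg_cell;

/* Socket string of one leg, or an empty str when bind_addr for that leg is
 * unset. Routing every read through this accessor is the guarded access:
 * no caller dereferences bind_addr[leg] directly. */
static str leg_sock_str(const dlg_cell *cell, int leg)
{
    static char empty[] = "";
    str none = { empty, 0 };
    if (cell == NULL || leg < 0 || leg >= DLG_LEGS) return none;
    if (cell->bind_addr[leg] == NULL) return none;
    return cell->bind_addr[leg]->sock_str;
}

/* Hardened counterpart of the two SET_STR_VALUE lines: fills the values that
 * would go into columns 7 and 8 and reports whether both legs were present,
 * so the caller can skip or log the DB update instead of crashing. */
int fill_sock_columns(const dlg_cell *cell, str *caller_out, str *callee_out)
{
    *caller_out = leg_sock_str(cell, DLG_CALLER_LEG);
    *callee_out = leg_sock_str(cell, DLG_CALLEE_LEG);
    /* each leg is logged with its own len/s pair (the original LM_DBG mixed them) */
    printf("caller sock_info is %.*s\n", caller_out->len, caller_out->s);
    printf("callee sock_info is %.*s\n", callee_out->len, callee_out->s);
    return cell != NULL
        && cell->bind_addr[DLG_CALLER_LEG] != NULL
        && cell->bind_addr[DLG_CALLEE_LEG] != NULL;
}

/* Constructed scenario mirroring the report: the caller leg has a socket, the
 * callee leg has none yet. Returns 0 (a leg was missing) without touching NULL. */
int demo_missing_callee_leg(void)
{
    static char caller_sock[] = "udp:1.2.3.4:5060"; /* constructed sample */
    socket_info caller = { { caller_sock, 16 } };
    dlg_cell cell = { { &caller, NULL } };
    str a, b;
    return fill_sock_columns(&cell, &a, &b);
}

/* Both legs set: returns 1 and the callee column carries its socket string. */
int demo_both_legs(void)
{
    static char caller_sock[] = "udp:1.2.3.4:5060"; /* constructed sample */
    static char callee_sock[] = "udp:5.6.7.8:5060"; /* constructed sample */
    socket_info caller = { { caller_sock, 16 } };
    socket_info callee = { { callee_sock, 16 } };
    dlg_cell cell = { { &caller, &callee } };
    str a, b;
    int ok = fill_sock_columns(&cell, &a, &b);
    return ok && a.len == 16 && b.len == 16;
}

/* A NULL cell is also tolerated: both columns come back empty. */
int demo_null_cell(void)
{
    str a, b;
    int ok = fill_sock_columns(NULL, &a, &b);
    return ok == 0 && a.len == 0 && b.len == 0;
}

int main(void)
{
    return (demo_missing_callee_leg() == 0 && demo_both_legs() && demo_null_cell()) ? 0 : 1;
}
```

The return value lets the surrounding update routine decide what to do with a half-established dialog (skip the realtime write, store an empty column, or log it), which is the policy question the report leaves open; the accessor only guarantees that the decision is made before any dereference.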