As expected, a buffer overflow somewhere.
Look in logs for a message like:
BUG: qm_*: prev. fragm. tail overwritten ...
and also give the output of 'bt full'.
Cheers,
Daniel
On 8/28/13 9:47 AM, Alex Balashov wrote:
On 08/28/2013 03:43 AM, Daniel-Constantin Mierla wrote:
Hello,
one more thing, in frame 0, do:
p *prev
In the core dump whose 'bt full' output I put into pastebin, right?
In the case of this crash (with the head/tail message with MEMDBG=1),
the backtrace was a bit more conventional:
(gdb) where
#0 0x0000003dbae328a5 in raise () from /lib64/libc.so.6
#1 0x0000003dbae34085 in abort () from /lib64/libc.so.6
#2 0x000000000053c4c1 in qm_debug_frag (qm=0x7f99b6e80010,
f=0x7f99b713d008)
at mem/q_malloc.c:161
#3 0x000000000053de76 in qm_free (qm=0x7f99b6e80010, p=0x7f99b713d038,
file=0x6165b1 "<core>: parser/parse_to.c", func=0x617e40
"free_to",
line=839) at mem/q_malloc.c:462
#4 0x00000000005657fd in free_to (tb=0x7f99b713d038) at
parser/parse_to.c:839
#5 0x0000000000544ee5 in clean_hdr_field (hf=0x7f99b6eea038)
at parser/hf.c:113
#6 0x000000000054515a in free_hdr_field_lst (hf=0x7f99b6ee94f0)
at parser/hf.c:223
#7 0x00000000005499e5 in free_sip_msg (msg=0x7f99b713b778)
at parser/msg_parser.c:729
#8 0x000000000049f89d in receive_msg (
buf=0x910e20 "SIP/2.0 480 Temporarily Unavailable\r\nVia:
SIP/2.0/UDP 55.177.31.199;branch=z9hG4bK5d98.917ccf34.0\r\nVia:
SIP/2.0/UDP
208.94.157.10:5060;branch=z9hG4bK-2d1a-521da9d0-89ce197-48a5d43\r\nRecord-Route:
<sip:"..., len=860,
rcv_info=0x7fffd1c69db0) at receive.c:296
#9 0x0000000000532665 in udp_rcv_loop () at udp_server.c:557
#10 0x00000000004688a1 in main_loop () at main.c:1638
#11 0x000000000046b84a in main (argc=13, argv=0x7fffd1c6a0e8) at
main.c:2566
I did wander into frame 3 here and printed the dereferenced value of
'prev' as requested:
(gdb) frame 3
#3 0x000000000053de76 in qm_free (qm=0x7f99b6e80010, p=0x7f99b713d038,
file=0x6165b1 "<core>: parser/parse_to.c", func=0x617e40
"free_to",
line=839) at mem/q_malloc.c:462
462 qm_debug_frag(qm, f);
(gdb) print *prev
$1 = {size = 16160473784116415304, u = {nxt_free = 0x48bf7500e07d8348,
is_free = 5242037137909318472},
file = 0x1c880c748d8458b <Address 0x1c880c748d8458b out of bounds>,
func = 0x8348000000000000 <Address 0x8348000000000000 out of bounds>,
line = 9892250880904472772, check = 9892183985613198309}
-- Alex
Kamailio Advanced Trainings - Berlin, Oct 21-24; Miami, Nov 11-13, 2013
- more details about Kamailio trainings at
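As an added illustration of the kind of MEMDBG-style guard check that produces a "prev. fragm. tail overwritten" report and the garbage header seen in 'p *prev' above. This is example code written for this thread, not Kamailio's own q_malloc: the guard constants, the explicit prev pointer in the header and the bump allocator are simplifications, and the 16-byte fragments and the overrunning memset are constructed input.

```c
#include <stddef.h>
#include <string.h>
/* Guard words: constructed for this model, not Kamailio's own patterns. */
#define HEAD_CHECK 0xf0f0f0f0UL
#define TAIL_CHECK 0xc0c0c0c0UL

/* Fragment in a MEMDBG-style arena: header, payload, then a tail guard. The prev
 * link is stored explicitly (a simplification) to let the check reach prev's tail. */
struct frag {
    size_t size;          /* payload bytes that follow the header */
    struct frag *prev;    /* previous fragment in the arena, or NULL */
    unsigned long check;  /* head guard; must still equal HEAD_CHECK */
};

static unsigned long *frag_tail(struct frag *f) {
    return (unsigned long *)((char *)(f + 1) + f->size);
}

/* Bump-allocate a guarded fragment of n payload bytes from the arena. */
static struct frag *frag_alloc(char *arena, size_t *used, struct frag *prev, size_t n) {
    struct frag *f = (struct frag *)(arena + *used);
    f->size = n;
    f->prev = prev;
    f->check = HEAD_CHECK;
    *frag_tail(f) = TAIL_CHECK;
    *used += sizeof *f + n + sizeof(unsigned long);
    return f;
}

/* The check a debug free() runs: 0 = intact, 1 = this fragment's head
 * overwritten, 2 = its tail overwritten, 3 = previous fragment's tail
 * overwritten (the "prev. fragm. tail overwritten" case in the thread). */
static int debug_frag(struct frag *f) {
    if (f->check != HEAD_CHECK) return 1;
    if (*frag_tail(f) != TAIL_CHECK) return 2;
    if (f->prev && *frag_tail(f->prev) != TAIL_CHECK) return 3;
    return 0;
}

/* Allocate two 16-byte fragments, write 16 + overrun bytes into the first
 * (a copy larger than its payload), then check the second as free() would. */
static int simulate_overrun(size_t overrun) {
    static unsigned long words[64];  /* aligned backing store */
    char *arena = (char *)words;
    size_t used = 0;
    memset(words, 0, sizeof words);
    struct frag *a = frag_alloc(arena, &used, NULL, 16);
    struct frag *b = frag_alloc(arena, &used, a, 16);
    memset(a + 1, 'A', 16 + overrun);
    return debug_frag(b);
}
```

A one-byte overrun of the first fragment is caught only when the next fragment is freed, which is why the crash surfaces in free_to() rather than in the code that did the overflowing write.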