[kamailio] websocket: Check frame->wsc in ws_frame_transmit for NULL. (#26) - sr-dev

12 Jan 2015


      Add frame.wsc == NULL check in ws_frame_transmit similar to the checks
in ws_close and friends and ws_frame_receive to avoid crashing if the
tcp connection was been terminated prematurely.
In the wild, the following was observed:
Jan 11 16:26:20 ws0 /usr/sbin/kamailio[16621]: ERROR: <core> [tcp_main.c:715]: _wbufq_add(): ERROR: wbufq_add(1077 bytes): write queue full or timeout  (32122, total 32122, last write 0 s ago)
    Jan 11 16:26:20 ws0 /usr/sbin/kamailio[16621]: ERROR: websocket [ws_frame.c:299]: encode_and_send_ws_frame(): sending WebSocket frame
    Jan 11 16:26:20 ws0 /usr/sbin/kamailio[16621]: ERROR: websocket [ws_frame.c:740]: ws_frame_transmit(): sending message
    ....
    Jan 11 16:26:20 ws0 /usr/sbin/kamailio[16637]: ERROR: <core> [tcp_main.c:3638]: handle_ser_child(): handle_ser_child: ERROR: received CON_ERROR for 0x7fc500606808 (id 3492), refcnt 3, flags 0x601c
    Jan 11 16:26:20 ws0 /usr/sbin/kamailio[16628]: WARNING: <core> [tcp_read.c:1604]: handle_io(): WARNING: tcp_receive: handle_io: F_TCPCONN connection marked as bad: 0x7fc500606808 id 3492 refcnt 1
And then, 5 seconds later:
Jan 11 16:26:25 ws0 /usr/sbin/kamailio[16612]: ALERT: <core> [main.c:777]: handle_sigs(): child process 16618 exited by a signal 11
Backtrace:
#0  0x00007f8694ee4bfe in encode_and_send_ws_frame (frame=frame@entry=0x7fff1a295130, conn_close=conn_close@entry=CONN_CLOSE_DONT) at ws_frame.c:148
    #1  0x00007f8694ee9598 in ws_frame_transmit (data=<optimized out>) at ws_frame.c:738
    #2  0x00007f8695fc3e20 in msg_send (len=<optimized out>, buf=<optimized out>, dst=<optimized out>) at ../../forward.h:187
    #3  send_pr_buffer (rb=rb@entry=0x7f86888730b0, buf=0x7f8688883388, len=<optimized out>) at t_funcs.c:102
    #4  0x00007f8695fcf104 in t_send_branch (t=t@entry=0x7f8688872f38, branch=branch@entry=0, p_msg=p_msg@entry=0x7f86976212b0, proxy=proxy@entry=0x0, lock_replies=lock_replies@entry=1) at t_fwd.c:1580
    #5  0x00007f8695fd2814 in t_forward_nonack (t=0x7f8688872f38, p_msg=p_msg@entry=0x7f86976212b0, proxy=proxy@entry=0x0, proto=proto@entry=0) at t_fwd.c:1790
    #6  0x00007f8695fc50fa in t_relay_to (p_msg=0x7f86976212b0, proxy=0x0, proto=0, replicate=0) at t_funcs.c:354
    #7  0x0000000000421980 in do_action (h=h@entry=0x7fff1a295c70, a=a@entry=0x7f86975e3798, msg=msg@entry=0x7f86976212b0) at action.c:1105
The same thing happened three times over the weekend. All with kamailio-4.1.6 from http://deb.kamailio.org/kamailio .
Could it be that this missing check was simply an oversight? Or is there a reason why the check wasn't done in ws_frame_transmit?
----
This patch was compile tested only. We haven't tried to reproduce the crash to see if this fixes it. But I figure this should at least stop the crash, and probably relay back that the destination doesn't exist anymore.
You can merge this Pull Request by running:
git pull https://github.com/wdoekes/kamailio wjd-ws_frame_transmit-check-wsc
Or you can view, comment on it, or merge it online at:
https://github.com/kamailio/kamailio/pull/26
-- Commit Summary --
* websocket: Check frame->wsc in ws_frame_transmit for NULL.
-- File Changes --
M modules/websocket/ws_frame.c (5)
-- Patch Links --
https://github.com/kamailio/kamailio/pull/26.patch
https://github.com/kamailio/kamailio/pull/26.diff
---
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/pull/26