A new Flyspray task has been opened. Details are below.
User who did this - Hugh Waite (hugh.waite)
Attached to Project - sip-router
Summary - Crash in core when freeing shm dup'ed request
Task Type - Bug Report
Category - Core
Status - New
Assigned To -
Operating System - All
Severity - High
Priority - Normal
Reported Version - Development
Due in Version - Undecided
Due Date - Undecided
Details - I have found a crash in core/tm which is easily reproducible.
An OPTIONS passes through Kamailio to another Kamailio server which responds with a 403.
The response enters a failure route and crashes (due to an abort) when attempting to free
the memory in the faked_req structure.
Attached is the backtrace and the relevant section of the DEBUG level output.
It appears from the DEBUG that a pkg-memory address is stored in the shm_cloned
structure, which is invalid when attempting to free from a different process. The
allocated address in this core is 0x7fd12559ee28 called from parse_from_header.
This only occurs when the Via branch is 'pre-RFC3261'. In this case the
perpetrator is using "branch=foo".
I think the allocation occurs in char_msg_val.h:83 where the from body is parsed to
extract the tag (only for pre-3261 requests).
h_table.c:309 build_cell
h_table.c:390 init_synonym_id
h_table.c:274 char_msg_val
The tm module is pretty stable (last relevant change was removing the syn_branch parameter
in May 2013) so I would rather have some guidance before making changes.
One or more files have been attached.
More information can be found at the following URL:
http://sip-router.org/tracker/index.php?do=details&task_id=454
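
An added example, not Kamailio code and not part of the report: a minimal C model of the ownership problem described above, where a pointer allocated from per-process memory ends up inside a structure that was cloned into one shared block. All names are hypothetical and the standard allocator stands in for both the shared and the private allocator; the check classifies a pointer by the clone's address range before deciding which side may free it.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical model, not Kamailio's structures: a request cloned into one
 * contiguous block; its From body may be parsed later into private memory. */
struct req_clone { char *start, *end; void *from_parsed; };
enum owner { OWNER_NONE, OWNER_CLONE, OWNER_PRIVATE };

/* Decide who owns p by checking it against the clone's address range. */
static enum owner classify(const struct req_clone *c, const void *p) {
    uintptr_t a = (uintptr_t)p;
    if (p == NULL) return OWNER_NONE;
    if (a >= (uintptr_t)c->start && a < (uintptr_t)c->end) return OWNER_CLONE;
    return OWNER_PRIVATE;
}

/* Build the clone; calloc stands in for the shared allocator (assumption). */
static struct req_clone *clone_new(size_t body_len, int parsed_in_clone) {
    size_t total = sizeof(struct req_clone) + body_len;
    struct req_clone *c = calloc(1, total);
    if (c == NULL) return NULL;
    c->start = (char *)c;
    c->end = c->start + total;
    c->from_parsed = parsed_in_clone ? c->start + sizeof(*c) : NULL;
    return c;
}

/* Called by the process that did the late parse: free a private body with
 * the private allocator and clear it. Returns 1 if one was released. */
static int release_late_parsed(struct req_clone *c) {
    if (classify(c, c->from_parsed) != OWNER_PRIVATE) return 0;
    free(c->from_parsed);
    c->from_parsed = NULL;
    return 1;
}

/* Constructed scenario; returns 1 when the pointer was handled as expected. */
int demo(int parsed_in_clone) {
    struct req_clone *c = clone_new(32, parsed_in_clone);
    if (c == NULL) return -1;
    if (!parsed_in_clone) c->from_parsed = malloc(16); /* late, private parse */
    int released = release_late_parsed(c);
    int ok = parsed_in_clone ? (released == 0 && c->from_parsed != NULL)
                             : (released == 1 && c->from_parsed == NULL);
    free(c);
    return ok;
}

int main(void) { return (demo(0) == 1 && demo(1) == 1) ? 0 : 1; }
```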