### Description

I want to convert the `application/sdp` body of an INVITE message to `multipart/mixed`. For this I used this [construction](https://kamailio.org/docs/modules/devel/modules/textops.html#textops.f.set_b...)

```
set_body_multipart("test", "text/plain", "delimiter");
msg_apply_changes();
$var(b) = "7e Od 04 55 75 69 20 4d 61 6b 65 43 61 6c 6c";
append_body_part("$var(b)", "application/vnd.cirpack.isdn-ext", "signal;handling=required");
```

For some reason `msg_apply_changes` is not applied and then `append_body_part` causes a coredump.
### Troubleshooting
#### Reproduction

On an Alpine dist or in the `kamailio/kamailio-ci` Docker container, you need to load the [kazoo config](https://github.com/2600hz/kazoo-configs-kamailio) and apply this patch:

```
diff --git a/kamailio/default.cfg b/kamailio/default.cfg index bc4a084..4b85642 100644 --- a/kamailio/default.cfg +++ b/kamailio/default.cfg @@ -334,6 +334,13 @@ route route(AUTHORIZATION_CHECK); #!endif
+ if (is_method("INVITE") && isflagset(FLAG_INTERNALLY_SOURCED)) { + set_body_multipart(); + msg_apply_changes(); + $var(b) = "7e Od 04 55 75 69 20 4d 61 6b 65 43 61 6c 6c"; + append_body_part("$var(b)", "application/vnd.cirpack.isdn-ext", "signal;handling=required"); + } + route(HANDLE_MESSAGE_WRAPPER);
#!ifdef PRESENCE_ROLE
```

Then make a call to another phone.
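Review bot: The return value of `msg_apply_changes();` is ignored in the added `is_method("INVITE")` block, so `append_body_part(...)` runs even when the multipart conversion was not applied. Wrap the append in `if (msg_apply_changes()) { ... }`, and call `msg_apply_changes()` again after `append_body_part(...)` before `route(HANDLE_MESSAGE_WRAPPER);`, since the appended part is otherwise still pending when the request is forwarded. Note also that `set_body_multipart();` is called here without arguments, while the description above passes a body, a content type and a boundary; the reproduction should state which form triggers the crash.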
#### Debugging Data

```
(gdb) bt
#0 0x00007f1235f96f1b in __syscall4 (a4=<optimized out>, a3=<optimized out>, a2=<optimized out>, a1=<optimized out>, n=<optimized out>) at ./arch/x86_64/syscall_arch.h:38
#1 __restore_sigs (set=set@entry=0x7ffc151162d0) at src/signal/block.c:43
#2 0x00007f1235f97035 in raise (sig=sig@entry=6) at src/signal/raise.c:13
#3 0x00007f1235f6efb4 in abort () at src/exit/abort.c:9
#4 0x00005598707495a2 in free_lump (lmp=0x7f1235e76478) at core/data_lump.c:464
#5 0x000055987074965d in free_lump_list (l=l@entry=0x7f1235e763d8) at core/data_lump.c:498
#6 0x000055987074983a in del_nonshm_lump (lump_list=lump_list@entry=0x7f1235e737b8) at core/data_lump.c:647
#7 0x0000559870785c43 in replace_body (msg=msg@entry=0x7f1235e73208, txt=...) at core/msg_translator.c:1667
#8 0x000055987078d205 in check_boundaries (msg=msg@entry=0x7f1235e73208, send_info=send_info@entry=0x7f12322d6df8) at core/msg_translator.c:1874
#9 0x000055987078d5d3 in build_req_buf_from_sip_req (msg=msg@entry=0x7f1235e73208, returned_len=returned_len@entry=0x7ffc151166fc, send_info=0x7f12322d6df8, mode=mode@entry=128) at core/msg_translator.c:1979
#10 0x00007f123602a1ec in prepare_new_uac (t=t@entry=0x7f12322d6b90, i_req=i_req@entry=0x7f1235e73208, branch=branch@entry=0, uri=<optimized out>, uri@entry=0x7f1235e73480, path=<optimized out>, next_hop=<optimized out>, fsocket=0x7f1235e5ba50, snd_flags=..., fproto=0, flags=0, instance=<optimized out>, ruid=<optimized out>, location_ua=<optimized out>) at t_fwd.c:474
#11 0x00007f123602b665 in add_uac (t=t@entry=0x7f12322d6b90, request=request@entry=0x7f1235e73208, uri=0x7f1235e73480, next_hop=<optimized out>, path=<optimized out>, proxy=proxy@entry=0x0, fsocket=0x7f1235e5ba50, snd_flags=..., proto=0, flags=0, instance=0x7f1235e73850, ruid=0x7f1235e73868, location_ua=0x7f1235e73878) at t_fwd.c:800
#12 0x00007f12360307b8 in t_forward_nonack (t=0x7f12322d6b90, p_msg=p_msg@entry=0x7f1235e73208, proxy=proxy@entry=0x0, proto=proto@entry=0) at t_fwd.c:1680
#13 0x00007f123603ee65 in t_relay_to (p_msg=0x7f1235e73208, proxy=0x0, proto=0, replicate=0) at t_funcs.c:331
#14 0x000055987076fbb8 in do_action (h=h@entry=0x7ffc15118360, a=a@entry=0x7f1235bbf528, msg=msg@entry=0x7f1235e73208) at core/action.c:1073
#15 0x000055987076ac5d in run_actions (h=h@entry=0x7ffc15118360, a=0x7f1235bb1c28, msg=msg@entry=0x7f1235e73208) at core/action.c:1565
#16 0x000055987076dbb3 in do_action (h=h@entry=0x7ffc15118360, a=a@entry=0x7f1235bad570, msg=msg@entry=0x7f1235e73208) at core/action.c:691
#17 0x000055987076ac5d in run_actions (h=h@entry=0x7ffc15118360, a=0x7f1235bad570, msg=msg@entry=0x7f1235e73208) at core/action.c:1565
#18 0x000055987076fb99 in do_action (h=h@entry=0x7ffc15118360, a=a@entry=0x7f1235baf5c8, msg=msg@entry=0x7f1235e73208) at core/action.c:1062
#19 0x000055987076ac5d in run_actions (h=h@entry=0x7ffc15118360, a=0x7f1235bac9d0, msg=msg@entry=0x7f1235e73208) at core/action.c:1565
#20 0x000055987076dbb3 in do_action (h=h@entry=0x7ffc15118360, a=a@entry=0x7f1235b71db8, msg=msg@entry=0x7f1235e73208) at core/action.c:691
#21 0x000055987076ac5d in run_actions (h=h@entry=0x7ffc15118360, a=a@entry=0x7f1235b69540, msg=msg@entry=0x7f1235e73208) at core/action.c:1565
#22 0x0000559870775dc7 in run_top_route (a=0x7f1235b69540, msg=msg@entry=0x7f1235e73208, c=c@entry=0x0) at core/action.c:1654
#23 0x00005598707660c1 in receive_msg ( buf=buf@entry=0x559870a51640 <buf> "INVITE sip:safarov2@node1.nga911.com SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.9.35:11000;rport;branch=z9hG4bK69ag32Nr5gFjH\r\nRoute: sip:10.0.9.39:5060\r\nMax-Forwards: 48\r\nFrom: "Sergey Safarov" <sip:1240@node1."..., len=<optimized out>, rcv_info=rcv_info@entry=0x7ffc151186c0) at core/receive.c:278
#24 0x00005598708131fb in udp_rcv_loop () at core/udp_server.c:554
#25 0x0000559870744fb6 in main_loop () at main.c:1619
#26 0x000055987073d51f in main (argc=<optimized out>, argv=<optimized out>) at main.c:2638
```

Full backtrace at [bt_full.txt](https://github.com/kamailio/kamailio/files/2342768/bt_full.txt)
#### Log Messages

Please look at [kamailio_console.txt](https://github.com/kamailio/kamailio/files/2342769/kamailio_console.txt)
#### SIP Traffic

The crash occurs when modification of packet 73 of the pcap file [sip.pcap.gz](https://github.com/kamailio/kamailio/files/2342770/sip.pcap.gz) starts.
### Possible Solutions

Not known
### Additional Information
* **Kamailio Version** - output of `kamailio -v`
```
/ # kamailio -v
version: kamailio 5.1.5 (x86_64/linux)
flags: STATS: Off, USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MEM, SHM_MMAP, PKG_MALLOC, Q_MALLOC, F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLACKLIST, HAVE_RESOLV_RES
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144 MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
id: unknown
compiled on 16:32:28 Sep 1 2018 with gcc 6.4.0
```
* **Operating System**:

```
/ # cat /etc/os-release
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.8.0
PRETTY_NAME="Alpine Linux v3.8"
HOME_URL="http://alpinelinux.org"
BUG_REPORT_URL="http://bugs.alpinelinux.org"
```
Can you try with msg_apply_changes() after append_body_part(...)?
In this case the crash does not happen, but the SDP does not have the second multipart content. Also, the Kamailio logs have these messages:

```
12(16) ERROR: textops [textops.c:2232]: ki_append_multibody_cd(): Cannot get boundary. Is body multipart?
12(16) INFO: <core> [core/msg_translator.c:1713]: get_boundary(): Content-Type hdr has no params <application/sdp>
12(16) WARNING: <core> [core/msg_translator.c:1980]: build_req_buf_from_sip_req(): check_boundaries error
```
Will a gdb backtrace help when gcc optimisation is disabled?
I resolved the issue after applying this patch, but I am not sure that it is all that must be done.

```
diff --git a/src/core/data_lump.c b/src/core/data_lump.c index e033b4e..6592fce 100644 --- a/src/core/data_lump.c +++ b/src/core/data_lump.c @@ -644,7 +644,10 @@ void del_nonshm_lump( struct lump** lump_list ) /* update the 'next' link of the previous lump */ *prev = crt; /* entire before/after list must be removed */ - free_lump_list( foo ); + if (!(foo->flags&(LUMPFLAG_DUPED|LUMPFLAG_SHMEM))) + free_lump_list( foo ); + if (!(foo->flags&LUMPFLAG_SHMEM)) + free_duped_lump_list(foo); } else { /* check on before and prev list for non-shmem lumps */ r = crt->after;
```
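Review bot: The two added `if` statements in `del_nonshm_lump()` are not mutually exclusive: when `foo->flags` has neither `LUMPFLAG_DUPED` nor `LUMPFLAG_SHMEM` set, `free_lump_list( foo )` runs, then `foo->flags` is read again and `free_duped_lump_list(foo)` is called on the same list. That is a read of freed memory followed by a second free, which matches the `qm_free()` "freeing already freed pointer" message reported after this patch. Make the second branch an `else if` that also tests `LUMPFLAG_DUPED`, so each list is released by exactly one routine, and add a comment saying which allocation each flag implies.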
Kamailio now works without a crash, but I can see this in the logs:

```
135(139) CRITICAL: <core> [core/mem/q_malloc.c:502]: qm_free(): BUG: freeing already freed pointer (0x7f6b2991e638), called from core: core/data_lump.c: free_duped_lump_list(625), first free core: core/data_lump.c: free_lump_list(504) - aborting
```
Also, `body` now has two content elements, but in the logs I can still see:

```
21(25) INFO: <core> [core/msg_translator.c:1713]: get_boundary(): Content-Type hdr has no params <application/sdp>
21(25) WARNING: <core> [core/msg_translator.c:1980]: build_req_buf_from_sip_req(): check_boundaries error
```
Can you make a minimal config that reproduces the issue? Running kazoo is not an easy option.
This is paused until ticket 1719 is resolved.
I have tested two cases on the reference config with `textopsx.so` loaded and these roles enabled:

```
+#!define WITH_DEBUG +#!define WITH_MYSQL +#!define WITH_AUTH +#!define WITH_USRLOCDB
```

The first case works as expected:

```
/* Main SIP request routing logic
 * - processing of any incoming SIP request starts with this route
 * - note: this is the same as route { ... } */
request_route {
    if (is_method("INVITE") && has_body("application/sdp")) {
        set_body_multipart("delimiter");
        if (msg_apply_changes()) {
            $var(b) = "7e Od 04 55 75 69 20 4d 61 6b 65 43 61 6c 6c";
            append_body_part("$var(b)", "application/vnd.cirpack.isdn-ext", "signal;handling=required");
            if(msg_apply_changes()) {
                xlog("L_INFO", "Body converted Succesfully $rU \n");
            }
        }
    }
```
The second generates a core dump:

```
/* Main SIP request routing logic
 * - processing of any incoming SIP request starts with this route
 * - note: this is the same as route { ... } */
request_route {
    if (is_method("INVITE") && has_body("application/sdp")) {
        set_body_multipart("delimiter");
        if (msg_apply_changes()) {
            $var(b) = "7e Od 04 55 75 69 20 4d 61 6b 65 43 61 6c 6c";
            append_body_part("$var(b)", "application/vnd.cirpack.isdn-ext", "signal;handling=required");
#           if(msg_apply_changes()) {
#               xlog("L_INFO", "Body converted Succesfully $rU \n");
#           }
        }
    }
```
It looks like Kamailio generates a core dump when a multipart part is added and `msg_apply_changes()` is not called during call processing.
Related to issue https://github.com/kamailio/kamailio/issues/1758 and to PR https://github.com/kamailio/kamailio/pull/1759
Closed #1631.
Closing - GH #1759 was merged.