The following task has a new comment added:
FS#173 - Double Free -- Crash/Coredump and possible security vulnerability
User who did this - Bayan Towfiq (btowfiq)
----------
I also had a crash with dlgnewref -- it was not during shutdown:

Program terminated with signal 11, Segmentation fault.
#0 0x00007f11fb8bbe61 in dlg_lookup (h_entry=9097, h_id=1731333290) at dlg_hash.c:442
442 if (h_entry>=d_table->size)
(gdb) bt
#0 0x00007f11fb8bbe61 in dlg_lookup (h_entry=9097, h_id=1731333290) at dlg_hash.c:442
#1 0x00007f11fb8b2bf5 in unref_dlg_from_cb (t=<value optimized out>, type=1731333290, param=0x7fffb1193a40) at dlg_handlers.c:964
#2 0x00007f1200dea164 in run_trans_callbacks_internal (cb_lst=<value optimized out>, type=32768, trans=0x7f11eb1e1750, params=0x7fffb1193a40) at t_hooks.c:290
#3 0x00007f1200dea503 in run_trans_callbacks (type=32768, trans=<value optimized out>, req=<value optimized out>, rpl=0x0, code=0) at t_hooks.c:317
#4 0x00007f1200dcfc9a in free_cell (dead_cell=0x7f11eb1e1750) at h_table.c:152
#5 0x00007f1200dcfe68 in free_hash_table () at h_table.c:443
#6 0x00007f1200ddff15 in tm_shutdown () at t_funcs.c:126
#7 0x00000000004e25af in destroy_modules () at sr_module.c:783
#8 0x00000000004616ff in cleanup (show_status=1) at main.c:564
#9 0x000000000046236b in shutdown_children (show_status=1, sig=<value optimized out>) at main.c:706
#10 0x0000000000463382 in handle_sigs () at main.c:797
#11 0x000000000046451e in main_loop () at main.c:1741
#12 0x0000000000465f98 in main (argc=11, argv=0x7fffb1193ef8) at main.c:2508

(gdb) bt full
#0 0x00007f11fb8bbe61 in dlg_lookup (h_entry=9097, h_id=1731333290) at dlg_hash.c:442
        dlg = <value optimized out>
        d_entry = <value optimized out>
#1 0x00007f11fb8b2bf5 in unref_dlg_from_cb (t=<value optimized out>, type=1731333290, param=0x7fffb1193a40) at dlg_handlers.c:964
        dlg = <value optimized out>
        iuid = 0x2389
#2 0x00007f1200dea164 in run_trans_callbacks_internal (cb_lst=<value optimized out>, type=32768, trans=0x7f11eb1e1750, params=0x7fffb1193a40) at t_hooks.c:290
        cbp = 0x7f11eb1b8620
        backup_from = 0x8cb110
        backup_to = 0x8cb118
        backup_dom_from = 0x8cb120
        backup_dom_to = 0x8cb128
        backup_uri_from = 0x8cb100
        backup_uri_to = 0x8cb108
        backup_xavps = 0x8cb210
#3 0x00007f1200dea503 in run_trans_callbacks (type=32768, trans=<value optimized out>, req=<value optimized out>, rpl=0x0, code=0) at t_hooks.c:317
        params = {req = 0x0, rpl = 0x0, param = 0x7f11eb1b8630, code = 0, flags = 0, branch = 0, t_rbuf = 0x0, dst = 0x0, send_buf = {s = 0x0, len = 0}}
#4 0x00007f1200dcfc9a in free_cell (dead_cell=0x7f11eb1e1750) at h_table.c:152
        b = <value optimized out>
        i = <value optimized out>
        rpl = <value optimized out>
        tt = <value optimized out>
        foo = <value optimized out>
        cbs = <value optimized out>
        __FUNCTION__ = "free_cell"
#5 0x00007f1200dcfe68 in free_hash_table () at h_table.c:443
        p_cell = 0x2389
        tmp_cell = 0x7f11eaee5dc8
        i = 598
        __FUNCTION__ = "free_hash_table"
#6 0x00007f1200ddff15 in tm_shutdown () at t_funcs.c:126
No locals.
#7 0x00000000004e25af in destroy_modules () at sr_module.c:783
        t = <value optimized out>
        foo = 0x7f12028fe0f0
        __FUNCTION__ = "destroy_modules"
#8 0x00000000004616ff in cleanup (show_status=1) at main.c:564
        memlog = <value optimized out>
        __FUNCTION__ = "cleanup"
#9 0x000000000046236b in shutdown_children (show_status=1, sig=<value optimized out>) at main.c:706
No locals.
#10 0x0000000000463382 in handle_sigs () at main.c:797
        chld = 0
        chld_status = 134
        memlog = <value optimized out>
#11 0x000000000046451e in main_loop () at main.c:1741
        i = 8
        pid = <value optimized out>
        si = 0x0
        si_desc = "udp receiver child=7 sock=70.167.xxx.xxx:5160\000\000\000\000\000@\020", '\000' <repeats 12 times>, "\016\b\000\000\000\000\000\000\000=\206=\220]֛&\000\000\000\000\000\000\000\001\000\000\000\000\000\000\000\300\v\215\000\000\000\000\000"\000\000\000\000\000\000\000\000\000@\020", '\000' <repeats 11 times>
#12 0x0000000000465f98 in main (argc=11, argv=0x7fffb1193ef8) at main.c:2508
        cfg_stream = <value optimized out>
        c = <value optimized out>
        r = <value optimized out>
        tmp = 0x7fffb1195e83 ""
---Type <return> to continue, or q <return> to quit---
        tmp_len = 0
        port = <value optimized out>
        proto = <value optimized out>
        ret = <value optimized out>
        seed = 3986280357
        rfd = <value optimized out>
        debug_save = 272629760
        debug_flag = 34
        dont_fork_cnt = 0
        n_lst = 0x10400000
        p = <value optimized out>
----------
More information can be found at the following URL: http://sip-router.org/tracker/index.php?do=details&task_id=173#comment40...