Bugs item #2797928, was opened at 2009-05-28 15:54
Message generated for change (Tracker Item Submitted) made by axlh
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=743020&aid=279792…
Category: modules
Group: ver 1.5.x
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Alex Hermann (axlh)
Assigned to: Nobody/Anonymous (nobody)
Summary: Segfaults in dialog_update_db
Initial Comment:
dialog_update_db() is very crashy. It doesn't do any sanity checks on pointers and as
a consequence crashes a lot.
I've seen at least 2 occasions at which it crashes:
1) Calling dlg_manage() on a non-invite message
2) Worse, on an invalid message. When a 200 OK is missing a contact header, I get error
messages from populate_leg_info():
ERROR:dialog:populate_leg_info: bad sip message or missing Contact hdr
ERROR:dialog:dlg_onreply: could not add further info to the dialog
But afterwards dialog_update_db segfaults on an invalid bind_addr, from the backtrace:
(gdb) bt
#0 0xb783c41a in dialog_update_db (ticks=771000, param=0x0) at dlg_db_handler.c:629
#1 0x080a9726 in start_timer_processes () at timer.c:282
#2 0x08069b38 in main (argc=10, argv=0xbfc6f2d4) at main.c:816
Line 629 is for my version: SET_STR_VALUE(values+8, cell->bind_addr[DLG_CALLEE_LEG]->sock_str);
(gdb) bt full
<snip>
{type = DB_STR, nul = 0, free = -1282894544, val = {int_val = 178, ll_val =
-5201380350948802382, double_val = -7.7990737395388139e-40, time_val = 178, string_val =
0xb2 "", str_val = {s = 0xb2 "", len = -1211040735}, blob_val = {s =
0xb2 "", len = -1211040735}, bitmap_val = 178}}
<snip>
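The crash the report describes is an unconditional dereference of cell->bind_addr[DLG_CALLEE_LEG], which is still NULL when populate_leg_info() failed earlier (the 200 OK without a Contact header). The following is an added example, not code from the report or from the dialog module itself: the type names (str, socket_info, dlg_cell, db_val) and the DLG_CALLEE_LEG index are simplified stand-ins modelled on the report's vocabulary, and the sample dialogs are constructed. It shows the guarded form of that assignment and a timer-style sweep that logs and skips a dialog with an unpopulated leg instead of taking the timer process down.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed, simplified stand-ins for the dialog module's types; the names
 * follow the report's vocabulary but these are not the project's definitions. */
typedef struct { char *s; int len; } str;
typedef struct { str sock_str; } socket_info;

enum { DLG_CALLER_LEG = 0, DLG_CALLEE_LEG = 1, DLG_LEGS = 2 };

typedef struct {
    unsigned int h_id;
    socket_info *bind_addr[DLG_LEGS]; /* stays NULL until populate_leg_info succeeds */
} dlg_cell;

typedef struct { int nul; str val; } db_val;

/* Guarded replacement for the unconditional
 *   SET_STR_VALUE(values+8, cell->bind_addr[DLG_CALLEE_LEG]->sock_str);
 * Returns 0 and fills *out when the callee leg has a socket; returns -1 and
 * marks the column NULL when it does not, instead of dereferencing NULL. */
static int set_callee_sock_value(const dlg_cell *cell, db_val *out)
{
    const socket_info *si;

    if (cell == NULL || out == NULL)
        return -1;

    si = cell->bind_addr[DLG_CALLEE_LEG];
    if (si == NULL || si->sock_str.s == NULL) {
        out->nul = 1;
        out->val.s = NULL;
        out->val.len = 0;
        return -1;
    }

    out->nul = 0;
    out->val = si->sock_str;
    return 0;
}

/* Timer-style sweep over a table of dialogs. A dialog whose callee leg was
 * never populated is logged and skipped; the rest are counted as written.
 * Returns the number written and stores the number skipped in *skipped. */
static int update_db(dlg_cell **cells, size_t n, int *skipped)
{
    int written = 0;
    size_t i;

    *skipped = 0;
    for (i = 0; i < n; i++) {
        db_val v;
        if (cells[i] == NULL || set_callee_sock_value(cells[i], &v) != 0) {
            fprintf(stderr, "dialog %u: callee leg has no bind_addr, skipping DB update\n",
                    cells[i] ? cells[i]->h_id : 0u);
            (*skipped)++;
            continue;
        }
        /* real code would place v in the values array and run the DB query */
        written++;
    }
    return written;
}

/* Constructed sample: one fully populated dialog and one whose callee leg
 * is missing, as after a failed populate_leg_info(). */
static char sample_sock[] = "udp:192.0.2.10:5060"; /* documentation address */
static socket_info sock_ok = { { sample_sock, sizeof(sample_sock) - 1 } };
static dlg_cell dlg_good = { 1, { &sock_ok, &sock_ok } };
static dlg_cell dlg_bad  = { 2, { &sock_ok, NULL } };
static dlg_cell *sample[] = { &dlg_good, &dlg_bad };

/* Small wrappers exposing the sweep's results for checking. */
static int demo_written(void) { int sk; return update_db(sample, 2, &sk); }
static int demo_skipped(void) { int sk; update_db(sample, 2, &sk); return sk; }
static int demo_null_cell_rejected(void)
{
    db_val v;
    return set_callee_sock_value(NULL, &v) == -1;
}

int main(void)
{
    int skipped;
    int written = update_db(sample, 2, &skipped);
    printf("written=%d skipped=%d\n", written, skipped);
    return 0;
}
```

On the constructed sample the sweep writes the populated dialog and skips the one with a NULL callee socket, logging its hash id; the same check belongs in front of every leg pointer dereference in the row-building code, since the caller leg can be unpopulated for the same reason.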