The following task has a new comment added:
FS#173 - Double Free -- Crash/Coredump and possible security vulnerability
User who did this - Timo Reimann (tr)
----------
Brandon,
I took a closer look at the information you gave: The problem seems to be related to
reference counting (again).
I can see that the reference counter is decremented one time too often after the BYE
message is received. In your scenario, things look like this:
Nov 17 09:40:04 kamailio /usr/local/sbin/kamailio[21598]: INFO: dialog [dlg_handlers.c:1132]: BYE successfully processed
Nov 17 09:40:04 kamailio /usr/local/sbin/kamailio[21598]: INFO: dialog [dlg_hash.c:597]: unref dlg 0x7f12fbd186c8 with 2 -> 2
Nov 17 09:40:04 kamailio /usr/local/sbin/kamailio[21598]: INFO: dialog [dlg_hash.c:579]: ref dlg 0x7f12fbd186c8 with 1 -> 3
Nov 17 09:40:04 kamailio /usr/local/sbin/kamailio[21598]: INFO: dialog [dlg_hash.c:597]: unref dlg 0x7f12fbd186c8 with 2 -> 1
In a reference call I did on my machine, you can see that the last unref operation is one
less:
0(43729) NOTICE: dialog [dlg_handlers.c:1132]: BYE successfully processed
0(43729) NOTICE: dialog [dlg_hash.c:597]: unref dlg 0x101bb2080 with 2 -> 2
0(43729) NOTICE: dialog [dlg_hash.c:579]: ref dlg 0x101bb2080 with 1 -> 3
0(43729) NOTICE: dialog [dlg_hash.c:597]: unref dlg 0x101bb2080 with 1 -> 2
This leads to the situation where the dialog is erroneously removed prematurely. When the
"canonical" dialog termination occurs later, removal is conducted for a second
time, leading to a double free.
So the question is: What is happening in your scenario? Are you using any dialog
module-related functions or touching the dialog in any way within the configuration script
during processing of the BYE request? If so, which one(s)?
Also, could you please post your dialog modparams?
I assume you're using the latest build of 3.2 (that is, not the official release but a
recently compiled build from the 3.2 branch). Is that correct?
----------
More information can be found at the following URL:
http://sip-router.org/tracker/index.php?do=details&task_id=173#comment3…
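Added example (not part of the original comment and not Kamailio code): a Python replay of the ref/unref lines quoted above, assuming each line reads "<op> dlg <pointer> with <delta> -> <resulting count>", which the quoted numbers are consistent with. It compares the net reference change of the two traces and flags any ref/unref logged after a dialog's count has already reached zero; the LATER lines are constructed to show what the second release would look like.

```python
import re

# Assumed format, inferred from the quoted lines:
#   "<ref|unref> dlg <pointer> with <delta> -> <resulting count>"
LINE_RE = re.compile(r"\b(ref|unref) dlg (0x[0-9a-f]+) with (\d+) -> (-?\d+)")

def events(lines):
    """Yield (pointer, signed delta, logged result) for each ref/unref line."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            sign = 1 if m.group(1) == "ref" else -1
            yield m.group(2), sign * int(m.group(3)), int(m.group(4))

def net_change(lines):
    """Sum of signed deltas per dialog pointer over a log window."""
    total = {}
    for ptr, delta, _ in events(lines):
        total[ptr] = total.get(ptr, 0) + delta
    return total

def audit(lines):
    """Flag inconsistent counts and any ref/unref after the count hit <= 0."""
    last, findings = {}, []
    for ptr, delta, result in events(lines):
        prev = last.get(ptr)
        if prev is not None and prev <= 0:
            findings.append((ptr, "touched after release", result))
        elif prev is not None and prev + delta != result:
            findings.append((ptr, "count mismatch", result))
        last[ptr] = result
    return findings

# Lines from the comment above, syslog prefix trimmed.
FAILING = [
    "dialog [dlg_hash.c:597]: unref dlg 0x7f12fbd186c8 with 2 -> 2",
    "dialog [dlg_hash.c:579]: ref dlg 0x7f12fbd186c8 with 1 -> 3",
    "dialog [dlg_hash.c:597]: unref dlg 0x7f12fbd186c8 with 2 -> 1",
]
REFERENCE = [
    "dialog [dlg_hash.c:597]: unref dlg 0x101bb2080 with 2 -> 2",
    "dialog [dlg_hash.c:579]: ref dlg 0x101bb2080 with 1 -> 3",
    "dialog [dlg_hash.c:597]: unref dlg 0x101bb2080 with 1 -> 2",
]
# Constructed continuation (not from the report): teardown unrefs as usual.
LATER = [
    "dialog [dlg_hash.c:597]: unref dlg 0x7f12fbd186c8 with 1 -> 0",
    "dialog [dlg_hash.c:597]: unref dlg 0x7f12fbd186c8 with 1 -> -1",
]
print(net_change(FAILING), net_change(REFERENCE), audit(FAILING + LATER))
```

Over the same BYE window the failing trace nets -3 against -2 in the reference call, so the remaining teardown unrefs outnumber the references still held.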