### Description

`dialog` module is configured with `db_mode` 1 (realtime). When receiving the following broken SIP `200` response (missing 6 bytes between header and body), Kamailio crashes:

```
SIP/2.0 200 OK
Via: SIP/2.0/UDP 1.2.3.4;branch=z9hG4bKa185.ad1e5804a90a4f79fa2b09b3b2118053.0
Via: SIP/2.0/UDP 2.3.4.5:7016;received=2.3.4.5;branch=z9hG4bK370933d4;rport=7016
Record-Route: sip:1.2.3.4;lr=on;did=c41.dee
From: "1234" sip:1234@example.com;tag=as4cbf81fd
To: sip:2345@example.com;tag=3450065082
Call-ID: 727ca44f1e962eb321143475380dfbd9@example.com
CSeq: 102 INVITE
Contact: sip:2345@3.4.5.6:12500
Content-Type: application/sdp
Allow: INVITE, INFO, PRACK, ACK, BYE, CANCEL, OPTIONS, NOTIFY, REGISTER, SUBSCRIBE, REFER, PUBLISH, UPDATE, MESSAGE
Content-Length: 2170
o=- 20568 20568 IN IP4 3.4.5.6
s=SDP data
c=IN IP4 3.4.5.6
t=0 0
m=audio 13002 RTP/AVP 8 101
a=rtpmap:8 PCMA/8000
a=ptime:20
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=sendrecv
```

Crash happens in [dlg_db_handler.c](https://github.com/kamailio/kamailio/blob/master/src/modules/dialog/dlg_db_h...):

```
LM_DBG("sock_info is %.*s\n", cell->bind_addr[DLG_CALLER_LEG]->sock_str.len, cell->bind_addr[DLG_CALLEE_LEG]->sock_str.s);
SET_STR_VALUE(values+7, cell->bind_addr[DLG_CALLER_LEG]->sock_str);
SET_STR_VALUE(values+8, cell->bind_addr[DLG_CALLEE_LEG]->sock_str);
```
#### Debugging Data

```
Thread 1 (Thread 0x7fc64b620700 (LWP 2333)):
+bt
#0  0x00007fc641675b63 in update_dialog_dbinfo_unsafe (cell=0x7fc619a71ff8) at dlg_db_handler.c:784
#1  0x00007fc641676852 in update_dialog_dbinfo (cell=0x7fc619a71ff8) at dlg_db_handler.c:881
#2  0x00007fc64167c861 in dlg_onreply (t=0x7fc61d7888f0, type=1048576, param=0x7ffe1ce712f0) at dlg_handlers.c:509
#3  0x00007fc6443f4f17 in run_trans_callbacks_internal (cb_lst=0x7fc61d788960, type=1048576, trans=0x7fc61d7888f0, params=0x7ffe1ce712f0) at t_hooks.c:260
#4  0x00007fc6443f5144 in run_trans_callbacks_with_buf (type=1048576, rbuf=0x7fc61d7889b0, req=0x7fc61ec43928, repl=0x7fc646dcbd80, flags=0) at t_hooks.c:305
#5  0x00007fc6443aaabc in relay_reply (t=0x7fc61d7888f0, p_msg=0x7fc646dcbd80, branch=0, msg_status=200, cancel_data=0x7ffe1ce71580, do_put_on_wait=1) at t_reply.c:1950
#6  0x00007fc6443ae844 in reply_received (p_msg=0x7fc646dcbd80) at t_reply.c:2521
#7  0x000055fd54405df6 in do_forward_reply (msg=0x7fc646dcbd80, mode=0) at core/forward.c:749
#8  0x000055fd5440784b in forward_reply (msg=0x7fc646dcbd80) at core/forward.c:851
#9  0x000055fd544522d2 in receive_msg (buf=0x55fd5492d080 <buf> "SIP/2.0 200 OK\r\nVia: SIP/2.0/UDP ...", len=960, rcv_info=0x7ffe1ce71ad0) at core/receive.c:341
#10 0x000055fd5436e207 in udp_rcv_loop () at core/udp_server.c:515
#11 0x000055fd542dc608 in main_loop () at main.c:1623
#12 0x000055fd542e46a9 in main (argc=13, argv=0x7ffe1ce71f78) at main.c:2642
```
### Possible Solutions
Check `bind_addr` before accessing.
### Additional Information
Version was 5.0.x, but at least code in `dlg_handler.c` wasn't modified in `master` since then.
Can you get the output with gdb for:

```
frame 0
list
info locals
p *cell
```
log messages from before the crash:

```
ERROR: <core> [core/parser/msg_parser.c:96]: get_hdr_field(): bad header
ERROR: <core> [core/parser/msg_parser.c:330]: parse_headers(): bad header field [a=sendrecv#015#012]
ERROR: dialog [dlg_handlers.c:190]: populate_leg_info(): failed to parse headers
ERROR: dialog [dlg_handlers.c:495]: dlg_onreply(): could not add further info to the dialog
```

so that `bind_addr` from callee leg isn't set: [dlg_handlers.c](https://github.com/kamailio/kamailio/blob/5.0/src/modules/dialog/dlg_handler...)

```
if(parse_headers(msg,HDR_EOH_F,0)<0){
    LM_ERR("failed to parse headers\n");
    goto error0;
}

dlg->bind_addr[leg] = msg->rcv.bind_address;
```
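The failure path traced above (header parsing of the malformed reply fails, `populate_leg_info()` returns before assigning `bind_addr[leg]`, and the realtime DB update later dereferences the NULL callee-leg pointer) can be reproduced in a small stand-alone program. The following is an added illustration, not Kamailio code: the `dlg_cell_t`, `socket_info_t` and `str_t` types, the two socket strings and the `headers_parse_ok` flag are all constructed here to mimic the ordering in the issue, and `db_values_safe()` shows the "check `bind_addr` before accessing" fix proposed in the report beside the unchecked pattern that crashed.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed stand-ins for the Kamailio structures involved in this
 * crash; the field names follow the issue, the definitions do not. */
typedef struct { const char *s; int len; } str_t;

typedef struct {
    str_t sock_str;   /* textual socket description, e.g. "udp:1.2.3.4:5060" */
} socket_info_t;

#define DLG_CALLER_LEG 0
#define DLG_CALLEE_LEG 1

typedef struct {
    socket_info_t *bind_addr[2];   /* NULL until populate_leg_info() succeeds */
} dlg_cell_t;

/* Constructed socket info for the two legs (16 characters each). */
static socket_info_t caller_sock = { { "udp:1.2.3.4:5060", 16 } };
static socket_info_t callee_sock = { { "udp:1.2.3.4:5080", 16 } };

/* Mimics populate_leg_info(): the bind address is stored only after the
 * (simulated) header parse succeeds, the same ordering as in the issue. */
static int populate_leg_info(dlg_cell_t *dlg, int leg, int headers_parse_ok,
                             socket_info_t *rcv_bind)
{
    if (!headers_parse_ok) {
        /* parse_headers() failed: return before bind_addr[leg] is set */
        return -1;
    }
    dlg->bind_addr[leg] = rcv_bind;
    return 0;
}

/* Unchecked pattern that crashed: both legs are dereferenced
 * unconditionally. Returns the combined length of the socket strings. */
static int db_values_unsafe(const dlg_cell_t *cell)
{
    return cell->bind_addr[DLG_CALLER_LEG]->sock_str.len
         + cell->bind_addr[DLG_CALLEE_LEG]->sock_str.len;
}

/* Hardened variant: refuse to build the DB row when either leg has no
 * bind address. Returns -1 in that case, otherwise the combined length. */
static int db_values_safe(const dlg_cell_t *cell)
{
    if (cell->bind_addr[DLG_CALLER_LEG] == NULL
        || cell->bind_addr[DLG_CALLEE_LEG] == NULL) {
        fprintf(stderr, "dialog leg has no bind address, skipping DB update\n");
        return -1;
    }
    return cell->bind_addr[DLG_CALLER_LEG]->sock_str.len
         + cell->bind_addr[DLG_CALLEE_LEG]->sock_str.len;
}

/* Scenario from the report: caller leg set from the INVITE, callee leg
 * never set because the broken 200 OK fails header parsing. */
static int broken_reply_scenario(void)
{
    dlg_cell_t cell = { { NULL, NULL } };
    populate_leg_info(&cell, DLG_CALLER_LEG, 1, &caller_sock);
    populate_leg_info(&cell, DLG_CALLEE_LEG, 0, &callee_sock); /* parse fails */
    /* db_values_unsafe(&cell) would dereference NULL here */
    return db_values_safe(&cell);   /* -1 */
}

/* Well-formed reply: both legs populated, checked and unchecked paths agree. */
static int good_reply_scenario(void)
{
    dlg_cell_t cell = { { NULL, NULL } };
    populate_leg_info(&cell, DLG_CALLER_LEG, 1, &caller_sock);
    populate_leg_info(&cell, DLG_CALLEE_LEG, 1, &callee_sock);
    int safe = db_values_safe(&cell);
    return (safe == db_values_unsafe(&cell)) ? safe : -2;   /* 32 */
}

int main(void)
{
    printf("broken reply: %d\n", broken_reply_scenario());
    printf("good reply:   %d\n", good_reply_scenario());
    return 0;
}
```

The check belongs in the DB update path as well as in `populate_leg_info()`: a dialog whose callee leg was never filled in is still a live dialog, so the realtime write has to tolerate a missing leg rather than assume every reply that reached `dlg_onreply()` parsed cleanly.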
Should be fixed in the latest versions of git branches, pushed back also to 5.0.
Anyhow, as 5.0 is getting officially out of maintenance, it is recommended to upgrade to 5.1.x or 5.2.x.
Closed #1899.