### Description

While testing to implement an IMS AS, I used the PUA_REGINFO module to receive details about the SIP registration. The PUA_REGINFO module uses the PUA and USRLOC modules.

However, a couple of issues were found, including a crash:

1) Crash when processing SIP Notify with registration terminated info.
2) Randomly fails storing data to USRLOC (entries already exist).
3) Saves corrupt data to database when use_domain is set in usrloc but domain is not provided in the Notify request.

### Troubleshooting

I am pretty new to Kamailio, but my findings are the following in notify.c:

1) The PUA_REGINFO module deletes the record with `ul.delete_urecord(...)` and later down in the code calls `if (ul_record) ul.release_urecord(ul_record);`. It crashes on the release_urecord call. My assumption, without knowing too much about usrloc, is that release cannot be called on a deleted record. Hence it should be enough to set `ul_record = NULL` after calling `ul.delete_urecord(...)` so that release_urecord is not called later on.
2) It looks like there is an issue handling parallel requests. Without knowing too much, replacing `sruid_next(..)` with `sruid_next_safe()` resolves the issue. Also, the static variable of type ucontact_info_t should probably become local as well.
3) It may be incorrect to set use_domain to 1 when using the module; however, I think it should be failsafe and not store garbage data into the database. I have not looked into this issue.

#### Reproduction

Send a Notify request with a REGINFO body for registration and unregistration and forward it to the module according to the documentation of PUA_REGINFO.

#### Debugging Data

Attaching SIPp scenario. Changing the code according to 1) and 2) makes the SIPp script run with no critical issues seen. (I have too little experience to ensure that no memleaks are introduced or still present in the module code.)

```xml
<?xml version="1.0" encoding="ISO-8859-1" ?>
<scenario name="notify">
  <!-- NOTIFY 1: registration and contact reported as active -->
  <send retrans="500">
    <![CDATA[

      NOTIFY sip:[remote_ip] SIP/2.0
      Via: SIP/2.0/[transport] [local_ip]:[local_port];branch=[branch]
      From: sip:[field0]@[field1];tag=[call_number]
      To: sip:[field0]@[field1]
      Call-ID: [call_id]
      CSeq: 1 NOTIFY
      Contact: sip:[field0]@[local_ip]:[local_port]
      Max-Forwards: 70
      Expires: 1800
      Event: reg
      User-Agent: SIPp/Linux
      Subscription-State: active;expires=6888
      Content-Type: application/reginfo+xml
      Content-Length: [len]

      <?xml version="1.0"?>
      <reginfo xmlns="urn:ietf:params:xml:ns:reginfo" version="2" state="full">
      <registration aor="sip:[field0]@mnc001.mcc001.3gppnetwork.org" id="0x7feff71118f8" state="active">
      <contact id="0x7feff7126e58" state="active" event="registered" expires="595" q="0.500">
      <uri>sip:[field0]@192.168.55.103:21061;ob;alias=192.168.55.103~21061~1</uri>
      <unknown-param name="+g.3gpp.smsip"></unknown-param>
      <unknown-param name="q">"0.5"</unknown-param>
      </contact>
      </registration>
      </reginfo>
    ]]>
  </send>

  <recv response="202" rtd="true">
  </recv>

  <pause milliseconds="1000"/>

  <!-- NOTIFY 2: same registration reported as terminated (contact expired) -->
  <send retrans="500">
    <![CDATA[

      NOTIFY sip:[remote_ip] SIP/2.0
      Via: SIP/2.0/[transport] [local_ip]:[local_port];branch=[branch]
      From: sip:[field0]@[field1];tag=[call_number]
      To: sip:[field0]@[field1]
      Call-ID: [call_id]
      CSeq: 2 NOTIFY
      Contact: sip:[field0]@[local_ip]:[local_port]
      Max-Forwards: 70
      Expires: 1800
      User-Agent: SIPp/Linux
      Event: reg
      Subscription-State: active;expires=6888
      Content-Type: application/reginfo+xml
      Content-Length: [len]

      <?xml version="1.0"?>
      <reginfo xmlns="urn:ietf:params:xml:ns:reginfo" version="3" state="full">
      <registration aor="sip:[field0]@mnc001.mcc001.3gppnetwork.org" id="0x7feff71118f8" state="terminated">
      <contact id="0x1" state="terminated" event="expired" expires="0" q="0.000">
      <uri>sip:[field0]@192.168.55.103:21061;ob;alias=192.168.55.103~21061~1</uri>
      </contact>
      </registration>
      </reginfo>
    ]]>
  </send>

  <recv response="202" rtd="true">
  </recv>
</scenario>
```

#### Log Messages

#### SIP Traffic

### Possible Solutions

See troubleshooting.

### Additional Information

* **Kamailio Version** - output of `kamailio -v`

```
5.1.4
```

* **Operating System**:

```
Debian 8.11
```

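The ownership rule behind finding 1 of the report, as an added example that is not Kamailio code and not part of the original post: a toy record store in which delete ends a record's lifetime, so the caller has to drop its handle before the shared cleanup path runs. All names (`store_t`, `store_get`, `store_delete`, `store_release`, `process_registration`, `run_scenario`) are hypothetical stand-ins for the usrloc calls named in the report, and the model assumes, as the reporter does, that a deleted record must not be released.

```c
#include <stdio.h>
#include <string.h>

/* Toy model with hypothetical names; not the usrloc API. Records live in a
 * static pool so that a stale handle can be detected instead of crashing. */
#define POOL_SIZE 4

typedef struct {
    char aor[64];
    int in_use;   /* 0 = slot free: never created, or already deleted */
    int contacts;
} record_t;

typedef struct {
    record_t pool[POOL_SIZE];
    int stale_releases; /* releases attempted on an already deleted record */
} store_t;

enum reg_state { REG_ACTIVE, REG_TERMINATED };

/* Look up the record for an AoR, creating it if it does not exist yet. */
static record_t *store_get(store_t *s, const char *aor)
{
    record_t *free_slot = NULL;
    for (int i = 0; i < POOL_SIZE; i++) {
        record_t *r = &s->pool[i];
        if (r->in_use && strcmp(r->aor, aor) == 0)
            return r;
        if (!r->in_use && !free_slot)
            free_slot = r;
    }
    if (!free_slot)
        return NULL;
    memset(free_slot, 0, sizeof(*free_slot));
    strncpy(free_slot->aor, aor, sizeof(free_slot->aor) - 1);
    free_slot->in_use = 1;
    return free_slot;
}

/* Delete ends the record's lifetime; the caller's pointer is stale afterwards. */
static void store_delete(record_t *r)
{
    r->in_use = 0;
    r->contacts = 0;
}

/* Normal "done with the record" call. Assumption of this model: it also frees
 * a record that has no contacts left. On a stale handle it only counts the
 * misuse; with heap-allocated records this is where freed memory is touched. */
static int store_release(store_t *s, record_t *r)
{
    if (!r->in_use) {
        s->stale_releases++;
        return -1;
    }
    if (r->contacts == 0)
        r->in_use = 0;
    return 0;
}

/* Handle one <registration> element. null_after_delete = 0 is the reported
 * behaviour, 1 is the change proposed in the report. */
static int process_registration(store_t *s, const char *aor,
                                enum reg_state state, int null_after_delete)
{
    int rc = 0;
    record_t *rec = store_get(s, aor);
    if (!rec)
        return -1;
    if (state == REG_TERMINATED) {
        store_delete(rec);
        if (null_after_delete)
            rec = NULL; /* handle is dead: make the cleanup path skip it */
    } else {
        rec->contacts++;
    }
    /* shared exit path, shaped like "if (ul_record) release(ul_record);" */
    if (rec)
        rc = store_release(s, rec);
    return rc;
}

/* Replays the two NOTIFYs of the scenario (active, then terminated) for one
 * constructed AoR. Returns the stale-release count; *live_out gets the number
 * of records still stored afterwards. */
static int run_scenario(int null_after_delete, int *live_out)
{
    store_t s;
    int live = 0;
    memset(&s, 0, sizeof(s));
    process_registration(&s, "sip:1000@example.org", REG_ACTIVE, null_after_delete);
    process_registration(&s, "sip:1000@example.org", REG_TERMINATED, null_after_delete);
    for (int i = 0; i < POOL_SIZE; i++)
        live += s.pool[i].in_use;
    if (live_out)
        *live_out = live;
    return s.stale_releases;
}

int main(void)
{
    int live;
    int stale = run_scenario(0, &live);
    printf("handle kept after delete:   stale releases=%d live=%d\n", stale, live);
    stale = run_scenario(1, &live);
    printf("handle nulled after delete: stale releases=%d live=%d\n", stale, live);
    return 0;
}
```

In both runs the record is gone after the terminated NOTIFY; only the run that keeps the handle reaches the release call with a dead record.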
If you get a crash, get the output of `bt full` in gdb taken from the core file and paste it here, it should give details where the crash happens.
Quote: "Attaching SIPp scenario."
Can you attach it?

```
Core was generated by `/usr/local/sbin/kamailio -f /root/kamailio-test.cfg'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007fe975560399 in release_urecord (_r=0x7fe96deb2430) at urecord.c:555
555             mem_delete_urecord(_r->slot->d, _r);
(gdb) bt full
#0  0x00007fe975560399 in release_urecord (_r=0x7fe96deb2430) at urecord.c:555
#1  0x00007fe971e5619e in process_body (notify_body=..., domain=0x7fe96dea0ed8) at notify.c:461
#2  0x00007fe971e56f51 in reginfo_handle_notify (msg=0x7fe976ba48e8, domain=0x7fe96dea0ed8 "\330\r\352m\351\177", s2=0x0) at notify.c:501
#3  0x000000000047bfee in do_action (h=0x7ffec10d53c0, a=0x7fe976b8ba90, msg=0x7fe976ba48e8) at core/action.c:1073
#4  0x0000000000488671 in run_actions (h=0x7ffec10d53c0, a=0x7fe976b8b280, msg=0x7fe976ba48e8) at core/action.c:1565
#5  0x000000000047bed5 in do_action (h=0x7ffec10d53c0, a=0x7fe976b8c118, msg=0x7fe976ba48e8) at core/action.c:1058
#6  0x0000000000488671 in run_actions (h=0x7ffec10d53c0, a=0x7fe976b8c118, msg=0x7fe976ba48e8) at core/action.c:1565
#7  0x0000000000478a88 in do_action (h=0x7ffec10d53c0, a=0x7fe976b897f0, msg=0x7fe976ba48e8) at core/action.c:691
#8  0x0000000000488671 in run_actions (h=0x7ffec10d53c0, a=0x7fe976b897f0, msg=0x7fe976ba48e8) at core/action.c:1565
#9  0x000000000047bed5 in do_action (h=0x7ffec10d53c0, a=0x7fe976b89a28, msg=0x7fe976ba48e8) at core/action.c:1058
#10 0x0000000000488671 in run_actions (h=0x7ffec10d53c0, a=0x7fe976b89a28, msg=0x7fe976ba48e8) at core/action.c:1565
#11 0x0000000000488dde in run_top_route (a=0x7fe976b89a28, msg=0x7fe976ba48e8, c=0x0) at core/action.c:1654
#12 0x00000000005a05a7 in receive_msg (buf=0xa49d00 <buf> "NOTIFY sip:192.168.55.20 SIP/2.0\r\nVia: SIP/2.0/UDP 127.0.1.1:5060;branch=z9hG4bK-23797-1-3\r\nFrom: sip:1000@192.168.55.20;tag=1\r\nTo: sip:1000@192.168.55.20\r\nCall-ID: 1-23797@127.0.1.1\r\nCSeq: 2 NOTI"..., len=806, rcv_info=0x7ffec10d5960) at core/receive.c:277
#13 0x00000000004b93a1 in udp_rcv_loop () at core/udp_server.c:554
```
i = -1 j = 0 l = 1588414302 __FUNCTION__ = "udp_rcv_loop" #14 0x0000000000424437 in main_loop () at main.c:1626 i = 4 pid = 0 si = 0x7fe976b73840 si_desc = "udp receiver child=4 sock=192.168.55.20:5060\000\177\000\000\001\000\000\000\000\000\000\000\001\000\000\000\f\b\000\000\370rWg\000\000\000\000\060\r\352m\351\177\000\000\360Z\r\301\001\000\000\000\310V\301m\351\177\000\000\360Z\r\301\376\177\000\000\326\065g\000\000\000\000\000\020\203A\000\000\000\000\000\340\245\270v\351\177\000" nrprocs = 8 woneinit = 1 __FUNCTION__ = "main_loop" #15 0x000000000042b985 in main (argc=3, argv=0x7ffec10d5e48) at main.c:2645 cfg_stream = 0xeb8010 c = -1 r = 0 tmp = 0x0 tmp_len = 32745 port = 2007714157 proto = 0 options = 0x74c8b0 ":f:cm:M:dVIhEeb:l:L:n:vKrRDTN:W:w:t:u:g:P:G:SQ:O:a:A:x:X:Y:" ret = -1 ---Type <return> to continue, or q <return> to quit--- seed = 4176688069 rfd = 4 debug_save = 0 debug_flag = 0 dont_fork_cnt = 0 n_lst = 0x7ffec10d5d00 p = 0x7ffec10d5e68 "\223}\r\301\376\177" st = {st_dev = 99, st_ino = 29, st_nlink = 2, st_mode = 16877, st_uid = 103, st_gid = 109, __pad0 = 0, st_rdev = 0, st_size = 80, st_blksize = 4096, st_blocks = 0, st_atim = {tv_sec = 1530294610, tv_nsec = 578894952}, st_mtim = { tv_sec = 1530541796, tv_nsec = 307604840}, st_ctim = {tv_sec = 1530541796, tv_nsec = 307604840}, __glibc_reserved = {0, 0, 0}} __FUNCTION__ = "main" (gdb) `
[notify.patch.txt](https://github.com/kamailio/kamailio/files/2155657/notify.patch.txt)
Issue seen from beginning when using module together with Kamailio IMS. SIPp scenario tries to simulate register/unregister as seen in IMS network.
launched with: `sipp -sf notify.xml -inf register.csv 192.168.55.20 -r 1 -m 1 -default_behaviors none`
[notify.csv.txt](https://github.com/kamailio/kamailio/files/2155708/notify.csv.txt)
[notify.xml.txt](https://github.com/kamailio/kamailio/files/2155714/notify.xml.txt)
Hi guys,
Seeing the https://github.com/kamailio/kamailio/pull/1144 about fixing a memory leak in the tm module due to incorrectly using FL_SHM_CLONE when freeing path_vec memory, isn't there a case that a similar patch should be applied to corex/corex_lib.c?
Inside corex_append_branch(..) function:
```c
/* if this is a cloned message, don't free the path vector as it was
 * copied into shm memory and will be freed as contiguous block */
if (!(msg->msg_flags&FL_SHM_CLONE)) {
	if(msg->path_vec.s!=0)
		pkg_free(msg->path_vec.s);
	msg->path_vec.s = 0;
	msg->path_vec.len = 0;
}
```
Maybe we should switch to:
```c
if(msg->path_vec.s!=0)
	pkg_free(msg->path_vec.s);
msg->path_vec.s = 0;
msg->path_vec.len = 0;
```
If you agree this is the case, I will prepare a pull request.
Thank you, Lucian
Hello,
Well, not sure at this moment because it would take some time to analyze what execution paths can end up there. I did look and I saw that the path_vec field is cloned in shm, so doing pkg_free() on that value will fail.
If it ends up in that code when the value is not the cloned one, then it should be ok. On the other hand, the shm clone flag can be set even when path_vec points to a pkg address due to execution on a faked request.
Because of these cases, I just added a helper function to check if a pointer is inside shared memory, see:
* https://github.com/kamailio/kamailio/commit/1a20bcaa35db4aa80d6460dfb0fb9c70...
Maybe this is safer overall and we can change in other parts where we rely on some tricks to see if it is pkg or shm -- in many cases related to processing in context of transaction/tm module, pkg needs to be freed and shm is cloned in a continuous block to be freed at once.
If you find this solution acceptable, then you can go ahead and push a commit using shm_address_in(). That might be safe to be added in reset_path_vector() as well, to avoid troubles if someone calls it for a shm cloned shm structure.
Cheers, Daniel
On 13.07.18 13:06, Lucian Balaceanu wrote:
> Hi guys,
> Seeing the https://github.com/kamailio/kamailio/pull/1144 about fixing a memory leak in the tm module due to incorrectly using FL_SHM_CLONE when freeing path_vec memory, isn't there a case that a similar patch should be applied to corex/corex_lib.c?
> Inside corex_append_branch(..) function:
> ```c
> /* if this is a cloned message, don't free the path vector as it was
>  * copied into shm memory and will be freed as contiguous block */
> if (!(msg->msg_flags&FL_SHM_CLONE)) {
> 	if(msg->path_vec.s!=0)
> 		pkg_free(msg->path_vec.s);
> 	msg->path_vec.s = 0;
> 	msg->path_vec.len = 0;
> }
> ```
> Maybe we should switch to:
> ```c
> if(msg->path_vec.s!=0)
> 	pkg_free(msg->path_vec.s);
> msg->path_vec.s = 0;
> msg->path_vec.len = 0;
> ```
> If you agree this is the case, I will prepare a pull request.
> Thank you, Lucian
Kamailio (SER) - Development Mailing List sr-dev@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-dev
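The two cases named in the reply above, as an added example that is not Kamailio code: the toy `pkg`/`shm` pools and the `toy_*` helpers are assumptions standing in for the real allocators and for `shm_address_in()`, whose implementation is not shown on this page. It compares deciding by `FL_SHM_CLONE`, freeing unconditionally, and deciding by where the pointer lives.

```c
/* Added illustration: toy pools, not Kamailio's allocators. */
#include <stdint.h>
#include <stdio.h>

#define FL_SHM_CLONE 1u                  /* flag value is arbitrary in this model */
static char pkg_pool[64], shm_pool[64];  /* stand-ins for pkg and shm memory */
static int pkg_live, bad_frees;          /* leaked pkg blocks; frees of non-pkg memory */
struct str { char *s; int len; };
struct msg { unsigned msg_flags; struct str path_vec; };
static int in_pool(const void *p, const char *pool, size_t n) {
    uintptr_t a = (uintptr_t)p, b = (uintptr_t)pool;
    return a >= b && a < b + n;
}
/* Model of the helper idea: does p lie inside the shared-memory range? */
static int toy_shm_address_in(const void *p) { return in_pool(p, shm_pool, sizeof shm_pool); }
static char *toy_pkg_alloc(void) { pkg_live++; return pkg_pool; }
static void toy_pkg_free(void *p) {
    if (in_pool(p, pkg_pool, sizeof pkg_pool)) pkg_live--;
    else bad_frees++;                    /* the case the reply says "will fail" */
}
static void clear(struct msg *m) { m->path_vec.s = 0; m->path_vec.len = 0; }

enum policy { BY_FLAG, UNCONDITIONAL, BY_ADDRESS };
static void reset_path(struct msg *m, enum policy p) {
    char *s = m->path_vec.s;
    switch (p) {
    case BY_FLAG:                        /* check quoted from corex_append_branch() */
        if (!(m->msg_flags & FL_SHM_CLONE)) { if (s) toy_pkg_free(s); clear(m); }
        break;
    case UNCONDITIONAL:                  /* always hand the pointer to pkg */
        if (s) toy_pkg_free(s);
        clear(m);
        break;
    case BY_ADDRESS:                     /* shm copy is released with its clone block */
        if (s && !toy_shm_address_in(s)) { toy_pkg_free(s); clear(m); }
        break;
    }
}
/* One scenario; returns leaked_pkg_blocks * 10 + bad_frees. */
static int run(enum policy p, unsigned flags, int in_shm) {
    struct msg m = { flags, { 0, 4 } };
    pkg_live = bad_frees = 0;
    m.path_vec.s = in_shm ? shm_pool : toy_pkg_alloc();
    reset_path(&m, p);
    return pkg_live * 10 + bad_frees;
}
int main(void) {
    printf("flag/pkg=%d unconditional/shm=%d address/pkg=%d address/shm=%d\n",
           run(BY_FLAG, FL_SHM_CLONE, 0), run(UNCONDITIONAL, FL_SHM_CLONE, 1),
           run(BY_ADDRESS, FL_SHM_CLONE, 0), run(BY_ADDRESS, FL_SHM_CLONE, 1));
    return 0;
}
```

A result of 10 means one pkg block was never released, 1 means a shm address was handed to the pkg free routine, and 0 means neither happened.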
Thank you for the answer. We are doing some tests and if they prove meaningful I'll drop a line about this corex_lib append_branch.
Have a nice day,
Lucian
On 13.07.2018 15:09, Daniel-Constantin Mierla wrote:
> Hello,
> Well, not sure at this moment because it would take some time to analyze what execution paths can end up there. I did look and I saw that the path_vec field is cloned in shm, so doing pkg_free() on that value will fail.
> If it ends up in that code when the value is not the cloned one, then it should be ok. On the other hand, the shm clone flag can be set even when path_vec points to a pkg address due to execution on a faked request.
> Because of these cases, I just added a helper function to check if a pointer is inside shared memory, see:
> * https://github.com/kamailio/kamailio/commit/1a20bcaa35db4aa80d6460dfb0fb9c70...
> Maybe this is safer overall and we can change in other parts where we rely on some tricks to see if it is pkg or shm -- in many cases related to processing in context of transaction/tm module, pkg needs to be freed and shm is cloned in a continuous block to be freed at once.
> If you find this solution acceptable, then you can go ahead and push a commit using shm_address_in(). That might be safe to be added in reset_path_vector() as well, to avoid troubles if someone calls it for a shm cloned shm structure.
> Cheers, Daniel
@lasseo can you please obtain the value of `*_r`, `_r->slot` and `*_r->slot` from gdb?
@linuxmaniac, something like this?
```
(gdb) print *_r
$3 = {domain = 0x7fe96dea0dd8, aor = {s = 0x7fe96deb24d8 "\320\063\r\301\376\177", len = 6}, aorhash = 2857371829, contacts = 0x0, slot = 0x0, prev = 0x0, next = 0x0}
(gdb) print _r->slot
$4 = (struct hslot *) 0x0
(gdb) print *_r->slot
Cannot access memory at address 0x0
```
@lasseo - can you make the patch for master branch? It doesn't apply there. We first fix the master branch and then backport. Eventually make a pull request, it is easier to review and merge the patch.
Ok, great. Will try to create a patch during the evening.
Patch from PR merged in master and backported in 5.1 branch. For use_domain 1, I think it is better to create a new issue, if something needs to be fixed there.
Closed #1579.