THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY. A new Flyspray task has been opened. Details are below. User who did this - Bayan Towfiq (btowfiq) Attached to Project - sip-router Summary - Double Free -- Crash/Coredump and possible security vulnerability Task Type - Bug Report Category - dialog Status - Assigned Assigned To - Timo Reimann Operating System - Linux Severity - Critical Priority - Normal Reported Version - Development Due in Version - Undecided Due Date - Undecided Details - version: kamailio 3.2.0 (x86_64/linux) 639f0a flags: STATS: Off, USE_IPV6, USE_TCP, USE_TLS, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MEM, SHM_MMAP, PKG_MALLOC, DBG_QM_MALLOC, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLACKLIST, HAVE_RESOLV_RES ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 4MB poll method support: poll, epoll_lt, epoll_et, sigio_rt, select. id: 639f0a compiled on 07:18:31 Oct 29 2011 with gcc 4.4.3 Dialog module crashed in kamailio 3.2.0 with the following log error (double free) and below backtrace. This is a potential remote security vulnerability in addition to the crash which is why severity is set to Critical. Please let me know if further information is needed to debug. Nov 6 18:04:33 guru /usr/local/sbin/kamailio[8282]: CRITICAL: dialog [dlg_hash.c:597]: bogus ref -1 with cnt 1 for dlg 0x7f47dbd0eee8 [16086:1982422345] with clid &#39;1124787051_76787956(a)4.55.17.35&#39; and tags 'gK0a13fca4' '' Nov 6 18:04:33 guru /usr/local/sbin/kamailio[8282]: : <core> [mem/q_malloc.c:457]: BUG: qm_free: freeing already freed pointer, first free: dialog: dlg_hash.c: destroy_dlg(217) - aborting Nov 6 18:04:33 guru /usr/local/sbin/kamailio[8294]: : <core> [pass_fd.c:293]: ERROR: receive_fd: EOF on 18 Nov 6 18:04:33 guru /usr/local/sbin/kamailio[8272]: ALERT: <core> [main.c:751]: child process 8282 exited by a signal 6 Nov 6 18:04:33 guru /usr/local/sbin/kamailio[8272]: ALERT: <core> [main.c:754]: core was generated Nov 6 18:05:33 guru /usr/local/sbin/kamailio[8272]: : <core> [main.c:660]: BUG: shutdown timeout triggered, dying... Nov 6 18:05:34 guru init: kamailio main process (8272) killed by ABRT signal Nov 6 18:05:34 guru init: kamailio main process ended, respawning Nov 6 18:05:34 guru kamailio: WARNING: <core> [daemonize.c:352]: pid file contains old pid, replacing pid Full backtrace below: (gdb) bt full #0 0x00007f47f38b3a75 in raise () from /lib/libc.so.6 No symbol table info available. #1 0x00007f47f38b75c0 in abort () from /lib/libc.so.6 No symbol table info available. #2 0x0000000000534708 in qm_free (qm=0x7f47db9be000, p=0x7f47dbe5d3a8, file=0x7f47ec231bef "dialog: dlg_hash.c", func=0x7f47ec231f52 "destroy_dlg", line=217) at mem/q_malloc.c:458 f = 0x7f47dbe5d378 size = <value optimized out> #3 0x00007f47ec218161 in destroy_dlg (dlg=0x7f47dbd0eee8) at dlg_hash.c:217 ret = <value optimized out> __FUNCTION__ = "destroy_dlg" #4 0x00007f47ec21a545 in unref_dlg (dlg=0x7f47dbd0eee8, cnt=0) at dlg_hash.c:597 d_entry = 0x7f47dbcb1c80 #5 0x00007f47f193d5bd in free_cell (dead_cell=0x7f47dbe48920) at h_table.c:175 b = <value optimized out> i = <value optimized out> rpl = <value optimized out> tt = <value optimized out> foo = <value optimized out> cbs = 0x7f47dbcc5970 __FUNCTION__ = "free_cell" #6 0x00007f47f195991b in wait_handler (ti=<value optimized out>, wait_tl=<value optimized out>, data=<value optimized out>) at timer.c:676 p_cell = 0x7f47dbe48920 #7 0x000000000051f4fd in timer_list_expire () at timer.c:894 tl = 0x7f47dbe489a0 ret = <value optimized out> #8 timer_handler () at timer.c:959 saved_ticks = 444520143 run_slow_timer = <value optimized out> #9 timer_main () at timer.c:998 No locals. #10 0x000000000046454f in main_loop () at main.c:1655 i = 8 pid = <value optimized out> si = 0x0 si_desc = "udp receiver child=7 sock=70.167.153.130:5060\000\000\000\000\000@\020", '\000' <repeats 12 times>, "\016\b\000\000\000\000\000\000\000\200\271،*\306v&\000\000\000\000\000\000\000\001\000\000\000\000\000\000\000\300\v\215\000\000\000\000\000\"\000\000\000\000\000\000\000\000\000@\020", '\000' <repeats 11 times> #11 0x0000000000465dd2 in main (argc=11, argv=0x7fff47fcb288) at main.c:2475 cfg_stream = <value optimized out> c = <value optimized out> r = <value optimized out> tmp = 0x7fff47fcbe83 "" tmp_len = 0 port = <value optimized out> proto = <value optimized out> ret = <value optimized out> seed = 1033789824 rfd = <value optimized out> debug_save = 272629760 debug_flag = 34 dont_fork_cnt = 0 n_lst = 0x10400000 p = <value optimized out> (gdb) More information can be found at the following URL: http://sip-router.org/tracker/index.php?do=details&task_id=173 You are receiving this message because you have requested it from the Flyspray bugtracking system. If you did not expect this message or don't want to receive mails in future, you can change your notification settings at the URL shown above.