[kamailio] Bad usage of presence, xcap server and pidf-manipulation makes Kamailio crash (#441)
14 Dec
2015
14 Dec
'15
12:40 p.m.
Hi everyone,
```
version: kamailio 440-dev7 (i386/linux) c73b9c-dirty
flags: STATS: Off, EXTRA_DEBUG, USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, USE_RAW_SOCKS,
DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MEM, SHM_MMAP, PKG_MALLOC, Q_MALLOC, F_MALLOC,
TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE,
USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLACKLIST, HAVE_RESOLV_RES
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, MAX_URI_SIZE 1024,
BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select
id: c73b9c -dirty
compiled on 10:17:41 Dec 14 2015 with gcc 493
```
A call of "pres_refresh_watchers" on a malformed (empty) pidf document makes
Kamailio crash Steps to reproduce:
1 Send a PUT of an empty PIDF document on
/xcap-root/pidf-manipulation/users/sip:alice@exampleorg/index
2 Then try to process it with pres_refresh_watchers("$var(uri)",
"presence", 2, "$xcapuri(u=>uri_adoc)",
"$xcapuri(u=>file)")
3 Kamailio crashes with the following messages in logs:
```
Dec 14 11:10:41 kamailio-0[9460]: INFO: <script>: XHTTP: request [HTTP/11] PUT =>
/xcap-root/pidf-manipulation/users/sip:alice@exampleorg/index
Dec 14 11:10:41 kamailio-0[9460]: INFO: <script>: XHTTP: Accessing XCAP root
Dec 14 11:10:41 kamailio-0[9460]: INFO: <script>: XHTTP: Parsed XCAP URI : {data :
/xcap-root/pidf-manipulation/users/sip:alice@exampleorg/index, uri :
/xcap-root/pidf-manipulation/users/sip:alice@exampleorg/index, auid : pidf-manipulation,
root : /xcap-root/, type : 16, xuid : sip:alice@exampleorg, file : index, node :
<null>, target : <null>, domain :
/xcap-root/pidf-manipulation/users/sip:alice@exampleorg/index, uri_adoc :
/xcap-root/pidf-manipulation/users/sip:alice@exampleorg/index}
Dec 14 11:10:41 kamailio-0[9460]: INFO: <script>: XHTTP: Validating user URI
Dec 14 11:10:41 kamailio-0[9460]: INFO: <script>: XHTTP: User URI is valid
Dec 14 11:10:41 kamailio-0[9460]: INFO: <script>: XHTTP: PUT sip:alice@exampleorg
Dec 14 11:10:41 kamailio-0[9460]: ERROR: xcap_server [xcap_serverc:574]: w_xcaps_put():
invalid body parameter
Dec 14 11:10:41 kamailio-0[9460]: ERROR: presence [presentityc:844]: update_presentity():
No E_Tag match index
Dec 14 11:10:41 kamailio-0[9365]: ALERT: <core> [mainc:738]: handle_sigs(): child
process 9460 exited by a signal 11
Dec 14 11:10:41 kamailio-0[9365]: ALERT: <core> [mainc:741]: handle_sigs(): core was
generated
```
We got an error with "invalid body parameter" which is good but this wont
prevent Kamailio from continuing and crashing
Here is a config code snippet:
```
[]
xcaps_put("$var(uri)", "$hu", "$rb");
pres_refresh_watchers("$var(uri)", "presence", 2,
"$xcapuri(u=>uri_adoc)", "$xcapuri(u=>file)");
[]
```
Maybe "xcaps_put" return value maybe used to prevent such issues But my opinion
is that it should not crash
Here is the stack trace:
```
Program terminated with signal SIGSEGV, Segmentation fault
#0 0xb1ab8a4d in update_hard_presentity (pres_uri=0xbffd5710, event=0xb2623ae8,
file_uri=0xbffd5720, filename=0xbffd5728) at publishc:592
592 if(pidf_doc->s)
(gdb) bt
#0 0xb1ab8a4d in update_hard_presentity (pres_uri=0xbffd5710, event=0xb2623ae8,
file_uri=0xbffd5720, filename=0xbffd5728) at publishc:592
#1 0xb1a8833b in pres_refresh_watchers (pres=0xbffd5710, event=0xbffd5718, type=2,
file_uri=0xbffd5720, filename=0xbffd5728) at presencec:691
#2 0xb1a96ded in w_pres_refresh_watchers5 (msg=0xbffd6a58, puri=0xb6e15a78
"\260\274", <incomplete sequence \341\266>, pevent=0xb6e15aec
"\344\225\341\266 ",
ptype=0xb6e15b2c "x\220\341\266\001", furi=0xb6e730dc "",
fname=0xb6e73150 <incomplete sequence \341\266>) at presencec:1722
#3 0x08062367 in do_action (h=0xbffd69b0, a=0xb6e1a2c4, msg=0xbffd6a58) at actionc:1087
#4 0x0806d2c6 in run_actions (h=0xbffd69b0, a=0xb6e17b34, msg=0xbffd6a58) at
actionc:1549
#5 0x0806a717 in do_action (h=0xbffd69b0, a=0xb6e2c64c, msg=0xbffd6a58) at actionc:1301
#6 0x0806d2c6 in run_actions (h=0xbffd69b0, a=0xb6e2c64c, msg=0xbffd6a58) at
actionc:1549
#7 0x0806a717 in do_action (h=0xbffd69b0, a=0xb6e55490, msg=0xbffd6a58) at actionc:1301
#8 0x0806d2c6 in run_actions (h=0xbffd69b0, a=0xb6df39e0, msg=0xbffd6a58) at
actionc:1549
#9 0x08062021 in do_action (h=0xbffd69b0, a=0xb6e5566c, msg=0xbffd6a58) at actionc:1045
#10 0x0806d2c6 in run_actions (h=0xbffd69b0, a=0xb6ded644, msg=0xbffd6a58) at
actionc:1549
#11 0xb1da33a5 in xhttp_process_request (orig_msg=0xb6e87774,
new_buf=0xb6e87d40 "PUT
/xcap-root/pidf-manipulation/users/sip:alice@exampleorg/index HTTP/11\r\nVia: SIP/20/TCP
1921681501:40618\r\nHost: xcapexampleorg:5050\r\nContent-Length: 0\r\nUser-Agent: p",
new_len=331) at xhttp_modc:282
#12 0xb1da42af in xhttp_handler (msg=0xb6e87774) at xhttp_modc:357
#13 0x081127ab in nonsip_msg_run_hooks (msg=0xb6e87774) at nonsip_hooksc:111
#14 0x081368b1 in receive_msg (
buf=0x9cdf838 "PUT /xcap-root/pidf-manipulation/users/sip:alice@exampleorg/index
HTTP/11\r\nHost: xcapexampleorg:5050\r\nContent-Length: 0\r\nUser-Agent:
python-requests/270 CPython/276 Lin", len=293, rcv_info=0xb26398ac) at receivec:145
#15 0x08208f85 in receive_tcp_msg (
tcpbuf=0xb2639a68 "PUT
/xcap-root/pidf-manipulation/users/sip:alice@exampleorg/index HTTP/11\r\nHost:
xcapexampleorg:5050\r\nContent-Length: 0\r\nUser-Agent: python-requests/270 CPython/276
Lin", len=293, rcv_info=0xb26398ac, con=0xb2639898) at tcp_readc:1254
#16 0x0820bb37 in tcp_read_req (con=0xb2639898, bytes_read=0xbffd7208,
read_flags=0xbffd720c) at tcp_readc:1410
#17 0x0820e346 in handle_io (fm=0xb6e788a4, events=1, idx=-1) at tcp_readc:1584
#18 0x082016c2 in io_wait_loop_epoll (h=0x8411480 <io_w>, t=2, repeat=0) at
io_waith:1061
#19 0x0820fd0a in tcp_receive_loop (unix_sock=37) at tcp_readc:1754
#20 0x081f8fc8 in tcp_init_children () at tcp_mainc:4788
#21 0x080df306 in main_loop () at mainc:1679
#22 0x080e4ca1 in main (argc=17, argv=0xbffd7734) at mainc:2597
```
Tell me if you need more information ? Maybe the full stack
I think the error is here (presence/publishc:590-595) :
```
if(pidf_doc)
{
if(pidf_doc->s)
pkg_free(pidf_doc->s);
pkg_free(pidf_doc);
}
```
Maybe more validation should be done on "pidf_doc" before trying to access
"pidf_doc->s" But I haven't investigated the issue more than that
---
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/441
14 Dec
14 Dec
5:52 p.m.
I pushed a commit to master branch, can you fetch latest git and try again?
---
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/441#issuecomment-164473501
6:02 p.m.
Hello Daniel,
Looks like it is solved, not crashing anymore:
```
[...]
Dec 14 16:58:25 banshee1 kamailio-0[16952]: INFO: <script>: XHTTP: Validating user
URI
Dec 14 16:58:25 banshee1 kamailio-0[16952]: INFO: <script>: XHTTP: User URI is
valid
Dec 14 16:58:25 banshee1 kamailio-0[16952]: INFO: <script>: XHTTP: PUT
sip:alice@example.org
Dec 14 16:58:25 banshee1 kamailio-0[16952]: ERROR: xcap_server [xcap_server.c:574]:
w_xcaps_put(): invalid body parameter
[...]
```
Thank you
---
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/441#issuecomment-164476218
6:17 p.m.
Closed #441.
---
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/441#event-491156274
6:17 p.m.
Thanks for testing!
---
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/441#issuecomment-164481726
3267
days inactive
3267
days old
4 comments
2 participants
participants (2)
-
Daniel-Constantin Mierla -
foucse