Hi everyone,
```
version: kamailio 440-dev7 (i386/linux) c73b9c-dirty
flags: STATS: Off, EXTRA_DEBUG, USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MEM, SHM_MMAP, PKG_MALLOC, Q_MALLOC, F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLACKLIST, HAVE_RESOLV_RES
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select
id: c73b9c -dirty
compiled on 10:17:41 Dec 14 2015 with gcc 493
```
A call of "pres_refresh_watchers" on a malformed (empty) pidf document makes Kamailio crash.

Steps to reproduce:
1. Send a PUT of an empty PIDF document on /xcap-root/pidf-manipulation/users/sip:alice@exampleorg/index
2. Then try to process it with pres_refresh_watchers("$var(uri)", "presence", 2, "$xcapuri(u=>uri_adoc)", "$xcapuri(u=>file)")
3. Kamailio crashes with the following messages in logs:
```
Dec 14 11:10:41 kamailio-0[9460]: INFO: <script>: XHTTP: request [HTTP/11] PUT => /xcap-root/pidf-manipulation/users/sip:alice@exampleorg/index
Dec 14 11:10:41 kamailio-0[9460]: INFO: <script>: XHTTP: Accessing XCAP root
Dec 14 11:10:41 kamailio-0[9460]: INFO: <script>: XHTTP: Parsed XCAP URI : {data : /xcap-root/pidf-manipulation/users/sip:alice@exampleorg/index, uri : /xcap-root/pidf-manipulation/users/sip:alice@exampleorg/index, auid : pidf-manipulation, root : /xcap-root/, type : 16, xuid : sip:alice@exampleorg, file : index, node : <null>, target : <null>, domain : /xcap-root/pidf-manipulation/users/sip:alice@exampleorg/index, uri_adoc : /xcap-root/pidf-manipulation/users/sip:alice@exampleorg/index}
Dec 14 11:10:41 kamailio-0[9460]: INFO: <script>: XHTTP: Validating user URI
Dec 14 11:10:41 kamailio-0[9460]: INFO: <script>: XHTTP: User URI is valid
Dec 14 11:10:41 kamailio-0[9460]: INFO: <script>: XHTTP: PUT sip:alice@exampleorg
Dec 14 11:10:41 kamailio-0[9460]: ERROR: xcap_server [xcap_serverc:574]: w_xcaps_put(): invalid body parameter
Dec 14 11:10:41 kamailio-0[9460]: ERROR: presence [presentityc:844]: update_presentity(): No E_Tag match index
Dec 14 11:10:41 kamailio-0[9365]: ALERT: <core> [mainc:738]: handle_sigs(): child process 9460 exited by a signal 11
Dec 14 11:10:41 kamailio-0[9365]: ALERT: <core> [mainc:741]: handle_sigs(): core was generated
```
We got an error with "invalid body parameter", which is good, but this won't prevent Kamailio from continuing and crashing.
Here is a config code snippet:
```
[]
xcaps_put("$var(uri)", "$hu", "$rb");
pres_refresh_watchers("$var(uri)", "presence", 2, "$xcapuri(u=>uri_adoc)", "$xcapuri(u=>file)");
[]
```
Maybe the "xcaps_put" return value may be used to prevent such issues. But my opinion is that it should not crash.
Here is the stack trace:
```
Program terminated with signal SIGSEGV, Segmentation fault
#0 0xb1ab8a4d in update_hard_presentity (pres_uri=0xbffd5710, event=0xb2623ae8, file_uri=0xbffd5720, filename=0xbffd5728) at publishc:592
592 if(pidf_doc->s)
(gdb) bt
#0 0xb1ab8a4d in update_hard_presentity (pres_uri=0xbffd5710, event=0xb2623ae8, file_uri=0xbffd5720, filename=0xbffd5728) at publishc:592
#1 0xb1a8833b in pres_refresh_watchers (pres=0xbffd5710, event=0xbffd5718, type=2, file_uri=0xbffd5720, filename=0xbffd5728) at presencec:691
#2 0xb1a96ded in w_pres_refresh_watchers5 (msg=0xbffd6a58, puri=0xb6e15a78 "\260\274", <incomplete sequence \341\266>, pevent=0xb6e15aec "\344\225\341\266 ", ptype=0xb6e15b2c "x\220\341\266\001", furi=0xb6e730dc "", fname=0xb6e73150 <incomplete sequence \341\266>) at presencec:1722
#3 0x08062367 in do_action (h=0xbffd69b0, a=0xb6e1a2c4, msg=0xbffd6a58) at actionc:1087
#4 0x0806d2c6 in run_actions (h=0xbffd69b0, a=0xb6e17b34, msg=0xbffd6a58) at actionc:1549
#5 0x0806a717 in do_action (h=0xbffd69b0, a=0xb6e2c64c, msg=0xbffd6a58) at actionc:1301
#6 0x0806d2c6 in run_actions (h=0xbffd69b0, a=0xb6e2c64c, msg=0xbffd6a58) at actionc:1549
#7 0x0806a717 in do_action (h=0xbffd69b0, a=0xb6e55490, msg=0xbffd6a58) at actionc:1301
#8 0x0806d2c6 in run_actions (h=0xbffd69b0, a=0xb6df39e0, msg=0xbffd6a58) at actionc:1549
#9 0x08062021 in do_action (h=0xbffd69b0, a=0xb6e5566c, msg=0xbffd6a58) at actionc:1045
#10 0x0806d2c6 in run_actions (h=0xbffd69b0, a=0xb6ded644, msg=0xbffd6a58) at actionc:1549
#11 0xb1da33a5 in xhttp_process_request (orig_msg=0xb6e87774, new_buf=0xb6e87d40 "PUT /xcap-root/pidf-manipulation/users/sip:alice@exampleorg/index HTTP/11\r\nVia: SIP/20/TCP 1921681501:40618\r\nHost: xcapexampleorg:5050\r\nContent-Length: 0\r\nUser-Agent: p", new_len=331) at xhttp_modc:282
#12 0xb1da42af in xhttp_handler (msg=0xb6e87774) at xhttp_modc:357
#13 0x081127ab in nonsip_msg_run_hooks (msg=0xb6e87774) at nonsip_hooksc:111
#14 0x081368b1 in receive_msg ( buf=0x9cdf838 "PUT /xcap-root/pidf-manipulation/users/sip:alice@exampleorg/index HTTP/11\r\nHost: xcapexampleorg:5050\r\nContent-Length: 0\r\nUser-Agent: python-requests/270 CPython/276 Lin", len=293, rcv_info=0xb26398ac) at receivec:145
#15 0x08208f85 in receive_tcp_msg ( tcpbuf=0xb2639a68 "PUT /xcap-root/pidf-manipulation/users/sip:alice@exampleorg/index HTTP/11\r\nHost: xcapexampleorg:5050\r\nContent-Length: 0\r\nUser-Agent: python-requests/270 CPython/276 Lin", len=293, rcv_info=0xb26398ac, con=0xb2639898) at tcp_readc:1254
#16 0x0820bb37 in tcp_read_req (con=0xb2639898, bytes_read=0xbffd7208, read_flags=0xbffd720c) at tcp_readc:1410
#17 0x0820e346 in handle_io (fm=0xb6e788a4, events=1, idx=-1) at tcp_readc:1584
#18 0x082016c2 in io_wait_loop_epoll (h=0x8411480 <io_w>, t=2, repeat=0) at io_waith:1061
#19 0x0820fd0a in tcp_receive_loop (unix_sock=37) at tcp_readc:1754
#20 0x081f8fc8 in tcp_init_children () at tcp_mainc:4788
#21 0x080df306 in main_loop () at mainc:1679
#22 0x080e4ca1 in main (argc=17, argv=0xbffd7734) at mainc:2597
```
Tell me if you need more information. Maybe the full stack?
I think the error is here (presence/publishc:590-595):
```
if(pidf_doc)
{
	if(pidf_doc->s)
		pkg_free(pidf_doc->s);
	pkg_free(pidf_doc);
}
```
Maybe more validation should be done on "pidf_doc" before trying to access "pidf_doc->s". But I haven't investigated the issue more than that.
--- Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/issues/441
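The `if(pidf_doc)` guard in the cleanup quoted above only protects against NULL, so a fault on `pidf_doc->s` implies the pointer was non-NULL but not valid when the error path reached it. The following is an added C illustration, not Kamailio code and not the fix that was committed; `str`, `load_pidf` and `refresh_from_document` are stand-ins (with `free` in place of `pkg_free`) showing the same cleanup shape staying safe on the empty-document path because the pointer is initialized before any early exit.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in for Kamailio's counted string type (assumption for this example). */
typedef struct { char *s; int len; } str;

/* Hypothetical loader: copies the stored document, fails on an empty body. */
static int load_pidf(const char *body, str **out)
{
    size_t n = body ? strlen(body) : 0;
    str *doc;

    if (n == 0)
        return -1;                 /* empty PUT body: *out is left untouched */
    doc = malloc(sizeof(*doc));
    if (doc == NULL)
        return -1;
    doc->s = malloc(n + 1);
    if (doc->s == NULL) { free(doc); return -1; }
    memcpy(doc->s, body, n + 1);
    doc->len = (int)n;
    *out = doc;
    return 0;
}

/* Returns the document length, or -1 when there is nothing to process. */
int refresh_from_document(const char *body)
{
    str *pidf_doc = NULL;  /* without this, the cleanup below would test and
                              dereference an indeterminate stack value */
    int ret = -1;

    if (load_pidf(body, &pidf_doc) < 0)
        goto done;         /* early exit taken for the empty document */
    ret = pidf_doc->len;

done:
    if (pidf_doc) {        /* same shape as the quoted cleanup */
        if (pidf_doc->s)
            free(pidf_doc->s);
        free(pidf_doc);
    }
    return ret;
}

int main(void)
{
    /* Constructed inputs: an empty body must be rejected without a fault. */
    return (refresh_from_document("") == -1
            && refresh_from_document("<presence/>") == 11) ? 0 : 1;
}
```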
I pushed a commit to master branch, can you fetch latest git and try again?
---
Hello Daniel,
Looks like it is solved, not crashing anymore:
```
[...]
Dec 14 16:58:25 banshee1 kamailio-0[16952]: INFO: <script>: XHTTP: Validating user URI
Dec 14 16:58:25 banshee1 kamailio-0[16952]: INFO: <script>: XHTTP: User URI is valid
Dec 14 16:58:25 banshee1 kamailio-0[16952]: INFO: <script>: XHTTP: PUT sip:alice@example.org
Dec 14 16:58:25 banshee1 kamailio-0[16952]: ERROR: xcap_server [xcap_server.c:574]: w_xcaps_put(): invalid body parameter
[...]
```
Thank you
---
Closed #441.
---
Thanks for testing!