Hi all & hi Daniel,

We had a crash with version 4.0.5 today. It looks like it happens due to a race condition between a provisional response (183) and the generation of a 408.

We send the INVITE, get a `100 Trying` from upstream, then we get a `183 Session Progress` from upstream, then after exactly 1 minute, we get another `183 Session Progress` from upstream. At this moment Kamailio crashed.

Some tm params we have:

    modparam("tm", "fr_timer", 5000)
    modparam("tm", "fr_inv_timer", 60000)   <- our final reply timer is 1 minute.
    modparam("tm", "restart_fr_on_each_reply", 1)

GDB output and logs here:

In fake_req() from t_reply.c, the pointer shmem_msg->new_uri.s which is passed to memcpy becomes invalid.

    memcpy( faked_req->new_uri.s, shmem_msg->new_uri.s, faked_req->new_uri.len);

    (gdb) p shmem_msg->new_uri
    $3 = {s = 0x0, len = 0}

If this bug is not supposed to be fixed in 4.2.0, we can help with debugging.

Regards,
Dragos
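
The failure mode reported above, a `{s, len}` pair in shared memory that reads as `{0x0, 0}` by the time `memcpy` runs, can be guarded against by reading the pair once into a local copy and validating it before copying. This is an added C example, not code from the original message or from Kamailio; `str_t` and `str_dup_snapshot` are hypothetical names, and it assumes another process can reset the source between reads.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical type modelled on the {s, len} pair gdb printed; not Kamailio's. */
typedef struct { char *s; int len; } str_t;

/* Hypothetical helper: duplicate a string field that lives in shared memory
 * and that another process may reset to {NULL, 0} at any moment.
 * Returns 0 = copied, 1 = source empty, -1 = torn pair or out of memory.
 * The snapshot only prevents copying from a NULL or mismatched pointer; if
 * the writer can also free the buffer, the read must be done under a lock. */
int str_dup_snapshot(str_t *dst, const volatile str_t *shared)
{
    str_t snap;

    snap.s = shared->s;      /* read each field exactly once ...    */
    snap.len = shared->len;  /* ... and never look at *shared again */
    dst->s = NULL;
    dst->len = 0;

    if (snap.s == NULL && snap.len == 0)
        return 1;            /* nothing to copy, not an error */
    if (snap.s == NULL || snap.len <= 0)
        return -1;           /* pointer and length disagree: refuse */

    dst->s = malloc((size_t)snap.len + 1);
    if (dst->s == NULL)
        return -1;
    memcpy(dst->s, snap.s, (size_t)snap.len);  /* both from one snapshot */
    dst->s[snap.len] = '\0';
    dst->len = snap.len;
    return 0;
}

int main(void)
{
    char uri[] = "sip:alice@example.invalid";  /* constructed sample value */
    str_t live = { uri, (int)strlen(uri) };
    str_t reset = { NULL, 0 };                 /* the state seen in gdb */
    str_t out;

    printf("live : rc=%d\n", str_dup_snapshot(&out, &live));
    free(out.s);
    printf("reset: rc=%d\n", str_dup_snapshot(&out, &reset));
    return 0;
}
```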