Hello,
I applied a slightly different version of your patch -- I took it from 4.1
(where this issue was fixed in a combined commit), because it should make
life easier with future backports, as the patches should better match the
same piece of code between various branches.
Let me know if it works ok.
Cheers,
Daniel
On 27/02/14 14:49, Dragos Oancea wrote:
Hi
We think that we found and fixed a bug in the registrar module. The bug
is hard to reproduce, and it crashes our Kamailio from time to time
(once every 2-3 weeks for us).
In save.c, function update_contacts() there are two places where we
free() a pointer and then we reuse it, line 700 and line 730:
    while(ptr){
        ptr0 = ptr;
        if(ptr!=c)
            ul.delete_ucontact(_r, ptr);
        ptr=ptr0->next;
    }
And then from inside delete_ucontact(_r, ptr) we call
mem_delete_ucontact(_r, _c), which calls
free_ucontact(_c), which calls shm_free(_c). _c is actually our ptr.
If another process writes at the location pointed to by ptr during the
"while" loop, the current process will crash.
The bug affects 4.0.4, 4.0.5 and maybe older versions.
We keep the location table in memory, no database backend, and we do
a lot of REGISTER/un-REGISTER in our environment,
and maybe that's why this bug was not spotted by the community before.
Just to clarify, this fix is in relation with this post:
http://lists.sip-router.org/pipermail/sr-dev/2014-February/022934.html
Please take into consideration the attached patch provided by the
Libon Voice Team.
Regards,
Dragos Oancea
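
The traversal pattern discussed in this thread, as an added example that is neither the patch attached to the thread nor Kamailio code: the successor pointer is read before the node is handed to the delete routine, so freed memory is never dereferenced. The types and function names are hypothetical stand-ins for the usrloc structures.

```c
#include <stdlib.h>

/* Hypothetical stand-ins for the contact and record structures. */
struct contact { int id; struct contact *next; };
struct record  { struct contact *contacts; };

/* Stand-in for ul.delete_ucontact(): unlinks c from r and frees it.
 * After this returns, c must not be dereferenced. */
static void delete_contact(struct record *r, struct contact *c)
{
    struct contact **pp = &r->contacts;
    while (*pp && *pp != c)
        pp = &(*pp)->next;
    if (*pp)
        *pp = c->next;
    free(c);
}

/* Remove every contact except keep. The successor is read BEFORE the
 * delete call; the quoted loop read ptr0->next after the free.
 * Returns the number of contacts removed. */
int purge_except(struct record *r, struct contact *keep)
{
    int removed = 0;
    struct contact *ptr = r->contacts;
    while (ptr) {
        struct contact *next = ptr->next;  /* saved while ptr is valid */
        if (ptr != keep) {
            delete_contact(r, ptr);
            removed++;
        }
        ptr = next;
    }
    return removed;
}

/* Build a list with ids 1..n (constructed sample data). */
struct record make_record(int n)
{
    struct record r = { NULL };
    for (int i = n; i >= 1; i--) {
        struct contact *c = malloc(sizeof *c);
        if (!c) abort();
        c->id = i; c->next = r.contacts; r.contacts = c;
    }
    return r;
}
```

Building this with AddressSanitizer (`-fsanitize=address`) and swapping in the quoted loop's ordering makes the read of freed memory show up deterministically instead of once every few weeks.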