Hi
We think that we found and fixed a bug in the registrar module. The bug is hard to reproduce, and it crashes our Kamailio from time to time (once every 2-3 weeks for us).
In save.c, function update_contacts(), there are two places where we free() a pointer and then reuse it, at line 700 and line 730:
    while(ptr){
        ptr0 = ptr;
        if(ptr!=c)
            ul.delete_ucontact(_r, ptr);   /* frees ptr, and ptr0 aliases it */
        ptr=ptr0->next;                    /* reads from the freed memory */
    }
And then from inside delete_ucontact(_r, ptr) we call mem_delete_ucontact(_r, _c), which calls free_ucontact(_c), which calls shm_free(_c). _c is actually our ptr.
If another process writes at the location pointed to by ptr during the "while" loop, the current process will crash.
The bug affects 4.0.4, 4.0.5 and maybe older versions.
We keep the location table in memory, with no database backend, and we do a lot of REGISTER/un-REGISTER in our environment, and maybe that's why this bug was not spotted by the community before.
Just to clarify, this fix is in relation to this post:
Please take into consideration the attached patch provided by the Libon Voice Team.
Regards,
Dragos Oancea
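The list-walk use-after-free described in the post, reduced to a stand-alone C program. This is an added example and not Kamailio's code or the attached patch: Kamailio's ucontact records and shm_free() are replaced by a plain heap-allocated singly linked list, and every name here (contact, contact_delete, purge_others_buggy, purge_others_fixed, demo_keep_only) is hypothetical. The buggy function keeps the ordering from the post (the successor is read through an alias of the pointer that was just freed) and is included only for comparison; the fixed function saves the successor before releasing the node, which is the standard remedy for this pattern.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for Kamailio's ucontact record. */
typedef struct contact {
    int id;
    struct contact *next;
} contact;

/* Push a new contact at the head of the list; returns the new head. */
contact *contact_push(contact *head, int id) {
    contact *c = malloc(sizeof *c);
    if (!c) abort();
    c->id = id;
    c->next = head;
    return c;
}

/* Unlink c from the list and free it. Plays the role of
 * delete_ucontact() -> free_ucontact() -> shm_free(): after this call
 * c points at released memory and must not be dereferenced. */
void contact_delete(contact **head, contact *c) {
    for (contact **pp = head; *pp; pp = &(*pp)->next) {
        if (*pp == c) {
            *pp = c->next;
            free(c);
            return;
        }
    }
}

/* Ordering from the post: ptr0 aliases ptr, so once ptr is deleted the
 * read of ptr0->next touches freed memory. Kept for comparison only;
 * it is never called here because that read is undefined behaviour. */
void purge_others_buggy(contact **head, contact *keep) {
    contact *ptr = *head, *ptr0;
    while (ptr) {
        ptr0 = ptr;
        if (ptr != keep)
            contact_delete(head, ptr);
        ptr = ptr0->next;          /* use after free */
    }
}

/* Hardened ordering: read the successor while ptr is still valid,
 * then release the node, then advance using the saved value. */
void purge_others_fixed(contact **head, contact *keep) {
    contact *ptr = *head, *next;
    while (ptr) {
        next = ptr->next;          /* saved before any free() */
        if (ptr != keep)
            contact_delete(head, ptr);
        ptr = next;
    }
}

/* Build a list of n contacts (ids 0..n-1), keep only the one whose id is
 * keep_id using the fixed walk, and return how many contacts remain.
 * Returns -1 if the surviving head is not the node we asked to keep. */
int demo_keep_only(int n, int keep_id) {
    contact *head = NULL, *keep = NULL;
    for (int i = 0; i < n; i++) {
        head = contact_push(head, i);
        if (i == keep_id)
            keep = head;
    }

    purge_others_fixed(&head, keep);

    int ok = (head != NULL && head == keep && head->id == keep_id);
    int count = 0;
    for (contact *c = head; c; c = c->next)
        count++;

    while (head) {                 /* release whatever is left */
        contact *n2 = head->next;
        free(head);
        head = n2;
    }
    return ok ? count : -1;
}

int main(void) {
    /* Constructed input: five contacts, keep the one with id 2. */
    printf("contacts left after purge: %d\n", demo_keep_only(5, 2));
    return 0;
}
```

Building the buggy variant with AddressSanitizer and calling it on the same list reports a heap-use-after-free at the `ptr0->next` read, which is the deterministic way to surface a crash that otherwise depends on another process reusing the freed block.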