On 25 November 2010 17:38, marius zbihlei <marius.zbihlei(a)1and1.ro> wrote:
On 11/25/2010 07:32 PM, dotnetdub wrote:
Hi Marius,
I hope this is what you're after!
(gdb) add-symbol-file /lib/kamailio/modules/topoh.so
0xb7004000+0x00001d30
add symbol table from file "/lib/kamailio/modules/topoh.so" at
.text_addr = 0xb7005d30
(y or n) y
Reading symbols from /lib/kamailio/modules/topoh.so...done.
(gdb) x/s 0xb70070d9
0xb70070d9 <th_skip_msg+9>: <Address 0xb70070d9 out of bounds>
(gdb) info registers
Yes, I think it is.
Looking at the debug messages I see the CSeq is wrong.
But:
    int th_skip_msg(sip_msg_t *msg)
    {
        /* get_cseq(msg) is dereferenced without a NULL check */
        if((get_cseq(msg)->method_id)&(METHOD_REGISTER|METHOD_PUBLISH))
            return 1;
        return 0;
    }
As the CSeq is wrong, the get_cseq macro probably returns a NULL pointer
which gets dereferenced (BANG, the crash). Any other ideas?!
The patch is trivial (if(!get_cseq(msg)) parse_cseq(....)), something along
these lines. Daniel, what do you think?
Marius
Thanks Marius.
Glad that we were able to find the issue.
Are you able to test a patch if I provide one to you? I wanted to wait for
Daniel's opinion as I have no way of testing it. If you have a dump of the
attack traffic, or you can generate more with a bad CSeq (as in the message
log you provided), you can test the patch against your cfg and see if it
still crashes (hope not). In my opinion the crash should be deterministic.
You will find the trivial patch attached. If you can test it and it works, I
will push it upstream (also to the 3.0 branch). Keep in mind that other
problems might appear as well during the processing of the SIP messages. If a
core does appear, please retry the steps in the previous mail with the new
core and .so offset.
Apply the patch with the patch utility (copy it to modules/topoh and run
patch < patch). I await some feedback :)
Marius
Regards
Brian
Hi Marius,
Will apply tomorrow and recompile. I don't have a dump of the attack
traffic, but I'm sure it won't take long...
Thanks for your assistance.
Regards
Brian
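A minimal model of the NULL-check fix Marius describes, added here as an example; it is not Kamailio's topoh code. sip_msg_t, get_cseq_method(), parse_cseq() and the METHOD_* flags are simplified stand-ins for the real Kamailio types and macros, and the SIP message text is constructed.

```c
/* Added example (not Kamailio's code): a minimal model of the CSeq check
 * discussed in the thread. sip_msg_t, get_cseq_method(), parse_cseq() and
 * the METHOD_* flags are simplified stand-ins for the real Kamailio ones. */
#include <stdio.h>
#include <string.h>

#define METHOD_INVITE   (1 << 0)
#define METHOD_REGISTER (1 << 1)
#define METHOD_PUBLISH  (1 << 2)

typedef struct {
    const char *raw;     /* constructed raw SIP message text */
    int cseq_parsed;     /* 1 once parse_cseq() has succeeded */
    int cseq_method_id;  /* METHOD_* flag of the CSeq method, 0 if unknown */
} sip_msg_t;

/* Stand-in for the get_cseq() macro: NULL until the CSeq header is parsed.
 * Dereferencing this result without a check is the crash from the thread. */
static const int *get_cseq_method(sip_msg_t *msg)
{
    return msg->cseq_parsed ? &msg->cseq_method_id : NULL;
}

/* Parse "CSeq: <number> <METHOD>"; 0 on success, -1 if missing or malformed. */
static int parse_cseq(sip_msg_t *msg)
{
    const char *h = strstr(msg->raw, "CSeq:");
    unsigned long num;
    char method[16];
    if (h == NULL || sscanf(h + 5, " %lu %15s", &num, method) != 2)
        return -1;
    if (strcmp(method, "REGISTER") == 0) msg->cseq_method_id = METHOD_REGISTER;
    else if (strcmp(method, "PUBLISH") == 0) msg->cseq_method_id = METHOD_PUBLISH;
    else if (strcmp(method, "INVITE") == 0) msg->cseq_method_id = METHOD_INVITE;
    else msg->cseq_method_id = 0;  /* other/unknown method, still well-formed */
    msg->cseq_parsed = 1;
    return 0;
}

/* Hardened th_skip_msg(): parse on demand and never dereference a NULL CSeq.
 * Returns 1 to skip REGISTER/PUBLISH, 0 otherwise, -1 on a bad CSeq. */
int th_skip_msg(sip_msg_t *msg)
{
    const int *mid = get_cseq_method(msg);
    if (mid == NULL && parse_cseq(msg) < 0)
        return -1;  /* malformed or missing CSeq: refuse rather than crash */
    mid = get_cseq_method(msg);
    return (*mid & (METHOD_REGISTER | METHOD_PUBLISH)) ? 1 : 0;
}
```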