[sr-dev] [kamailio/kamailio] kamailio crashes on CANCEL due to empty reply_lumps (#872)

Victor Seva notifications at github.com
Wed Nov 30 16:50:31 CET 2016


```
#0  build_res_buf_from_sip_req (code=1576798744, code at entry=487, text=0x25, new_tag=0x7f186f74d2b0 <tm_tag>, msg=0x7f185dfbf9a0, 
    returned_len=0xb7, bmark=0x8548c03148244489) at msg_translator.c:2395
        lump = 0x0
        received_len = 0
        rport_len = 0
        warning_len = 0
        after_body = 0x0
        totags = 0x0
        __FUNCTION__ = "build_res_buf_from_sip_req"
#1  0x00007f186f4b17b2 in _reply (trans=0x7f185dfbc060, p_msg=0x7f185dfbf9a0, code=487, text=<optimized out>, lock=1) at t_reply.c:712
        len = 31474
        buf = <optimized out>
        dset = <optimized out>
        bm = {to_tag_val = {s = 0x7ffeab147e2c "", len = 0}}
        dset_len = 0
        reason = {s = 0x7f186f535472 "Request canceled", len = 16}
#2  0x00007f186f507e8b in e2e_cancel (cancel_msg=0x7f185dfc0a18, t_cancel=0x25, t_invite=0x7f185dfbc060) at t_fwd.c:1278
        cancel_bm = 0
        reason = 0x7f185dfbc060
        i = 1921036208
        tmcb = {req = 0x6f1ddb, rpl = 0x5e3437 <dns_srv_sip_resolvehost+279>, param = 0x2e, code = -1424720300, flags = 32766, 
          branch = 0, t_rbuf = 0x7f185dfb7b38, dst = 0x7f185dfb7a68, send_buf = {s = 0x7f1872477a18 "\001", len = 69206528}}
        __FUNCTION__ = "e2e_cancel"
#3  0x00007f186f50d2c2 in t_forward_nonack (t=0x7f185dfb7950, p_msg=0x7f187280afb0, proxy=0x0, proto=307) at t_fwd.c:1619
        current_uri = {s = 0x0, len = 1921036208}
        q = 32536
        t_invite = 0x7f185dfbc060
        success_branch = 0
        lock_replies = 1576779872
        dst_uri = {s = 0x0, len = 10482636}
        path = {s = 0x7f186f74d1f0 <tm_cfg> "\b\235\372]\030\177", len = 1869926896}
        instance = {s = 0x7f186f7624d0 <user_rt_t1_timeout_ms> "", len = 1866962556}
        ruid = {s = 0x7ffe00000007 <error: Cannot access memory at address 0x7ffe00000007>, len = 7282139}
        location_ua = {s = 0x6 <error: Cannot access memory at address 0x6>, len = -1424718544}
        si = 0xb65c050904200200
        backup_bflags = 0
        bflags = 0
        __FUNCTION__ = "t_forward_nonack"
#4  0x00007f186f50df6b in t_forward_cancel (p_msg=0x7f187280afb0, proxy=0x0, proto=0, tran=0x7ffeab148240) at t_fwd.c:1816
        t_invite = 0x0
        t = 0xb7
        ret = 1
        dst = {send_sock = 0x7f18702e80b6, to = {s = {sa_family = 6554, sa_data = "_s\030\177\000\000\000\000\000\000\000\000\000"}, 
            sin = {sin_family = 6554, sin_port = 29535, sin_addr = {s_addr = 32536}, sin_zero = "\000\000\000\000\000\000\000"}, 
            sin6 = {sin6_family = 6554, sin6_port = 29535, sin6_flowinfo = 32536, sin6_addr = {__in6_u = {
                  __u6_addr8 = "\000\000\000\000\000\000\000\000(\000\000\000\060\000\000", __u6_addr16 = {0, 0, 0, 0, 40, 0, 48, 0}, 
                  __u6_addr32 = {0, 0, 40, 48}}}, sin6_scope_id = 2870249136}}, id = 32766, proto = -63 '\301', send_flags = {
            f = 177 '\261', blst_imask = 112 'p'}}
        host = {s = 0xffffffffffffffff <error: Cannot access memory at address 0xffffffffffffffff>, len = 1}
        __FUNCTION__ = "t_forward_cancel"
#5  0x00007f186f4f117a in t_relay_to (p_msg=0x7f187280afb0, proxy=0x0, proto=0, replicate=0) at t_funcs.c:238
        ret = 1911489832
        t = 0x7f187370b1c8
        dst = {send_sock = 0x7f18735f199a <vfprintf+22490>, to = {s = {sa_family = 6554, 
              sa_data = "_s\030\177\000\000\377\377\377\377\377\377\377\377"}, sin = {sin_family = 6554, sin_port = 29535, sin_addr = {
                s_addr = 32536}, sin_zero = "\377\377\377\377\377\377\377\377"}, sin6 = {sin6_family = 6554, sin6_port = 29535, 
              sin6_flowinfo = 32536, sin6_addr = {__in6_u = {__u6_addr8 = "\377\377\377\377\377\377\377\377űps\030\177\000", 
                  __u6_addr16 = {65535, 65535, 65535, 65535, 45509, 29552, 32536, 0}, __u6_addr32 = {4294967295, 4294967295, 
                    1936765381, 32536}}}, sin6_scope_id = 2870248224}}, id = 32766, proto = 7 '\a', send_flags = {f = 0 '\000', 
            blst_imask = 0 '\000'}}
        host = {s = 0x7ffeab148350 " \210\024\253\376\177", len = 1935612314}
        __FUNCTION__ = "t_relay_to"
#6  0x0000000000446650 in do_action (h=0x7ffeab148960, a=0x7f1871ef0528, msg=0x7f187280afb0) at action.c:1060
        ret = -5
        v = 0
        dst = {send_sock = 0xc8, to = {s = {sa_family = 35200, sa_data = "\244", '\000' <repeats 12 times>}, sin = {
```
```
(gdb) p *msg->reply_lump
$2 = {text = {s = 0x7f185dfbb3c0 "P-Out-Socket: udp:127.0.0.1:5060\r\n", len = 34}, flags = 34, next = 0x7f185dfbb3e8}
(gdb) p *msg->reply_lump->next
$3 = {text = {s = 0x7f185dfbb408 "P-NGCP-Auth-IP: 127.0.2.1\r\n]\030\177", len = 27}, flags = 34, next = 0x7f185dfbb428}
(gdb) p *msg->reply_lump->next->next
$4 = {text = {s = 0x7f185dfbb448 "P-NGCP-Auth-UA: <null>\r\n\200\264\373]\030\177", len = 24}, flags = 34, next = 0x7f185dfbb460}
(gdb) p *msg->reply_lump->next->next->next
$5 = {text = {s = 0x7f185dfbb480 "P-Callee-Uuid: fe3366a8-8b5b-4ec9-81e4-ba5a4f8bd124\r\n", len = 53}, flags = 34, next = 0x0}
```


Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/872#issuecomment-263908731