Hi,<div>I'm using kamailio 1.5.4-notls and I'm experiencing crashes when a UAC sends an INVITE with a Content-Length greater than the effective body length.</div><div>The error message written in the logs is:</div>
<div><br></div><div>CRITICAL:core:del_lump: offset exceeds message size (1266 > 1161) aborting...</div><div><br></div><div>and this is the backtrace of the generated core file:</div><div><br></div><div><div>#0 0x00002ad718ab307b in raise () from /lib/libc.so.6</div>
<div>(gdb) bt</div><div>#0 0x00002ad718ab307b in raise () from /lib/libc.so.6</div><div>#1 0x00002ad718ab484e in abort () from /lib/libc.so.6</div><div>#2 0x0000000000418f53 in del_lump (msg=0x66de00, offset=1266, len=12, type=HDR_OTHER_T) at data_lump.c:292</div>
<div>#3 0x00002ad71a8145ba in alter_mediaip (msg=0x66de00, body=<value optimized out>, oldip=0x7fff81fe6700, oldpf=<value optimized out>, newip=0x7fff81fe66e0, newpf=2, preserve=0)</div><div> at nathelper.c:1857</div>
<div>#4 0x00002ad71a821a3a in force_rtp_proxy (msg=0x66de00, str1=<value optimized out>, str2=<value optimized out>, offer=<value optimized out>) at nathelper.c:2871</div><div>#5 0x00002ad71a8238df in rtpproxy_offer1_f (msg=0x66de00, str1=0x65f370 "cof", str2=<value optimized out>) at nathelper.c:2391</div>
<div>#6 0x000000000040cc5a in do_action (a=0x65f400, msg=0x66de00) at action.c:874</div><div>#7 0x000000000040f19f in run_action_list (a=<value optimized out>, msg=0x66de00) at action.c:145</div><div>#8 0x0000000000454155 in eval_expr (e=0x65f4d0, msg=0x66de00, val=0x0) at route.c:1171</div>
<div>#9 0x0000000000453bd7 in eval_expr (e=0x65f518, msg=0x66de00, val=0x0) at route.c:1488</div><div>#10 0x0000000000453b7f in eval_expr (e=0x65f560, msg=0x66de00, val=0x0) at route.c:1493</div><div>#11 0x000000000040c4c9 in do_action (a=0x65ffe8, msg=0x66de00) at action.c:729</div>
<div>#12 0x000000000040f19f in run_action_list (a=<value optimized out>, msg=0x66de00) at action.c:145</div><div>#13 0x000000000040dbc9 in do_action (a=0x660528, msg=0x66de00) at action.c:746</div><div>#14 0x000000000040f19f in run_action_list (a=<value optimized out>, msg=0x66de00) at action.c:145</div>
<div>#15 0x000000000040dbc9 in do_action (a=0x6606c8, msg=0x66de00) at action.c:746</div><div>#16 0x000000000040f19f in run_action_list (a=<value optimized out>, msg=0x66de00) at action.c:145</div><div>#17 0x000000000040dac5 in do_action (a=0x656790, msg=0x66de00) at action.c:120</div>
<div>#18 0x000000000040f19f in run_action_list (a=<value optimized out>, msg=0x66de00) at action.c:145</div><div>#19 0x000000000040dbc9 in do_action (a=0x656860, msg=0x66de00) at action.c:746</div><div>#20 0x000000000040f19f in run_action_list (a=<value optimized out>, msg=0x66de00) at action.c:145</div>
<div>#21 0x000000000040dac5 in do_action (a=0x6560b0, msg=0x66de00) at action.c:120</div><div>#22 0x000000000040f19f in run_action_list (a=<value optimized out>, msg=0x66de00) at action.c:145</div><div>#23 0x000000000040f4f3 in run_top_route (a=0x64b870, msg=0x66de00) at action.c:120</div>
<div>#24 0x0000000000444e90 in receive_msg (</div><div> buf=0x619a20 "INVITE sip:xxxxxxxx@xxxxxxxxxxxx SIP/2.0\r\nVia: SIP/2.0/UDP xxx.xxx.xxx.xxx:xxxx;branch=z9hG4bK-d8754z-24245342621eb55b-1---d8754z-;rport\r\nMax-Forwards: 69\r\nContact: <sip:xxxxxxxx@xxx.xxx.xxx.xxx"..., len=1161, rcv_info=0x7fff81fe86e0) at receive.c:175</div>
<div>#25 0x0000000000479254 in udp_rcv_loop () at udp_server.c:449</div><div>#26 0x0000000000427237 in main (argc=7, argv=0x7fff81fe88e8) at main.c:774</div><div><br></div><div>I couldn't manage to reproduce this behavior in my test environment (it has a newer version of glibc), where I only get these messages:</div>
<div><br></div><div><div>ERROR:core:anchor_lump: offset exceeds message size (1125 > 714)...</div><div>ERROR:nathelper:force_rtp_proxy: anchor_lump failed</div><div><br></div><div>Looking into the nathelper code, in the extract_body function, I found that the body->len value is taken from the Content-Length header, so I added the following piece of code:</div>
<div><br></div><div>--- nhelpr_funcs.c.orig 2010-09-02 14:04:09.891649254 +0200</div><div>+++ nhelpr_funcs.c 2010-09-02 14:17:40.183747107 +0200</div><div>@@ -196,6 +196,12 @@</div><div> LM_ERR("message body has length zero\n");</div>
<div> goto error;</div><div> }</div><div>+</div><div>+ if (body->len + body->s > msg->buf + msg->len) {</div><div>+ LM_ERR("content-length exceeds packet-length by %d\n",</div>
<div>+ (body->len + body->s) - (msg->buf + msg->len));</div><div>+ body->len=strlen(body->s);</div><div>+ }</div><div> </div><div> /* no need for parse_headers(msg, EOH), get_body will </div>
<div> * parse everything */ </div><div><br></div><div>This way, if the Content-Length header is greater than the effective body length, body->len is corrected with the real value. </div><div>This solves it for the moment, but I'm not sure whether this is a good approach, and I still don't understand why I cannot reproduce the crash on the test platform.</div>
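<div>Review bot: the recovery line at the end of the hunk, `body->len=strlen(body->s);`, derives the corrected length from NUL termination rather than from the bytes actually received, although the check just above it already knows where the packet ends; `body->len = (msg->buf + msg->len) - body->s;` gives the same result for a NUL-terminated buffer, cannot read past the buffer if it is not, and is not cut short by an embedded NUL in the body. Two smaller points in the same hunk: the `%d` in the LM_ERR call receives a pointer difference (ptrdiff_t, 64-bit judging by the addresses in the backtrace), so cast it to int or use `%ld`/`%td`; and since a Content-Length larger than the datagram is a malformed, possibly hostile, request, consider returning an error (`goto error`, as the zero-length case above does) instead of logging and silently clamping, so the message is dropped rather than processed with a guessed body length.</div>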
<div><br></div><div>Regards,</div><div><br></div><div>Federico Cabiddu</div></div></div>
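As an added example (not kamailio's code and not the patch in the message above), the check below shows the approach a reviewer would usually prefer for the problem described in the e-mail: compute the body bytes actually available from the received buffer (buf + len), parse the declared Content-Length, and compare the two, so that the header value is never used as a length without validation and nothing depends on strlen() or NUL termination. All function and type names are hypothetical, the SIP messages are constructed samples, and only the long "Content-Length" header form is handled (not the compact "l").

```c
/*
 * Added example (not kamailio code): validate a SIP Content-Length against
 * the number of bytes actually received before using it as a body length.
 * The message is handled as a plain (buf, len) pair straight from the socket;
 * the buffer is NOT assumed to be NUL-terminated. All names are hypothetical.
 * Only the long "Content-Length" header form is handled (not the compact "l").
 */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum body_status {
    BODY_OK = 0,            /* Content-Length fits in the bytes present */
    BODY_NO_HEADERS_END,    /* no CRLFCRLF: cannot locate the body */
    BODY_NO_CONTENT_LENGTH, /* header missing or not a valid number */
    BODY_TRUNCATED          /* Content-Length claims more than was received */
};

struct sip_body {
    const char *s;   /* first byte of the body inside buf */
    size_t declared; /* value of the Content-Length header */
    size_t actual;   /* bytes really present between body start and buf+len */
};

/* Case-insensitive comparison of n bytes; returns 1 when equal. */
static int ncaseeq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Find header `name` at the start of a line within buf[0..len) and return a
 * pointer to the first byte of its value, or NULL if absent. */
static const char *find_header(const char *buf, size_t len, const char *name)
{
    size_t nlen = strlen(name);
    for (size_t i = 0; i + nlen < len; i++) {
        if (i != 0 && buf[i - 1] != '\n')
            continue;                       /* headers start on a new line */
        if (!ncaseeq(buf + i, name, nlen))
            continue;
        size_t j = i + nlen;
        while (j < len && (buf[j] == ' ' || buf[j] == '\t')) j++;
        if (j < len && buf[j] == ':') {
            j++;
            while (j < len && (buf[j] == ' ' || buf[j] == '\t')) j++;
            return buf + j;
        }
    }
    return NULL;
}

/* Parse an unsigned decimal in [p, end); rejects empty input and overflow. */
static int parse_decimal(const char *p, const char *end, size_t *out)
{
    size_t v = 0, digits = 0;
    for (; p < end && isdigit((unsigned char)*p); p++, digits++) {
        if (v > (SIZE_MAX - 9) / 10)
            return -1;                      /* would overflow size_t */
        v = v * 10 + (size_t)(*p - '0');
    }
    if (digits == 0)
        return -1;
    *out = v;
    return 0;
}

/* Locate the body and compare the declared length with what was received.
 * out->actual is always derived from buf+len, never from the header. */
enum body_status extract_body(const char *buf, size_t len, struct sip_body *out)
{
    const char *hdr_end = NULL;
    for (size_t i = 0; i + 4 <= len; i++) {
        if (memcmp(buf + i, "\r\n\r\n", 4) == 0) {
            hdr_end = buf + i + 4;
            break;
        }
    }
    if (hdr_end == NULL)
        return BODY_NO_HEADERS_END;

    size_t hdr_len = (size_t)(hdr_end - buf);
    const char *cl = find_header(buf, hdr_len, "Content-Length");
    if (cl == NULL || parse_decimal(cl, hdr_end, &out->declared) != 0)
        return BODY_NO_CONTENT_LENGTH;

    out->s = hdr_end;
    out->actual = (size_t)((buf + len) - hdr_end);
    return out->declared > out->actual ? BODY_TRUNCATED : BODY_OK;
}

/* Constructed samples: the SDP body below is 49 bytes long. */
#define SAMPLE_HEAD \
    "INVITE sip:bob@example.com SIP/2.0\r\n" \
    "Via: SIP/2.0/UDP 192.0.2.1:5060;branch=z9hG4bK-1\r\n" \
    "Content-Type: application/sdp\r\n"
#define SAMPLE_BODY \
    "v=0\r\n" \
    "c=IN IP4 192.0.2.1\r\n" \
    "m=audio 4000 RTP/AVP 0\r\n"

const char SAMPLE_BAD[] = SAMPLE_HEAD "Content-Length: 200\r\n\r\n" SAMPLE_BODY;
const char SAMPLE_OK[]  = SAMPLE_HEAD "Content-Length: 49\r\n\r\n"  SAMPLE_BODY;

int main(void)
{
    const char *names[] = { "OK", "no CRLFCRLF", "no/invalid Content-Length", "TRUNCATED" };
    struct sip_body b = {0};
    enum body_status st = extract_body(SAMPLE_BAD, sizeof(SAMPLE_BAD) - 1, &b);
    printf("bad:  %s (declared %zu, received %zu)\n", names[st], b.declared, b.actual);
    st = extract_body(SAMPLE_OK, sizeof(SAMPLE_OK) - 1, &b);
    printf("good: %s (declared %zu, received %zu)\n", names[st], b.declared, b.actual);
    return 0;
}
```

A caller that wants the clamping behaviour of the patch can still use `b.actual` as the body length when `BODY_TRUNCATED` is returned, but the safer default for a proxy is to drop such a request, since the mismatch is either a broken client or a deliberately malformed message.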