Hi,<div>sorry I should have read better previous posts. I tried latest SVN branch and it works.</div><div>My modification (which in fact was inspired by nhelper_funcs.c of release 3.0.3) differs in that if the content-length is greater then the effective body length the latter is used. I recognize that this is not a good approach even if it worked for my customer (which by the way is using Bria 2.2, that sometimes sends incorrect content-length).</div>
<div> </div><div>Thanks,</div><div><br></div><div>Federico<br><br><div class="gmail_quote">2010/9/7 Daniel-Constantin Mierla <span dir="ltr"><<a href="mailto:miconda@gmail.com">miconda@gmail.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div text="#000000" bgcolor="#ffffff">
Hello,<br>
<br>
have you tried with latest SVN branch 1.5?<br>
<br>
The issue should have been solved by a commit couple of months ago:<br>
<a href="http://openser.svn.sourceforge.net/viewvc/openser/branches/1.5/modules/nathelper/nhelpr_funcs.c?r1=5884&r2=5995" target="_blank">http://openser.svn.sourceforge.net/viewvc/openser/branches/1.5/modules/nathelper/nhelpr_funcs.c?r1=5884&r2=5995</a><br>
<br>
If does not work with latest SVN, let us know.<br>
<br>
Thanks,<br>
Daniel<div><div></div><div class="h5"><br>
<br>
<br>
On 9/2/10 2:27 PM, federico cabiddu wrote:
</div></div><blockquote type="cite"><div><div></div><div class="h5">Hi,
<div>I'm using kamailio 1.5.4-notls and I'm experimenting crashes
when an UAC sends an INVITE with a content-length greater then
the effective body length.</div>
<div>The error messages written on the logs is:</div>
<div><br>
</div>
<div>CRITICAL:core:del_lump: offset exceeds message size (1266
> 1161) aborting...</div>
<div><br>
</div>
<div>and this is the backtrace of the generated core file:</div>
<div><br>
</div>
<div>
<div>#0 0x00002ad718ab307b in raise () from /lib/libc.so.6</div>
<div>(gdb) bt</div>
<div>#0 0x00002ad718ab307b in raise () from /lib/libc.so.6</div>
<div>#1 0x00002ad718ab484e in abort () from /lib/libc.so.6</div>
<div>#2 0x0000000000418f53 in del_lump (msg=0x66de00,
offset=1266, len=12, type=HDR_OTHER_T) at data_lump.c:292</div>
<div>#3 0x00002ad71a8145ba in alter_mediaip (msg=0x66de00,
body=<value optimized out>, oldip=0x7fff81fe6700,
oldpf=<value optimized out>, newip=0x7fff81fe66e0,
newpf=2, preserve=0)</div>
<div> at nathelper.c:1857</div>
<div>#4 0x00002ad71a821a3a in force_rtp_proxy (msg=0x66de00,
str1=<value optimized out>, str2=<value optimized
out>, offer=<value optimized out>) at
nathelper.c:2871</div>
<div>#5 0x00002ad71a8238df in rtpproxy_offer1_f (msg=0x66de00,
str1=0x65f370 "cof", str2=<value optimized out>) at
nathelper.c:2391</div>
<div>#6 0x000000000040cc5a in do_action (a=0x65f400,
msg=0x66de00) at action.c:874</div>
<div>#7 0x000000000040f19f in run_action_list (a=<value
optimized out>, msg=0x66de00) at action.c:145</div>
<div>#8 0x0000000000454155 in eval_expr (e=0x65f4d0,
msg=0x66de00, val=0x0) at route.c:1171</div>
<div>#9 0x0000000000453bd7 in eval_expr (e=0x65f518,
msg=0x66de00, val=0x0) at route.c:1488</div>
<div>#10 0x0000000000453b7f in eval_expr (e=0x65f560,
msg=0x66de00, val=0x0) at route.c:1493</div>
<div>#11 0x000000000040c4c9 in do_action (a=0x65ffe8,
msg=0x66de00) at action.c:729</div>
<div>#12 0x000000000040f19f in run_action_list (a=<value
optimized out>, msg=0x66de00) at action.c:145</div>
<div>#13 0x000000000040dbc9 in do_action (a=0x660528,
msg=0x66de00) at action.c:746</div>
<div>#14 0x000000000040f19f in run_action_list (a=<value
optimized out>, msg=0x66de00) at action.c:145</div>
<div>#15 0x000000000040dbc9 in do_action (a=0x6606c8,
msg=0x66de00) at action.c:746</div>
<div>#16 0x000000000040f19f in run_action_list (a=<value
optimized out>, msg=0x66de00) at action.c:145</div>
<div>#17 0x000000000040dac5 in do_action (a=0x656790,
msg=0x66de00) at action.c:120</div>
<div>#18 0x000000000040f19f in run_action_list (a=<value
optimized out>, msg=0x66de00) at action.c:145</div>
<div>#19 0x000000000040dbc9 in do_action (a=0x656860,
msg=0x66de00) at action.c:746</div>
<div>#20 0x000000000040f19f in run_action_list (a=<value
optimized out>, msg=0x66de00) at action.c:145</div>
<div>#21 0x000000000040dac5 in do_action (a=0x6560b0,
msg=0x66de00) at action.c:120</div>
<div>#22 0x000000000040f19f in run_action_list (a=<value
optimized out>, msg=0x66de00) at action.c:145</div>
<div>#23 0x000000000040f4f3 in run_top_route (a=0x64b870,
msg=0x66de00) at action.c:120</div>
<div>#24 0x0000000000444e90 in receive_msg (</div>
<div> buf=0x619a20 "INVITE <a>sip:xxxxxxxx@xxxxxxxxxxxx</a>
SIP/2.0\r\nVia: SIP/2.0/UDP
xxx.xxx.xxx.xxx:xxxx;branch=z9hG4bK-d8754z-24245342621eb55b-1---d8754z-;rport\r\nMax-Forwards:
69\r\nContact: <<a>sip:xxxxxxxx@xxx.xxx.xxx.xxx</a>"..., len=1161,
rcv_info=0x7fff81fe86e0) at receive.c:175</div>
<div>#25 0x0000000000479254 in udp_rcv_loop () at
udp_server.c:449</div>
<div>#26 0x0000000000427237 in main (argc=7,
argv=0x7fff81fe88e8) at main.c:774</div>
<div><br>
</div>
<div>I couldn't get to reproduce this behavior in my test
development (it has newer version of glibc) in which I only
get the messages:</div>
<div><br>
</div>
<div>
<div>ERROR:core:anchor_lump: offset exceeds message size (1125
> 714)...</div>
<div>ERROR:nathelper:force_rtp_proxy: anchor_lump failed</div>
<div><br>
</div>
<div>Looking into nathelper code, extract_body function I
found that the body->len value is taken from
Content-Length header, so i added the following piece of
code:</div>
<div><br>
</div>
<div>--- nhelpr_funcs.c.orig 2010-09-02 14:04:09.891649254
+0200</div>
<div>+++ nhelpr_funcs.c 2010-09-02 14:17:40.183747107
+0200</div>
<div>@@ -196,6 +196,12 @@</div>
<div> LM_ERR("message body has length zero\n");</div>
<div> goto error;</div>
<div> }</div>
<div>+</div>
<div>+ if (body->len + body->s > msg->buf +
msg->len) {</div>
<div>+ LM_ERR("content-length exceeds
packet-length by %d\n",</div>
<div>+ (body->len +
body->s) - (msg->buf + msg->len));</div>
<div>+ body->len=strlen(body->s);</div>
<div>+ }</div>
<div> </div>
<div> /* no need for parse_headers(msg, EOH), get_body
will </div>
<div> * parse everything */ </div>
<div><br>
</div>
<div>This way if the Content-Length header is greater then the
effective body length body->len is corrected with the
real value. </div>
<div>This solved for the moment, but I'm not sure if this is a
good approach and I still don't understand why in the test
platform I cannot reproduce the crash.</div>
<div><br>
</div>
<div>Regards,</div>
<div><br>
</div>
<div>Federico Cabiddu</div>
</div>
</div>
</div></div><pre><fieldset></fieldset>
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
<a href="mailto:sr-users@lists.sip-router.org" target="_blank">sr-users@lists.sip-router.org</a>
<a href="http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users" target="_blank">http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users</a>
</pre>
</blockquote>
<br>
<pre cols="72">--
Daniel-Constantin Mierla
<a href="http://www.asipto.com" target="_blank">http://www.asipto.com</a></pre>
</div>
</blockquote></div><br></div>