<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#ffffff" text="#000000">
    <br>
    <br>
    On 11/25/10 6:38 PM, marius zbihlei wrote:
    <blockquote cite="mid:4CEE9F07.20405@1and1.ro" type="cite">
      <meta content="text/html; charset=ISO-8859-1"
        http-equiv="Content-Type">
      On 11/25/2010 07:32 PM, dotnetdub wrote:
      <blockquote
        cite="mid:AANLkTi=SPOHbwuLZw+U0xmTETdL_WRoRs60Z4KiN7mTc@mail.gmail.com"
        type="cite">
        <div class="gmail_quote">
          <blockquote class="gmail_quote" style="border-left: 1px solid
            rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left:
            1ex;">
            <div text="#000000" bgcolor="#ffffff">
              <div class="im">
                <blockquote type="cite">
                  <div class="gmail_quote">
                    <blockquote class="gmail_quote" style="border-left:
                      1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt
                      0.8ex; padding-left: 1ex;">
                      <div text="#000000" bgcolor="#ffffff">Hi Marius,</div>
                    </blockquote>
                    <div><br>
                    </div>
                    <div>
<div>I hope this is what you're after!</div>
                    </div>
                    <div><br>
                    </div>
                    <div>
                      <div>(gdb) add-symbol-file
                        /lib/kamailio/modules/topoh.so
                        0xb7004000+0x00001d30</div>
                      <div>add symbol table from file
                        "/lib/kamailio/modules/topoh.so"
                        at</div>
<div><span style="white-space: pre-wrap;"> </span>.text_addr = 0xb7005d30</div>
                      <div>(y or n) y</div>
                      <div>Reading symbols from
                        /lib/kamailio/modules/topoh.so...done.</div>
                      <div>(gdb) x/s 0xb70070d9</div>
                      <div>0xb70070d9 &lt;th_skip_msg+9&gt;:<span
                          style="white-space: pre-wrap;"> </span>
                        &lt;Address 0xb70070d9 out of
                        bounds&gt;</div>
                      <div>(gdb) info registers <br>
                      </div>
                    </div>
                    <div><br>
                    </div>
                    <div>&nbsp;</div>
                  </div>
                </blockquote>
                <br>
              </div>
              Yes I think it is<br>
              <br>
              Looking at the debug messages I see the CSeq is wrong. <br>
              <br>
              But :<br>
              <br>
<pre>int th_skip_msg(sip_msg_t *msg)
{
        if((get_cseq(msg)-&gt;method_id)&amp;(METHOD_REGISTER|METHOD_PUBLISH))
                return 1;

        return 0;
}</pre>
              <br>
As the CSeq is wrong, the get_cseq macro probably returns a NULL
              pointer which gets dereferenced (BANG, the crash). Any other ideas?!
              <br>
              <br>
              The patch is trivial ( if(!get_cseq(msg))
              parse_cseq(....) ), something
              along this line. Daniel, what do you think?<br>
              <br>
              Marius<br>
              <br>
            </div>
          </blockquote>
          <div><br>
          </div>
          <div><br>
          </div>
          <div>Thanks Marius.</div>
          <div><br>
          </div>
          <div>Glad that we were able to find the issue.</div>
        </div>
      </blockquote>
      <br>
Are you able to test a patch if I provide one to you? I wanted to
      wait for Daniel's opinion as I have no way of testing it. If you have a
      dump of the attack traffic or you can generate more with bad CSeq (as
      from the message log you provided) you can test the patch against your
      cfg and see if it still crashes (hope not). In my opinion the crash
      should be deterministic. You will find the trivial patch attached. If you
      can test it and it works I will push it upstream (also to the 3.0
      branch).
      Keep in mind that other problems might appear as well during the
      processing of the SIP messages. If a core does appear please retry
      the steps in the previous mail with the new core and .so offset. <br>
      <br>
      Apply the patch with the patch utility (copy to modules/topoh
      and run patch &lt; patch). I await some feedback :)<br>
    </blockquote>
    The patch is ok, please go ahead and commit it.<br>
    <br>
Even if the cause for this case would be in some other place, the
    patch is still good and harmless for properly formatted SIP messages.<br>
    <br>
    Thanks,<br>
    Daniel<br>
    <pre class="moz-signature" cols="72">-- 
Daniel-Constantin Mierla
Kamailio (OpenSER) Advanced Training
Jan 24-26, 2011, Irvine, CA, USA
<a class="moz-txt-link-freetext" href="http://www.asipto.com">http://www.asipto.com</a></pre>
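<p>The crash discussed in this thread comes from th_skip_msg() dereferencing the result of get_cseq() without checking it, so a message whose CSeq header is missing or malformed turns into a NULL-pointer dereference. The following is an added example, not Kamailio's own code and not the attached patch: it uses simplified, hypothetical stand-ins for sip_msg_t, the cseq structure, the METHOD_* flags, get_cseq() and parse_cseq(), and assumes the policy that a message whose CSeq cannot be parsed is skipped rather than processed. The point it shows is the parse-on-demand check guarding the dereference, and that the guard must also cover the case where parsing itself fails.</p>

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical, simplified stand-ins for Kamailio's structures and
 * METHOD_* flags; values constructed for this example only. */
#define METHOD_UNKNOWN  0x00
#define METHOD_INVITE   0x01
#define METHOD_REGISTER 0x10
#define METHOD_PUBLISH  0x20

typedef struct {
    int method_id;        /* bitmask of the method named in the CSeq header */
} cseq_t;

typedef struct {
    const char *buf;      /* raw SIP message, CRLF-separated header lines */
    cseq_t cseq_storage;
    cseq_t *cseq;         /* NULL until the CSeq header has been parsed */
} sip_msg_t;

/* Stand-in for the get_cseq() macro: the parsed CSeq, or NULL. */
static cseq_t *get_cseq(sip_msg_t *msg) { return msg->cseq; }

/* Parse "CSeq: <number> <METHOD>". Returns 0 on success and -1 when the
 * header is absent or malformed; msg->cseq stays NULL on failure. */
static int parse_cseq(sip_msg_t *msg)
{
    const char *line = msg->buf;
    while (line && *line) {
        if (strncasecmp(line, "CSeq:", 5) == 0) {
            const char *p = line + 5;
            while (*p == ' ' || *p == '\t') p++;
            if (!isdigit((unsigned char)*p)) return -1;     /* no sequence number */
            while (isdigit((unsigned char)*p)) p++;
            while (*p == ' ' || *p == '\t') p++;
            const char *m = p;
            while (*p && *p != '\r' && *p != '\n' && *p != ' ') p++;
            size_t n = (size_t)(p - m);
            if (n == 0) return -1;                            /* method missing */
            if (n == 8 && strncmp(m, "REGISTER", 8) == 0)
                msg->cseq_storage.method_id = METHOD_REGISTER;
            else if (n == 7 && strncmp(m, "PUBLISH", 7) == 0)
                msg->cseq_storage.method_id = METHOD_PUBLISH;
            else if (n == 6 && strncmp(m, "INVITE", 6) == 0)
                msg->cseq_storage.method_id = METHOD_INVITE;
            else
                msg->cseq_storage.method_id = METHOD_UNKNOWN;
            msg->cseq = &msg->cseq_storage;
            return 0;
        }
        line = strstr(line, "\r\n");
        if (line) line += 2;
    }
    return -1;  /* no CSeq header at all */
}

/* Guarded th_skip_msg(): parse on demand, and if the CSeq still cannot be
 * obtained, skip the message (assumed policy) instead of dereferencing NULL. */
int th_skip_msg(sip_msg_t *msg)
{
    if (get_cseq(msg) == NULL && parse_cseq(msg) < 0)
        return 1;
    if ((get_cseq(msg)->method_id) & (METHOD_REGISTER | METHOD_PUBLISH))
        return 1;
    return 0;
}

/* Helper: run th_skip_msg() over a raw buffer with the CSeq not yet parsed. */
int th_skip_raw(const char *buf)
{
    sip_msg_t msg;
    memset(&msg, 0, sizeof(msg));
    msg.buf = buf;
    return th_skip_msg(&msg);
}

int main(void)
{
    /* Constructed sample messages: well-formed, then malformed/missing CSeq. */
    printf("INVITE   -> skip=%d\n", th_skip_raw("INVITE sip:a@b SIP/2.0\r\nCSeq: 1 INVITE\r\n\r\n"));
    printf("REGISTER -> skip=%d\n", th_skip_raw("REGISTER sip:b SIP/2.0\r\nCSeq: 2 REGISTER\r\n\r\n"));
    printf("bad CSeq -> skip=%d\n", th_skip_raw("INVITE sip:a@b SIP/2.0\r\nCSeq: garbage\r\n\r\n"));
    printf("no CSeq  -> skip=%d\n", th_skip_raw("INVITE sip:a@b SIP/2.0\r\nVia: SIP/2.0/UDP h\r\n\r\n"));
    return 0;
}
```

<p>The two-part condition in th_skip_msg() is the part worth copying: checking get_cseq() alone would still crash when parse_cseq() fails, because the pointer remains NULL afterwards, so the guard has to cover both the unparsed and the unparseable case.</p>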
  </body>
</html>