<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#ffffff">
On 11/25/2010 07:32 PM, dotnetdub wrote:
<blockquote
cite="mid:AANLkTi=SPOHbwuLZw+U0xmTETdL_WRoRs60Z4KiN7mTc@mail.gmail.com"
type="cite">
<div class="gmail_quote">
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div text="#000000" bgcolor="#ffffff">
<div class="im">
<blockquote type="cite">
<div class="gmail_quote">
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div text="#000000" bgcolor="#ffffff">Hi Marius,</div>
</blockquote>
<div><br>
</div>
<div>
<div>I hope this is what your after!</div>
</div>
<div><br>
</div>
<div>
<div>(gdb) add-symbol-file /lib/kamailio/modules/topoh.so
0xb7004000+0x00001d30</div>
<div>add symbol table from file "/lib/kamailio/modules/topoh.so"
at</div>
<div><span style="white-space: pre-wrap;"> </span>.text_addr
= 0xb7005d30</div>
<div>(y or n) y</div>
<div>Reading symbols from /lib/kamailio/modules/topoh.so...done.</div>
<div>(gdb) x/s 0xb70070d9</div>
<div>0xb70070d9 <th_skip_msg+9>:<span
style="white-space: pre-wrap;"> </span> <Address 0xb70070d9 out of
bounds></div>
<div>(gdb) info registers <br>
</div>
</div>
<div><br>
</div>
<div> </div>
</div>
</blockquote>
<br>
</div>
Yes I think it is<br>
<br>
Looking at the debug messages I see the CSeq is wrong. <br>
<br>
But :<br>
<br>
int th_skip_msg(sip_msg_t *msg)<br>
{<br>
if((get_cseq(msg)->method_id)&(METHOD_REGISTER|METHOD_PUBLISH))<br>
return 1;<br>
<br>
return 0;<br>
}<br>
<br>
As the cseq is wrong the get_cseq macro probably returns a NULL Pointer
who gets dereferenced (BANG the crash). Any other Ideas ?! <br>
<br>
The patch is trivial ( if(!get_cseq(msg))) parse_cseq(....) ) something
in this line. Daniel, What do you think ?<br>
<br>
Marius<br>
<br>
</div>
</blockquote>
<div><br>
</div>
<div><br>
</div>
<div>Thanks Marius.</div>
<div><br>
</div>
<div>Glad that we were able to find the issue.</div>
</div>
</blockquote>
<br>
Are you able to test a patch if a provide one to you? I wanted to wait
for Daniel's opinion as I have no way of testing it. If you have a dump
of the attack traffic or you can generate more with bad CSEQ (as from
the message log you provided) you can test the patch against your cfg
and see if it still crashes(hope not). In my opinion the crash should
be deterministic. You will find the trivial patch attached. If you can
test it and it works I will push it to upstream (also to 3.0 branch).
Keep in mind that other probles might appear as well during the
processing of the SIP messages. If a core does appear please retry the
steps in the previous mail with the new core and .so offset. <br>
<br>
Apply the patch with the patch utility (copy to the modules/topoh and
run patch < patch) . I await some feedback :)<br>
<br>
Marius<br>
<blockquote
cite="mid:AANLkTi=SPOHbwuLZw+U0xmTETdL_WRoRs60Z4KiN7mTc@mail.gmail.com"
type="cite">
<div class="gmail_quote">
<div><br>
</div>
<div>Regards</div>
<div>Brian </div>
</div>
<br>
</blockquote>
<br>
</body>
</html>