stefan-mititelu-idt created an issue (kamailio/kamailio#4347)
### Description
Crash due to NULL transaction uac.
### Troubleshooting
#### Reproduction
Not easily reproducible.
#### Debugging Data
```
(gdb) bt full
#0 0x00007f275ff3e0ee in final_response_handler (t=0x7f26fdfa4100,
r_buf=0x7f26fdfa43e0) at timer.c:425
branch_ret = <optimized out>
backup_xd = {uri_avps_from = 0x7f26ebbc8b50, uri_avps_to = 0x686beb5f,
user_avps_from = 0x3fff, user_avps_to = 0x3fff, domain_avps_from =
0x7f26ea2cbb70,
domain_avps_to = 0x7f275ffccfba <ht_timer+282>, xavps_list = 0x0,
xavus_list = 0x1, xavis_list = 0x5639abb1792f}
silent = 0
prev_branch = <optimized out>
now = <optimized out>
silent = <optimized out>
branch_ret = <optimized out>
prev_branch = <optimized out>
now = <optimized out>
backup_xd = {uri_avps_from = <optimized out>, uri_avps_to = <optimized
out>, user_avps_from = <optimized out>, user_avps_to = <optimized out>,
domain_avps_from = <optimized out>, domain_avps_to = <optimized out>,
xavps_list = <optimized out>, xavus_list = <optimized out>, xavis_list =
<optimized out>}
__func__ = "final_response_handler"
__llevel = <optimized out>
__kld = {v_facility = <optimized out>, v_level = <optimized out>,
v_lname = <optimized out>, v_fname = <optimized out>, v_fline = <optimized
out>, v_mname = <optimized out>,
v_func = <optimized out>, v_locinfo = <optimized out>, v_pid =
<optimized out>, v_pidx = <optimized out>}
#1 retr_buf_handler (ticks=<optimized out>, tl=tl@entry=0x7f26fdfa4400,
p=<optimized out>) at timer.c:526
rbuf = 0x7f26fdfa43e0
fr_remainder = <optimized out>
retr_remainder = <optimized out>
retr_interval = <optimized out>
new_retr_interval_ms = <optimized out>
crt_retr_interval_ms = <optimized out>
t = 0x7f26fdfa4100
disabled = <optimized out>
__func__ = "retr_buf_handler"
#2 0x00005639ab98e598 in slow_timer_main () at core/timer.c:1103
n = <optimized out>
ret = <optimized out>
tl = 0x7f26fdfa4400
i = <optimized out>
__func__ = "slow_timer_main"
#3 0x00005639ab761424 in main_loop () at main.c:1916
i = <optimized out>
pid = <optimized out>
si = 0x0
si_desc = "udp receiver child=31
sock=x.x.x.x:5099\000\000\000\000\000\310\326\345\307\377\177\000\000\261U\221\253\071V",
'\000' <repeats 18 times>,
"\002\000\000\000\000\000\000\000^\031Wh'\177\000\000\002\000\000\000\000\000\000\000\000\303G?#\026\372\"Thu
Jul \003\000\000\000\000\000\000"
nrprocs = <optimized out>
woneinit = 1
__func__ = "main_loop"
error = <optimized out>
#4 0x00005639ab755ff2 in main (argc=<optimized out>, argv=<optimized out>) at
main.c:3257
cfg_stream = <optimized out>
c = <optimized out>
r = <optimized out>
tmp = 0x7fffc7e5ee85 ""
--Type <RET> for more, q to quit, c to continue without paging--
tmp_len = 0
port = 5060
proto = 0
aproto = 0
ahost = 0x0
aport = 0
options = 0x5639abaddd30
":f:cm:M:dVIhEeb:B:l:L:n:vKrRDTN:W:w:t:u:g:P:G:SQ:O:a:A:x:X:Y:"
ret = -1
seed = 1951581600
rfd = <optimized out>
debug_save = <optimized out>
debug_flag = <optimized out>
dont_fork_cnt = <optimized out>
n_lst = <optimized out>
p = <optimized out>
st = {st_dev = 22, st_ino = 868, st_nlink = 2, st_mode = 16888, st_uid
= 109, st_gid = 115, __pad0 = 0, st_rdev = 0, st_size = 40, st_blksize = 4096,
st_blocks = 0,
st_atim = {tv_sec = 1751526583, tv_nsec = 9910026}, st_mtim = {tv_sec
= 1751526582, tv_nsec = 829908667}, st_ctim = {tv_sec = 1751526583, tv_nsec =
953917156},
__glibc_reserved = {0, 0, 0}}
l1 = <optimized out>
tbuf =
"\000\000\000\000\000\000\000\000\030b\376\307\377\177\000\000\000\000\000\000
", '\000' <repeats 27 times>,
"\001\000\000\000\000\000\000\000\366u\256\003\001", '\000' <repeats 67 times>,
"\060\367lh'\177\000\000\004\000\000\024\000\000\000\000@\301mh'\177", '\000'
<repeats 138 times>,
"\020\000\000\000\000\000\000\000\000\325\345\307\377\177\000\000\020\000\000\000\377\177\000\000\020\325\345\307\377\177\000\000\330\324\345\307\377\177\000\000x1\210h'\177\000\000\300\t\000\000\300\t\000\000x1\210h'\177\000\000\300\t\000\000\300\t\000\000L&\207h'\177\000\000\300\t\000\000\300\t\000\000L&\207h'\177\000\000\300\t\000\000\300\t\000\000\300\t\000\000\300\t\000\000\377\377\377\377\000\000\000\000\020\377\204h'\177\000\000H\000\000\000\000\000\000\000\312\334mh'\177\000\000`
\210hd\000\000\000\000\303G?#\026\372\"\377\377\377\377\000\000\000\000j\373lh'\177\000\000\000\000\000\000\000\000\000\000@\000\000\000\000\000\000\000\000\000\200\000\000\000\000\000\377\377\377\377\377\377\377\377\377\265\360\000\000\000\000\000\302\000\000\000\000\000\000"
option_index = 12
long_options = {{name = 0x5639abadc333 "help", has_arg = 0, flag = 0x0,
val = 104}, {name = 0x5639abae5a8e "version", has_arg = 0, flag = 0x0, val =
118}, {
name = 0x5639abaf58d1 "alias", has_arg = 1, flag = 0x0, val =
1024}, {name = 0x5639abadc338 "subst", has_arg = 1, flag = 0x0, val = 1025}, {
name = 0x5639abadc33e "substdef", has_arg = 1, flag = 0x0, val =
1026}, {name = 0x5639abadc347 "substdefs", has_arg = 1, flag = 0x0, val =
1027}, {
name = 0x5639abadc351 "server-id", has_arg = 1, flag = 0x0, val =
1028}, {name = 0x5639abadc35b "loadmodule", has_arg = 1, flag = 0x0, val =
1029}, {
name = 0x5639abadc366 "modparam", has_arg = 1, flag = 0x0, val =
1030}, {name = 0x5639abadc36f "log-engine", has_arg = 1, flag = 0x0, val =
1031}, {
name = 0x5639abae5bab "debug", has_arg = 1, flag = 0x0, val =
1032}, {name = 0x5639abadc37a "cfg-print", has_arg = 0, flag = 0x0, val =
1033}, {
name = 0x5639abadc384 "atexit", has_arg = 1, flag = 0x0, val =
1034}, {name = 0x5639abadc38b "all-errors", has_arg = 0, flag = 0x0, val =
1035}, {name = 0x0, has_arg = 0,
flag = 0x0, val = 0}}
__func__ = "main"
```
Some more debugging data:
```
(gdb) frame 0
#0 0x00007f275ff3e0ee in final_response_handler (t=0x7f26fdfa4100,
r_buf=0x7f26fdfa43e0) at timer.c:425
425 timer.c: No such file or directory.
(gdb) p *t
$1 = {next_c = 0x0, prev_c = 0x0, hash_index = 0, label = 0, flags = 0,
nr_of_outgoings = 0, fcount = 0, ref_count = {val = 0}, from_hdr = {s = 0x0,
len = 0}, callid_hdr = {s = 0x0,
len = 0}, cseq_hdr_n = {s = 0x0, len = 0}, to_hdr = {s = 0x0, len = 0},
callid_val = {s = 0x0, len = 0}, cseq_num = {s = 0x0, len = 0}, cseq_met = {s =
0x0, len = 0}, method = {
s = 0x0, len = 0}, tmcb_hl = {first = 0x0, reg_types = 0}, wait_timer =
{next = 0x0, prev = 0x0, expire = 0, initial_timeout = 0, data = 0x0, f = 0x0,
flags = 0, slow_idx = 0},
wait_start = 0, uas = {request = 0x0, end_request = 0x0, response = {rbtype =
0, flags = 0, t_active = 0, branch = 0, buffer_len = 0, buffer = 0x0, my_T =
0x0, timer = {next = 0x0,
prev = 0x0, expire = 0, initial_timeout = 0, data = 0x0, f = 0x0, flags
= 0, slow_idx = 0}, dst = {send_sock = 0x0, to = {s = {sa_family = 0,
sa_data = '\000' <repeats 13 times>}, sin = {sin_family = 0,
sin_port = 0, sin_addr = {s_addr = 0}, sin_zero =
"\000\000\000\000\000\000\000"}, sin6 = {sin6_family = 0,
sin6_port = 0, sin6_flowinfo = 0, sin6_addr = {__in6_u =
{__u6_addr8 = '\000' <repeats 15 times>, __u6_addr16 = {0, 0, 0, 0, 0, 0, 0,
0}, __u6_addr32 = {0, 0, 0, 0}}},
sin6_scope_id = 0}, sas = {ss_family = 0, __ss_padding = '\000'
<repeats 117 times>, __ss_align = 0}}, id = 0, send_flags = {f = 0, blst_imask
= 0}, proto = 0 '\000',
proto_pad0 = 0 '\000', proto_pad1 = 0}, retr_expire = 0, fr_expire =
0}, local_totag = {s = 0x0, len = 0}, cancel_reas = 0x0, status = 0}, uac =
0x0, async_backup = {
backup_route = 0, backup_branch = 0, blind_uac = 0, ruri_new = 0},
fwded_totags = 0x0, uri_avps_from = 0x0, uri_avps_to = 0x0, user_avps_from =
0x0, user_avps_to = 0x0,
domain_avps_from = 0x0, domain_avps_to = 0x0, xavps_list = 0x0, xavus_list =
0x0, xavis_list = 0x0, reply_mutex = {val = 1}, reply_locker_pid = {val =
3247},
reply_rec_lock_level = 0, fr_timeout = 0, fr_inv_timeout = 0,
rt_t1_timeout_ms = 0, rt_t2_timeout_ms = 0, end_of_life = 0,
relayed_reply_branch = 0, on_failure = 0,
on_branch_failure = 0, on_reply = 0, on_branch = 0, on_branch_delayed = 0,
md5 = 0x7f26fdfa43ac ""}
(gdb) p t->uac
$2 = (struct ua_client *) 0x0
(gdb) p t->uas
$3 = {request = 0x0, end_request = 0x0, response = {rbtype = 0, flags = 0,
t_active = 0, branch = 0, buffer_len = 0, buffer = 0x0, my_T = 0x0, timer =
{next = 0x0, prev = 0x0,
expire = 0, initial_timeout = 0, data = 0x0, f = 0x0, flags = 0, slow_idx
= 0}, dst = {send_sock = 0x0, to = {s = {sa_family = 0, sa_data = '\000'
<repeats 13 times>}, sin = {
sin_family = 0, sin_port = 0, sin_addr = {s_addr = 0}, sin_zero =
"\000\000\000\000\000\000\000"}, sin6 = {sin6_family = 0, sin6_port = 0,
sin6_flowinfo = 0, sin6_addr = {
__in6_u = {__u6_addr8 = '\000' <repeats 15 times>, __u6_addr16 =
{0, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {0, 0, 0, 0}}}, sin6_scope_id = 0}, sas
= {ss_family = 0,
__ss_padding = '\000' <repeats 117 times>, __ss_align = 0}}, id = 0,
send_flags = {f = 0, blst_imask = 0}, proto = 0 '\000', proto_pad0 = 0 '\000',
proto_pad1 = 0},
retr_expire = 0, fr_expire = 0}, local_totag = {s = 0x0, len = 0},
cancel_reas = 0x0, status = 0}
(gdb) p *ticks
$10 = 916663044
```
```
(gdb) frame 1
#1 retr_buf_handler (ticks=<optimized out>, tl=tl@entry=0x7f26fdfa4400,
p=<optimized out>) at timer.c:526
526 in timer.c
(gdb) p *(struct retr_buf *)((char *)(tl)-((size_t)((char *)&((struct
retr_buf*)(0))->timer - (char *)0)))
$6 = {rbtype = 0, flags = 20, t_active = 0, branch = 0, buffer_len = 0, buffer
= 0x0, my_T = 0x7f26fdfa4100, timer = {next = 0x0, prev = 0x0, expire =
916663043,
initial_timeout = 80, data = 0xfffffffe, f = 0x7f275ff3de30
<retr_buf_handler>, flags = 768, slow_idx = 21546}, dst = {send_sock = 0x0, to
= {s = {sa_family = 0,
sa_data = '\000' <repeats 13 times>}, sin = {sin_family = 0, sin_port =
0, sin_addr = {s_addr = 0}, sin_zero = "\000\000\000\000\000\000\000"}, sin6 =
{sin6_family = 0,
sin6_port = 0, sin6_flowinfo = 0, sin6_addr = {__in6_u = {__u6_addr8 =
'\000' <repeats 15 times>, __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32
= {0, 0, 0, 0}}},
sin6_scope_id = 0}, sas = {ss_family = 0, __ss_padding = '\000'
<repeats 117 times>, __ss_align = 0}}, id = 0, send_flags = {f = 0, blst_imask
= 0}, proto = 0 '\000',
proto_pad0 = 0 '\000', proto_pad1 = 0}, retr_expire = 916662962, fr_expire
= 916663043}
```
#### Log Messages
```
Jul 7 15:44:41 ip-x-x-x-x systemd-coredump[743101]: Process 3247 (kamailio) of
user 109 dumped core.#012#012Stack trace of thread 3247:#012#0
0x00007f275ff3e0ee final_response_handler (tm.so + 0xb80ee)#012#1
0x00005639ab98e598 slow_timer_main (kamailio + 0x267598)#012#2
0x00005639ab761424 main_loop (kamailio + 0x3a424)#012#3 0x00005639ab755ff2
main (kamailio + 0x2eff2)#012#4 0x00007f2768518d7a __libc_start_main
(libc.so.6 + 0x23d7a)#012#5 0x00005639ab756b4a _start (kamailio + 0x2fb4a)
Jul 7 15:44:36 ip-x-x-x-x kernel: [376540.642138] kamailio[3247]: segfault at
260 ip 00007f275ff3e0ee sp 00007fffc7e5cef0 error 4 in tm.so[7f275fe94000+d8000]
```
### Possible Solutions
Add a NULL check for transaction uac in tm final_response_handler().
### Additional Information
* **Kamailio Version** - output of `kamailio -v`
```
5.8.5
```
* **Operating System**:
```
Debian 11
```
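A sketch of the guard proposed under "Possible Solutions", added here as an example; it is not Kamailio's tm code and not from the issue author. The structs are a simplified model: `uac`, `nr_of_outgoings`, `my_T` and `branch` are field names visible in the gdb output above, while `last_status` and the `model_*`/`FR_*` names are hypothetical. Because the dump shows `nr_of_outgoings = 0` alongside `uac = 0x0`, the model also bounds-checks the branch index.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model, NOT the real tm structures. */
struct model_ua_client { int last_status; /* hypothetical per-branch field */ };
struct model_cell {
    int nr_of_outgoings;            /* number of valid entries in uac[] */
    struct model_ua_client *uac;    /* NULL in the reported core dump */
};
struct model_retr_buf { int branch; struct model_cell *my_T; };

enum { FR_HANDLED = 0, FR_SKIPPED = -1 };

/* A branch is usable only if the array exists and the index is in range. */
static int branch_is_valid(const struct model_cell *t, int branch)
{
    return t != NULL && t->uac != NULL
        && branch >= 0 && branch < t->nr_of_outgoings;
}

/* Timer-side handler: validate before indexing t->uac[branch]. */
int guarded_final_response(const struct model_retr_buf *r_buf, int *status_out)
{
    if (r_buf == NULL || !branch_is_valid(r_buf->my_T, r_buf->branch))
        return FR_SKIPPED;          /* caller should log and drop the timer */
    *status_out = r_buf->my_T->uac[r_buf->branch].last_status;
    return FR_HANDLED;
}

/* Helper for the demo: run the handler for one transaction/branch pair. */
int run_case(struct model_cell *t, int branch, int *status_out)
{
    struct model_retr_buf rb = { branch, t };
    return guarded_final_response(&rb, status_out);
}

int main(void)
{
    struct model_cell zeroed;       /* constructed: mirrors the all-zero *t */
    struct model_ua_client client = { 408 };
    struct model_cell live = { 1, &client };
    int status = 0;

    memset(&zeroed, 0, sizeof zeroed);
    printf("zeroed cell:   %d\n", run_case(&zeroed, 0, &status));
    printf("live branch 0: %d (status %d)\n", run_case(&live, 0, &status), status);
    printf("live branch 3: %d\n", run_case(&live, 3, &status));
    return 0;
}
```

A guard of this kind stops the dereference; it does not explain why a timer fired for a transaction whose fields are all zero in the dump.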