zenichev created an issue (kamailio/kamailio#4520)
### Description
Segfault while kamailio calls the pua_dialoginfo module's callback:
`run_dlg_callbacks()` -> `refresh_pubruri_avps()` (pua_dialoginfo) ->
`search_first_avp()` -> `search_avp()` -> `match_by_name()` (crash while
searching).
Looks like a typical iterator invalidation while going through the linked list
of session AVPs.
Call scenario:
- INVITE which is branched towards three different locations
- 180 ringing replies coming from each of the call branches (almost at the same
time)
- each 180 ringing is processed by a separate child process
- pua_dialoginfo's callback is active
pua_dialoginfo configuration:
```
loadmodule "pua_dialoginfo.so"
modparam("pua_dialoginfo", "use_uuid", 1)
modparam("pua_dialoginfo", "send_publish_flag", FLB_PRESENCE)
modparam("pua_dialoginfo", "disable_caller_publish_flag", FLB_PRESENCE_CALLER)
modparam("pua_dialoginfo", "disable_callee_publish_flag", FLB_PRESENCE_CALLEE)
modparam("pua_dialoginfo", "refresh_pubruri_avps_flag", FLB_PRESENCE_REFRESH)
modparam("pua_dialoginfo", "local_identity_dlg_var", "local_identity")
modparam("pua_dialoginfo", "use_pubruri_avps", 1)
modparam("pua_dialoginfo", "pubruri_caller_avp", "$avp(s:puburis_caller)")
modparam("pua_dialoginfo", "pubruri_callee_avp", "$avp(s:puburis_callee)")
modparam("pua_dialoginfo", "pubruri_caller_dlg_var", "pubruri_caller")
modparam("pua_dialoginfo", "pubruri_callee_dlg_var", "pubruri_callee")
```
Part of the BT trace (it's quite big, so I took only the most important part of
it):
```
#0 match_by_name (name=<optimized out>, id=<optimized out>, avp=<optimized
out>) at core/usr_avp.c:515
515 core/usr_avp.c: No such file or directory.
(gdb) set print elements unlimited
(gdb) set print pretty on
(gdb) set print repeats 0
(gdb) set print null-stop off
(gdb) bt full
#0 match_by_name (name=<optimized out>, id=<optimized out>, avp=<optimized
out>) at core/usr_avp.c:515
avp_name = <optimized out>
avp_name = <optimized out>
#1 search_next_avp (s=s@entry=0x7ffe45ddbc90, val=val@entry=0x7ffe45ddbc80) at
core/usr_avp.c:516
matched = <optimized out>
avp = <optimized out>
list = <optimized out>
__func__ = "search_next_avp"
#2 0x000055debd8c6913 in search_avp (ident=..., val=0x7ffe45ddbc80,
state=0x7ffe45ddbc90) at core/usr_avp.c:482
ret = <optimized out>
st = {
flags = 273,
id = 53,
name = {
n = 139704944406125,
s = {
s = 0x7f0f9795ae6d "sca_to)",
len = 6
},
re = 0x7f0f9795ae6d
},
avp = 0x7f0e916fc4d0
}
list = <optimized out>
__func__ = "search_avp"
#3 0x000055debd8c6e10 in search_first_avp (flags=1, name=..., val=<optimized
out>, s=<optimized out>) at core/usr_avp.c:430
id = {
flags = 1,
name = {
n = 139704913431447,
s = {
s = 0x7f0f95bd0b97 "puburis_caller)",
len = 14
},
re = 0x7f0f95bd0b97
},
index = 0
}
#4 0x00007f0e90137314 in ?? () from
/usr/lib/x86_64-linux-gnu/kamailio/modules/pua_dialoginfo.so
No symbol table info available.
#5 0x00007f0e90137970 in refresh_pubruri_avps () from
/usr/lib/x86_64-linux-gnu/kamailio/modules/pua_dialoginfo.so
No symbol table info available.
#6 0x00007f0e901385e6 in ?? () from
/usr/lib/x86_64-linux-gnu/kamailio/modules/pua_dialoginfo.so
No symbol table info available.
#7 0x00007f0f92302b2f in run_dlg_callbacks (type=type@entry=256,
dlg=dlg@entry=0x7f0e91150500, req=req@entry=0x7f0e91a79090,
rpl=rpl@entry=0x7f0f98e2c620, dir=dir@entry=2, dlg_data=dlg_data@entry=0x0)
at ./src/modules/dialog/dlg_cb.c:269
cb = 0x7f0e9172e050
__func__ = "run_dlg_callbacks"
#8 0x00007f0f9232907c in dlg_onreply (t=0x7f0e907edac0, type=1048576,
param=0x7ffe45ddc220) at ./src/modules/dialog/dlg_handlers.c:510
dlg = 0x7f0e91150500
iuid = <optimized out>
new_state = 2
old_state = 2
unref = 0
event = 2
tag = {
s = 0x341 <error: Cannot access memory at address 0x341>,
len = 16
}
req = 0x7f0e91a79090
rpl = 0x7f0f98e2c620
__func__ = "dlg_onreply"
```
FYI: the processing starts with `reply_received()` -> `relay_reply()` ->
`run_trans_callbacks_with_buf()` -> `run_trans_callbacks_internal()` ->
`run_dlg_callbacks()` (the rest you see in the copy-paste of the bt trace
above).
### Troubleshooting
Configure the pua_dialoginfo module similarly to the modparams mentioned above.
Call scenario:
- INVITE which gets forked (branched) into three legs
- 180 ringing comes from each of the call legs
P.S.: hardly reproducible, quite sporadic
### Kamailio version
```
version: kamailio 5.8.6 (x86_64/linux)
flags: USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE,
USE_MCAST, NO_SIG_DEBUG, DNS_IP_HACK, SHM_MMAP, PKG_MALLOC, MEM_JOIN_FREE,
Q_MALLOC, F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX,
FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR,
USE_DST_BLOCKLIST, HAVE_RESOLV_RES, TLS_PTHREAD_MUTEX_SHARED
ADAPTIVE_WAIT_LOOPS 1024, MAX_RECV_BUFFER_SIZE 262144, MAX_SEND_BUFFER_SIZE
262144, MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
id: unknown
compiled with gcc 12.2.0
```
```
lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 12 (bookworm)
Release: 12
Codename: bookworm
```
---
P.S.: any workaround you can suggest? Like always setting
`$avp(s:puburis_caller)` to `$null` when the process begins the kamailio script
execution (entry route), at least for requests (so not for replies)?
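Added illustration of the bug class named in the report, iterator invalidation on a linked list of AVPs: this is not Kamailio code and not a proposed fix for this issue. The types `avp_t`, `avp_list_t`, `avp_search_t` and every function here are hypothetical stand-ins for the real `search_first_avp()`/`search_next_avp()` pair, the AVP names are taken from the backtrace above, and the list reset happens in a single process (the report involves separate child processes, which this model does not reproduce). The mitigation shown is a list "generation" counter that the iteration state records and re-checks on every step, so a search whose list was modified in between stops instead of dereferencing a freed node.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical AVP node, list and iteration state (not Kamailio's). */
typedef struct avp {
    char name[32];
    int value;
    struct avp *next;
} avp_t;

typedef struct avp_list {
    avp_t *head;
    unsigned generation;   /* bumped on every add or reset */
} avp_list_t;

/* Caller-owned iteration state, kept between search_first/search_next calls. */
typedef struct avp_search {
    const char *name;
    avp_t *cursor;         /* node returned by the previous call */
    unsigned generation;   /* list generation observed when the search began */
} avp_search_t;

void avp_list_init(avp_list_t *l) { l->head = NULL; l->generation = 0; }

avp_t *avp_add(avp_list_t *l, const char *name, int value) {
    avp_t *a = calloc(1, sizeof *a);
    if (a == NULL) return NULL;
    strncpy(a->name, name, sizeof a->name - 1);
    a->value = value;
    a->next = l->head;
    l->head = a;
    l->generation++;
    return a;
}

/* Free every node. Saving `next` before free() covers the in-loop case; the
 * generation bump covers searches that are still in flight elsewhere. */
void avp_list_reset(avp_list_t *l) {
    avp_t *a = l->head;
    while (a != NULL) {
        avp_t *next = a->next;
        free(a);
        a = next;
    }
    l->head = NULL;
    l->generation++;
}

static avp_t *match_by_name(avp_t *a, const char *name) {
    for (; a != NULL; a = a->next)
        if (strcmp(a->name, name) == 0) return a;
    return NULL;
}

avp_t *search_first_avp(avp_list_t *l, const char *name, avp_search_t *st) {
    st->name = name;
    st->generation = l->generation;
    st->cursor = match_by_name(l->head, name);
    return st->cursor;
}

/* Continues the search, or returns NULL without touching the stale cursor
 * when the list changed since search_first_avp(); the caller must restart. */
avp_t *search_next_avp(avp_list_t *l, avp_search_t *st) {
    if (st->cursor == NULL) return NULL;
    if (st->generation != l->generation) {
        fprintf(stderr, "search_next_avp: list modified during iteration\n");
        st->cursor = NULL;
        return NULL;
    }
    st->cursor = match_by_name(st->cursor->next, st->name);
    return st->cursor;
}

/* Scenario 1: undisturbed walk over a constructed list; returns the number of
 * "puburis_caller" entries found. */
int scenario_count_matches(void) {
    avp_list_t l;
    avp_search_t st;
    int n = 0;
    avp_list_init(&l);
    avp_add(&l, "puburis_caller", 1);
    avp_add(&l, "sca_to", 2);
    avp_add(&l, "puburis_caller", 3);
    for (avp_t *a = search_first_avp(&l, "puburis_caller", &st); a != NULL;
         a = search_next_avp(&l, &st))
        n++;
    avp_list_reset(&l);
    return n;
}

/* Scenario 2: the list is reset between two steps of one search. Returns 1 if
 * the stale iteration was detected and stopped instead of walking freed memory. */
int scenario_reset_detected(void) {
    avp_list_t l;
    avp_search_t st;
    int found_first, stopped;
    avp_list_init(&l);
    avp_add(&l, "puburis_caller", 1);
    avp_add(&l, "puburis_caller", 2);
    found_first = (search_first_avp(&l, "puburis_caller", &st) != NULL);
    avp_list_reset(&l);                 /* invalidates st.cursor */
    stopped = (search_next_avp(&l, &st) == NULL && st.cursor == NULL);
    return found_first && stopped;
}

int main(void) {
    printf("matches: %d\n", scenario_count_matches());
    printf("stale iteration detected: %d\n", scenario_reset_detected());
    return 0;
}
```

The generation check only catches modifications made through the same list header; it does not replace locking when several processes share the list, but it turns a silent read of freed memory into a logged, restartable condition, which is usually what you want first when hunting a sporadic crash like this one.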
https://github.com/kamailio/kamailio/issues/4520