Hi,

We think that we found and fixed a bug in the registrar module. The bug is hard to reproduce, and it crashes our Kamailio from time to time (once every 2-3 weeks for us).

In save.c, function update_contacts(), there are two places where we free() a pointer and then reuse it, at line 700 and line 730:

    while(ptr){
        ptr0 = ptr;
        if(ptr!=c)
            ul.delete_ucontact(_r, ptr);
        ptr=ptr0->next;
    }

Then, from inside delete_ucontact(_r, ptr), we call mem_delete_ucontact(_r, _c), which calls free_ucontact(_c), which calls shm_free(_c). _c is actually our ptr. If another process writes at the location pointed to by ptr during the "while" loop, the current process will crash.

The bug affects 4.0.4, 4.0.5 and maybe older versions. We keep the location table in memory, no database backend, and we do a lot of REGISTER/un-REGISTER in our environment, and maybe that's why this bug was not spotted by the community before.

Just to clarify, this fix is in relation to this post: http://lists.sip-router.org/pipermail/sr-dev/2014-February/022934.html

Please take into consideration the attached patch provided by the Libon Voice Team.

Regards,
Dragos Oancea
--- save.orig.c 2013-12-20 17:42:46.000000000 +0100 +++ save.c 2014-02-27 12:51:00.000000000 +0100 @@ -696,9 +696,9 @@ while(ptr) { ptr0 = ptr; - if(ptr!=c) - ul.delete_ucontact(_r, ptr); ptr=ptr0->next; + if(ptr0!=c) + ul.delete_ucontact(_r, ptr0); } updated=1; } @@ -726,9 +726,9 @@ while(ptr) { ptr0 = ptr; - if(ptr!=c) - ul.delete_ucontact(_r, ptr); ptr=ptr0->next; + if(ptr0!=c) + ul.delete_ucontact(_r, ptr0); } updated=1; }
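Review bot: The reordering in the first hunk (update_contacts, around line 696) is the right fix: `ptr=ptr0->next;` now runs before `ul.delete_ucontact(_r, ptr0);`, so the contact is no longer dereferenced after delete_ucontact has released it through mem_delete_ucontact/free_ucontact/shm_free, and changing both the condition and the argument from ptr to ptr0 is required because ptr has already advanced to the successor at that point. Worth adding a one-line comment above the `ptr=ptr0->next;` read saying that the successor must be saved before the delete, since nothing in the hunk stops the two statements being swapped back in a later cleanup.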
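Review bot: The second hunk (around line 726) is a byte-for-byte copy of the first, which is how the same use-after-free came to exist in two places; consider factoring this while loop into a small static helper taking `_r` and `c` so both call sites share one correct implementation and cannot diverge again. Otherwise the change is correct for the same reason as in the first hunk: the successor is read before `ul.delete_ucontact(_r, ptr0);` frees the node.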
_______________________________________________ SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
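To make the ordering problem concrete, here is an added example (not code from the Kamailio project or from this post) that simulates shm_free() with a poison write and shows the original loop order reading a freed node while the patched order walks the whole list; ucontact_t, fake_shm_free(), build_list() and the node pool are constructed for the example and stand in for the registrar's real structures.

```c
#include <stddef.h>

/* Stand-in for a Kamailio ucontact record (constructed for this example). */
typedef struct ucontact { int id; struct ucontact *next; } ucontact_t;

/* Simulated shm_free(): overwrite the block, as another Kamailio process
 * reusing it would, so a read of freed memory becomes detectable instead
 * of silent undefined behaviour. freed_count records how many were released. */
static ucontact_t poison_node;
#define POISON (&poison_node)
static int freed_count;
static void fake_shm_free(ucontact_t *c) { c->id = -1; c->next = POISON; freed_count++; }

/* Fixed pool of contacts so no heap is needed; build_list() resets state. */
static ucontact_t pool[8];
static ucontact_t *build_list(int n) {
    freed_count = 0;
    for (int i = 0; i < n; i++) { pool[i].id = i; pool[i].next = (i + 1 < n) ? &pool[i + 1] : NULL; }
    return &pool[0];
}

/* Loop order from save.c before the patch: release the node, then read
 * ptr0->next from it. Returns -1 as soon as that read touches freed memory,
 * otherwise the number of contacts released. */
static int purge_original(ucontact_t *head, ucontact_t *keep) {
    ucontact_t *ptr = head, *ptr0;
    while (ptr) {
        ptr0 = ptr;
        if (ptr != keep) fake_shm_free(ptr);
        if (ptr0->next == POISON) return -1;  /* use-after-free: ptr0 == ptr, just freed */
        ptr = ptr0->next;
    }
    return freed_count;
}

/* Loop order from the patch: read the successor first, then release the
 * node, so nothing is dereferenced after shm_free(). */
static int purge_patched(ucontact_t *head, ucontact_t *keep) {
    ucontact_t *ptr = head, *ptr0;
    while (ptr) {
        ptr0 = ptr;
        ptr = ptr0->next;
        if (ptr0 != keep) fake_shm_free(ptr0);
    }
    return freed_count;
}
```

With a four-contact list and the third contact as the one to keep, purge_original() stops at -1 on the very first node, while purge_patched() releases the other three and leaves the kept contact intact.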