Bugs item #3182319, was opened at 2011-02-15 09:51
Message generated for change (Comment added) made by denodaeus
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=1086410&aid=3182319&group_id=232389

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: modules
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Robert Smith (denodaeus)
Assigned to: Nobody/Anonymous (nobody)
Summary: segfault in codecs.c post 7589 patch

Initial Comment:
It seems like we're still segfaulting in codecs.c, although in a slightly 
different place, but still involving codec_delete_except_re:

We're currently seeing some crashing around the same area of code even after 
applying the patch fix from trunk (7589 patch):

#0  0x00002b5a5bbfa0f6 in stream_process (msg=0x7a2f38, str1=0x0, str2=0x0, re=0x7994e8, op=1, desc=3) at codecs.c:524
524                                     temp = payload->rtp_enc.s[payload->rtp_enc.len];
(gdb) list
519                             match = 0;
520     
521                             if( description == DESC_REGEXP ||description == DESC_REGEXP_COMPLEMENT )
522                             {
523                                     /* try to match a regexp */
524                                     temp = payload->rtp_enc.s[payload->rtp_enc.len];
525                                     payload->rtp_enc.s[payload->rtp_enc.len] = 0;
526                                     match = regexec( re, payload->rtp_enc.s, 1, &pmatch, 0) == 0;
527                                     payload->rtp_enc.s[payload->rtp_enc.len] = temp;
528                             }
(gdb) info locals
payload = 0x79d030
lmp = 0x7a6c58
depl = <value optimized out>
match = 8022576
cur = 0x1 <Address 0x1 out of bounds>
buff = 0x7a0e98 "pstn=500"
temp = -88 '\250'
ret = 0
i = <value optimized out>
pmatch = {rm_so = 5, rm_eo = 0}
__FUNCTION__ = "stream_process"


#0  0x00002b5a5bbfa0f6 in stream_process (msg=0x7a2f38, str1=0x0, str2=0x0, re=0x7994e8, op=1, desc=3) at codecs.c:524
        payload = 0x79d030
        lmp = 0x7a6c58
        depl = <value optimized out>
        match = 8022576
        cur = 0x1 <Address 0x1 out of bounds>
        buff = 0x7a0e98 "pstn=500"
        temp = -88 '\250'
        ret = 0
        i = <value optimized out>
        pmatch = {rm_so = 5, rm_eo = 0}
        __FUNCTION__ = "stream_process"
#1  do_for_all_streams (msg=0x7a2f38, str1=0x0, str2=0x0, re=0x7994e8, op=1, desc=3) at codecs.c:408
        cur_cell = 0x7a6a30
        cur_session = 0x79b7f0
        rez = <value optimized out>
        __FUNCTION__ = "do_for_all_streams"
#2  0x00002b5a5bbfa785 in codec_delete_except_re (msg=0x0, str1=0x7a6a30 "") at codecs.c:748
No locals.
#3  0x000000000040e978 in do_action (a=0x799828, msg=0x7a2f38) at action.c:1045
        val_s = {s = 0x6a <Address 0x6a out of bounds>, len = 331625791}
        aux = {s = 0x521b8f "", len = 5381007}
        ret = <value optimized out>
        v = <value optimized out>
        to = <value optimized out>
        p = <value optimized out>
        tmp = <value optimized out>
        new_uri = <value optimized out>
        end = <value optimized out>
        crt = <value optimized out>
        len = <value optimized out>

(gdb) print payload
$4 = (sdp_payload_attr_t *) 0x79d030
(gdb) print *payload
$5 = {next = 0x79a9e8, payload_num = 1, rtp_payload = {s = 0x7592d8 "8 18 101\r\na=rtpmap:0 PCMU/8000\r\na=rtpmap:8 P\r\na=nortpproxy:yes\r\n", len = 1}, rtp_enc = {s = 0x759303 "P\r\na=nortpproxy:yes\r\n", len = -7705347}, 
  rtp_clock = {s = 0x1 <Address 0x1 out of bounds>, len = 7705347}, rtp_params = {s = 0x0, len = 0}, sendrecv_mode = {s = 0x0, len = 0}, ptime = {s = 0x0, len = 0}, fmtp_string = {s = 0x0, len = 0}}
(gdb) print *payload->rtp_enc
Structure has no component named operator*.
(gdb) print payload->rtp_enc
$6 = {s = 0x759303 "P\r\na=nortpproxy:yes\r\n", len = -7705347}
(gdb) print payload->rtp_enc.s
$7 = 0x759303 "P\r\na=nortpproxy:yes\r\n"
(gdb) print payload->rtp_enc.s
$8 = 0x759303 "P\r\na=nortpproxy:yes\r\n"
(gdb) print rtp_enc.len
No symbol "rtp_enc" in current context.
(gdb) print payload->rtp_enc
$9 = {s = 0x759303 "P\r\na=nortpproxy:yes\r\n", len = -7705347}
(gdb) print payload->rtp_enc.len
$10 = -7705347
(gdb) 


I will comment that part of the SDP is truncated (the a=rtpmap P ends without 
MCA and clock), and it looks like the nortpproxy:yes string is appended after 
that with a crlf:

(gdb) print val_s.s
$12 = 0x759004 "[email protected]\r\nCSeq: 32621 
INVITE\r\nFrom: \"WASHINGTON   DC\" 
<sip:[email protected]>;tag=3383745851297549218022\r\nTo: 
<sip:[email protected]>\r\nVia: SIP/2.0/UDP 
4.2.2.3;branch=z9hG4bKf86.d04be483.0\r\nVia: SIP/2.0/UDP 
10.2.1.43:5060;branch=z9hG4bK1735452086568519500666701297549218024\r\nMax-Forwards:
 68\r\nContact: \"Foo\" 
<sip:[email protected]:5060>;transport=udp\r\nContent-Type: 
application/sdp\r\nAllow: INVITE, OPTIONS, BYE, CANCEL, ACK, REFER, NOTIFY, 
INFO, PRACK\r\nUser-Agent: Foo/6.2.0.30\r\nContent-Length: 
207\r\n\r\nv=0\r\no=Foo 1297549218020 1297549218020 IN IP4 10.2.1.43\r\ns=SIP 
Media Capabilities\r\nc=IN IP4 4.2.2.1\r\nt=0 0\r\nm=audio 25560 RTP/AVP 0 8 18 
101\r\na=rtpmap:0 PCMU/8000\r\na=rtpmap:8 P\r\na=nortpproxy:yes\r\n"

----------------------------------------------------------------------

>Comment By: Robert Smith (denodaeus)
Date: 2011-02-15 15:13

Message:
I have a SIPP that can reproduce this 100% of the time, if calling the
codec_delete_except_re for (PCMU|PCMA|telephone-event).  Will attach the
file.

----------------------------------------------------------------------
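
Added example, not OpenSIPS code and not part of the original report. The gdb values above (rtp_enc.s = 0x759303, which is 7705347 in decimal, rtp_enc.len = -7705347, rtp_clock.s = 0x1) are consistent with a '/' search that returned NULL being used in pointer arithmetic on the truncated "a=rtpmap:8 P" line; that reading is an inference from the dump. The sketch shows a line-bounded parse that rejects such a line and a guard for the s[len] access seen at codecs.c:524; str_t, line_end, parse_rtpmap_value and str_is_sane are hypothetical names.

```c
#include <stddef.h>
#include <string.h>

/* Counted string shaped like the {s, len} pairs in the gdb output (assumed layout). */
typedef struct { const char *s; int len; } str_t;

/* End of the current SDP line: first CR or LF, or the end of the buffer. */
static const char *line_end(const char *p, const char *end)
{
    while (p < end && *p != '\r' && *p != '\n')
        p++;
    return p;
}

/* Parse the value of one "a=rtpmap:" line, e.g. "0 PCMU/8000", found in [p, end).
 * Every search is bounded by that line. Returns 0 on success, -1 if truncated. */
int parse_rtpmap_value(const char *p, const char *end, str_t *enc, str_t *clock)
{
    const char *eol = line_end(p, end);
    const char *sp, *slash, *slash2;

    enc->s = clock->s = NULL;
    enc->len = clock->len = 0;
    sp = memchr(p, ' ', (size_t)(eol - p));            /* after the payload number */
    if (sp == NULL || sp + 1 >= eol)
        return -1;
    slash = memchr(sp + 1, '/', (size_t)(eol - (sp + 1)));
    if (slash == NULL || slash == sp + 1 || slash + 1 >= eol)
        return -1;                                     /* "8 P": no "/<clock>" part */
    slash2 = memchr(slash + 1, '/', (size_t)(eol - (slash + 1)));
    enc->s = sp + 1;
    enc->len = (int)(slash - (sp + 1));
    clock->s = slash + 1;
    clock->len = (int)((slash2 ? slash2 : eol) - (slash + 1));
    return 0;
}

/* Guard to run before reading or writing v->s[v->len] inside buf[0..buf_len). */
int str_is_sane(const str_t *v, const char *buf, size_t buf_len)
{
    return v->s != NULL && v->len > 0 &&
           v->s >= buf && (size_t)(v->s - buf) + (size_t)v->len < buf_len;
}

int main(void)
{
    static const char bad[] = "8 P\r\na=nortpproxy:yes\r\n"; /* constructed from the SDP tail above */
    str_t enc, clock;
    return parse_rtpmap_value(bad, bad + sizeof(bad) - 1, &enc, &clock) == -1 ? 0 : 1;
}
```
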
