[OpenSIPS-Devel] [opensips] [1.11] Crash on TCP read (#813)

Mon, 29 Feb 2016 04:11:05 -0800 

I found a crashed OpenSIPS process with the following backtrace:

~~~~
(gdb) bt
#0  tcp_read_req (con=con@entry=0xa773e948, 
bytes_read=bytes_read@entry=0xbfb3b8cc) at tcp_read.c:711
#1  0x080e08a2 in handle_io (fm=0x99015c8, idx=idx@entry=-1, 
event_type=event_type@entry=1) at tcp_read.c:1036
#2  0x080e271c in io_wait_loop_epoll (repeat=<optimized out>, h=<optimized 
out>, t=<optimized out>)
    at io_wait.h:867
#3  tcp_receive_loop (unix_sock=72) at tcp_read.c:1144
#4  0x080dc690 in tcp_init_children (chd_rank=chd_rank@entry=0x81e362c, 
startup_done=startup_done@entry=0x0)
    at tcp_main.c:2378
#5  0x0805db02 in main_loop () at main.c:1011
#6  main (argc=11, argv=0xbfb3bbf4) at main.c:1612
~~~~

I inspected the code and found a path which leads to the problem. If the code 
entered [this 
if](https://github.com/OpenSIPS/opensips/blob/1.11/tcp_read.c#L704) `req` 
points to freed memory, so 
[this](https://github.com/OpenSIPS/opensips/blob/1.11/tcp_read.c#L711) causes 
the crash.

I think we need to jump to `end_req` right after freeing the request, but I'm 
not that familiar with the code to provide a patch.

Something does look a bit strange to me: if `size` was 0 (which is the case), 
then 
[this](https://github.com/OpenSIPS/opensips/blob/1.11/tcp_read.c#L678-L695) 
code path was followed, which means `release_tcpconn` was called. But when 
`tcp_read_req` returns (if it does so with an error) [this 
code](https://github.com/OpenSIPS/opensips/blob/1.11/tcp_read.c#L1036-L1045) 
will call `release_tcpconn` again.

As a side note, `release_tcpconn` shoudl probably set the `fd` attribute on the 
connection to -1 after closing it 
[here](https://github.com/OpenSIPS/opensips/blob/1.11/tcp_read.c#L451).

Unfortunately I cannot reproduce the issue, it's the first time I've seen it, 
and we've been running 1.11 in production on sip2sip.info for quite a while, 
always with async TCP enabled.

---
Reply to this email directly or view it on GitHub:
https://github.com/OpenSIPS/opensips/issues/813
_______________________________________________
Devel mailing list
Devel@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/devel

Reply via email to