Hi everyone,

```
version: kamailio 4.4.0-dev7 (i386/linux) c73b9c-dirty
flags: STATS: Off, EXTRA_DEBUG, USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, 
USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MEM, SHM_MMAP, 
PKG_MALLOC, Q_MALLOC, F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX, 
FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, 
USE_DST_BLACKLIST, HAVE_RESOLV_RES
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, 
MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select
id: c73b9c -dirty
compiled on 10:17:41 Dec 14 2015 with gcc 4.9.3
```

A call of "pres_refresh_watchers" on a malformed (empty) PIDF document makes 
Kamailio crash. Steps to reproduce:

1. Send a PUT of an empty PIDF document on 
/xcap-root/pidf-manipulation/users/sip:alice@example.org/index

2. Then try to process it with pres_refresh_watchers("$var(uri)", "presence", 2, 
"$xcapuri(u=>uri_adoc)", "$xcapuri(u=>file)")

3. Kamailio crashes with the following messages in the logs:

```
Dec 14 11:10:41 kamailio-0[9460]: INFO: <script>: XHTTP: request [HTTP/1.1] PUT 
=> /xcap-root/pidf-manipulation/users/sip:alice@example.org/index
Dec 14 11:10:41 kamailio-0[9460]: INFO: <script>: XHTTP: Accessing XCAP root
Dec 14 11:10:41 kamailio-0[9460]: INFO: <script>: XHTTP: Parsed XCAP URI : 
{data : /xcap-root/pidf-manipulation/users/sip:alice@example.org/index, uri : 
/xcap-root/pidf-manipulation/users/sip:alice@example.org/index, auid : 
pidf-manipulation, root : /xcap-root/, type : 16, xuid : sip:alice@example.org, 
file : index, node : <null>, target : <null>, domain : 
/xcap-root/pidf-manipulation/users/sip:alice@example.org/index, uri_adoc : 
/xcap-root/pidf-manipulation/users/sip:alice@example.org/index}
Dec 14 11:10:41 kamailio-0[9460]: INFO: <script>: XHTTP: Validating user URI
Dec 14 11:10:41 kamailio-0[9460]: INFO: <script>: XHTTP: User URI is valid
Dec 14 11:10:41 kamailio-0[9460]: INFO: <script>: XHTTP: PUT 
sip:alice@example.org
Dec 14 11:10:41 kamailio-0[9460]: ERROR: xcap_server [xcap_server.c:574]: 
w_xcaps_put(): invalid body parameter
Dec 14 11:10:41 kamailio-0[9460]: ERROR: presence [presentity.c:844]: 
update_presentity(): No E_Tag match index
Dec 14 11:10:41 kamailio-0[9365]: ALERT: <core> [main.c:738]: handle_sigs(): 
child process 9460 exited by a signal 11
Dec 14 11:10:41 kamailio-0[9365]: ALERT: <core> [main.c:741]: handle_sigs(): 
core was generated
```

We got an error with "invalid body parameter", which is good, but this won't 
prevent Kamailio from continuing and crashing.

Here is a config code snippet:

```
[...]
xcaps_put("$var(uri)", "$hu", "$rb");
pres_refresh_watchers("$var(uri)", "presence", 2, "$xcapuri(u=>uri_adoc)", 
"$xcapuri(u=>file)");
[...]
```

Maybe the "xcaps_put" return value may be used to prevent such issues, but my 
opinion is that it should not crash.

Here is the stack trace:

```
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0xb1ab8a4d in update_hard_presentity (pres_uri=0xbffd5710, 
event=0xb2623ae8, file_uri=0xbffd5720, filename=0xbffd5728) at publish.c:592
592                     if(pidf_doc->s)
(gdb) bt
#0  0xb1ab8a4d in update_hard_presentity (pres_uri=0xbffd5710, 
event=0xb2623ae8, file_uri=0xbffd5720, filename=0xbffd5728) at publish.c:592
#1  0xb1a8833b in pres_refresh_watchers (pres=0xbffd5710, event=0xbffd5718, 
type=2, file_uri=0xbffd5720, filename=0xbffd5728) at presence.c:691
#2  0xb1a96ded in w_pres_refresh_watchers5 (msg=0xbffd6a58, puri=0xb6e15a78 
"\260\274", <incomplete sequence \341\266>, pevent=0xb6e15aec "\344\225\341\266 
",
    ptype=0xb6e15b2c "x\220\341\266\001", furi=0xb6e730dc "", fname=0xb6e73150 
<incomplete sequence \341\266>) at presence.c:1722
#3  0x08062367 in do_action (h=0xbffd69b0, a=0xb6e1a2c4, msg=0xbffd6a58) at 
action.c:1087
#4  0x0806d2c6 in run_actions (h=0xbffd69b0, a=0xb6e17b34, msg=0xbffd6a58) at 
action.c:1549
#5  0x0806a717 in do_action (h=0xbffd69b0, a=0xb6e2c64c, msg=0xbffd6a58) at 
action.c:1301
#6  0x0806d2c6 in run_actions (h=0xbffd69b0, a=0xb6e2c64c, msg=0xbffd6a58) at 
action.c:1549
#7  0x0806a717 in do_action (h=0xbffd69b0, a=0xb6e55490, msg=0xbffd6a58) at 
action.c:1301
#8  0x0806d2c6 in run_actions (h=0xbffd69b0, a=0xb6df39e0, msg=0xbffd6a58) at 
action.c:1549
#9  0x08062021 in do_action (h=0xbffd69b0, a=0xb6e5566c, msg=0xbffd6a58) at 
action.c:1045
#10 0x0806d2c6 in run_actions (h=0xbffd69b0, a=0xb6ded644, msg=0xbffd6a58) at 
action.c:1549
#11 0xb1da33a5 in xhttp_process_request (orig_msg=0xb6e87774,
    new_buf=0xb6e87d40 "PUT 
/xcap-root/pidf-manipulation/users/sip:alice@example.org/index HTTP/1.1\r\nVia: 
SIP/2.0/TCP 192.168.150.1:40618\r\nHost: xcap.example.org:5050\r\nContent-Length: 
0\r\nUser-Agent: p", new_len=331) at xhttp_mod.c:282
#12 0xb1da42af in xhttp_handler (msg=0xb6e87774) at xhttp_mod.c:357
#13 0x081127ab in nonsip_msg_run_hooks (msg=0xb6e87774) at nonsip_hooks.c:111
#14 0x081368b1 in receive_msg (
    buf=0x9cdf838 "PUT 
/xcap-root/pidf-manipulation/users/sip:alice@example.org/index HTTP/1.1\r\nHost: 
xcap.example.org:5050\r\nContent-Length: 0\r\nUser-Agent: python-requests/2.7.0 
CPython/2.7.6 Lin", len=293, rcv_info=0xb26398ac) at receive.c:145
#15 0x08208f85 in receive_tcp_msg (
    tcpbuf=0xb2639a68 "PUT 
/xcap-root/pidf-manipulation/users/sip:alice@example.org/index HTTP/1.1\r\nHost: 
xcap.example.org:5050\r\nContent-Length: 0\r\nUser-Agent: python-requests/2.7.0 
CPython/2.7.6 Lin", len=293, rcv_info=0xb26398ac, con=0xb2639898) at 
tcp_read.c:1254
#16 0x0820bb37 in tcp_read_req (con=0xb2639898, bytes_read=0xbffd7208, 
read_flags=0xbffd720c) at tcp_read.c:1410
#17 0x0820e346 in handle_io (fm=0xb6e788a4, events=1, idx=-1) at tcp_read.c:1584
#18 0x082016c2 in io_wait_loop_epoll (h=0x8411480 <io_w>, t=2, repeat=0) at 
io_wait.h:1061
#19 0x0820fd0a in tcp_receive_loop (unix_sock=37) at tcp_read.c:1754
#20 0x081f8fc8 in tcp_init_children () at tcp_main.c:4788
#21 0x080df306 in main_loop () at main.c:1679
#22 0x080e4ca1 in main (argc=17, argv=0xbffd7734) at main.c:2597
```

Tell me if you need more information (maybe the full stack).

I think the error is here (presence/publish.c:590-595):

```
        if(pidf_doc)
        {
                if(pidf_doc->s)
                        pkg_free(pidf_doc->s);
                pkg_free(pidf_doc);
        }
```

Maybe more validation should be done on "pidf_doc" before trying to access 
"pidf_doc->s", but I haven't investigated the issue more than that.
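As an added example (not part of the original report or of the Kamailio project's own configuration), here is one way to act on the return value of "xcaps_put" in the route shown above, so that pres_refresh_watchers is never reached for a PUT that the XCAP server already rejected. It assumes the xhttp and xlog modules are loaded and that $var(uri) was set earlier in the same route, as in the reporter's snippet.

```kamailio
# Added example: guard the presence refresh on the result of xcaps_put().
# xcaps_put() returns a negative value when it cannot store the document
# (for instance "invalid body parameter" when $rb is empty), and a
# negative return value is false in a config condition.
if(!xcaps_put("$var(uri)", "$hu", "$rb")) {
    # Record the rejection so an operator can see malformed PUTs in the logs.
    xlog("L_WARN", "XHTTP: rejected XCAP PUT for $var(uri): empty or invalid body\n");
    # Answer the HTTP client and leave the route; the watchers are not
    # refreshed for a document that was never stored.
    xhttp_reply("400", "Bad Request", "text/plain", "invalid or empty XCAP document");
    exit;
}
# Only reached when the document was accepted and stored.
pres_refresh_watchers("$var(uri)", "presence", 2, "$xcapuri(u=>uri_adoc)",
    "$xcapuri(u=>file)");
```

This is a configuration-level mitigation only; the missing validation of "pidf_doc" in presence/publish.c still needs to be fixed in the module itself.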


---
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/441
sr-dev mailing list
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev