OpenSIPS / opensips

OpenSIPS is a GPL implementation of a multi-functionality SIP Server that targets to deliver a high-level technical solution (performance, security and quality) to be used in professional SIP server platforms.
https://opensips.org

[CRASH] Segfault in b2b_logic/bridging.c:895 #3418

Open NormB opened 2 months ago

NormB commented 2 months ago

OpenSIPS version you are running

version: opensips 3.6.0-dev (x86_64/linux)
flags: STATS: On, DISABLE_NAGLE, USE_MCAST, SHM_MMAP, PKG_MALLOC, Q_MALLOC, F_MALLOC, HP_MALLOC, DBG_MALLOC, CC_O0, FAST_LOCK-ADAPTIVE_WAIT
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, MAX_URI_SIZE 1024, BUF_SIZE 65535
poll method support: poll, epoll, sigio_rt, select.
git revision: 4d68e8940
main.c compiled on 14:50:08 Jun 19 2024 with cc 12

Crash Core Dump

Backtrace showing that bentity1 is NULL.

#0  0x00007efcf15ec77e in process_bridge_200OK (msg=0x7efd365a3338, extra_headers=0x7efcf35510d8, body=0x7ffc73243860, tuple=0x7efcf3550ee8, hash_index=882, entity=0x7efcf3571640) at bridging.c:895
        __ret__ = 0
        __ret__ = 0
        bentity0 = 0x7efcf3559420
        bentity1 = 0x0
        entity_no = 2
        req_data = {et = B2B_SERVER, b2b_key = 0x7efcf3559430, method = 0x7efcf163ea70 <method_invite>, extra_headers = 0x7efcf35510d8, client_headers = 0x7efcf3559480, body = 0x7ffc73243860, dlginfo = 0x7efcf3559610, maxfwd = 0, no_cb = 0}
        __FUNCTION__ = "process_bridge_200OK"

Describe the traffic that generated the bug

A REFER is being processed and during that process, a 603 is generated by the referred-to system.

A failure_route[] has been armed (and is being executed). Currently, no processing other than logging is performed in the failure_route[].

The REFER logic is similar to this example (https://www.opensips.org/Documentation/Tutorials-B2BUA-3-2):

route[b2b_logic_request] {
    if ($rm != "REFER") {
        # for requests other than REFER, no special actions needs to be done,
        # just pass the request to the peer
        b2b_pass_request();
        exit;
    }

    # end dialog with the referrer
    b2b_send_reply(202, "Accepted");
    b2b_end_dlg_leg();

    # create the client entity corresponding to
    # the user specified in the 'Refer-To' header
    b2b_client_new("referee", $hdr(Refer-To));

    # bridge the referrer's peer with the referee
    b2b_bridge("peer", "referee");
}

The b2b_end_dlg_leg(); appears to be causing bentity1 to be correctly deleted. However, the process_bridge_200OK logic does not perform any validation of either bentity1 or bentity2 prior to using them.

See the code snippet (at the location of the segfault) below:

b2b_logic/bridging.c:895:

        if (shm_str_sync(&bentity1->in_sdp, body) < 0) {
            LM_ERR("Failed to save SDP\n");
            return -1;
        }

To Reproduce

Configure the REFER logic as defined in the above example.
Configure a failure_route[] (this step might not be required).
Configure the refer-to system to return a failure (for example 603).
Attempt to make a call that flows through the REFER logic.

Relevant System Logs

OS/environment information

Additional context

#0  0x00007efcf15ec77e in process_bridge_200OK (msg=0x7efd365a3338, extra_headers=0x7efcf35510d8, body=0x7ffc73243860, tuple=0x7efcf3550ee8, hash_index=882, entity=0x7efcf3571640) at bridging.c:895
        __ret__ = 0
        __ret__ = 0
        bentity0 = 0x7efcf3559420
        bentity1 = 0x0
        entity_no = 2
        req_data = {et = B2B_SERVER, b2b_key = 0x7efcf3559430, method = 0x7efcf163ea70 <method_invite>, extra_headers = 0x7efcf35510d8, client_headers = 0x7efcf3559480, body = 0x7ffc73243860, dlginfo = 0x7efcf3559610, maxfwd = 0, no_cb = 0}
        __FUNCTION__ = "process_bridge_200OK"
#1  0x00007efcf1601676 in _b2b_handle_reply (msg=0x7efd365a3338, tuple=0x7efcf3550ee8, entity=0x7efcf3571640, entity_head=0x7efcf3550f30) at logic.c:969
        method = {s = 0x556612e54ecd <buf+301> "INVITE\r\nContact: <sip:1000@100.127.6.13:5060;did=2e6.72a4c594>\r\nContent-Type: application/sdp\r\nAllow: INVITE, INFO, PRACK, ACK, BYE, CANCEL, OPTIONS, NOTIFY, REGISTER, SUBSCRIBE, REFER, PUBLISH, UPDAT"...,
          len = 6}
        peer = 0x0
        e = 0x556612b0ebe5 <dp_time+42>
        ent = 0x556612d246e0 <ctime_buf>
        statuscode = 200
        ret = 16
        method_value = 1
        cbf = 0x0
        ekey = {s = 0x0, len = 0}
        cb_params = {param = 0x7ffc73242db0, stat = 0x3000000030, msg = 0x7ffc73242e38, entity = 1931750752, key = 0x3000000030}
        rpl_data = {et = (unknown: 0x73242d28), b2b_key = 0x7ffc73242d7c, method = -1289132800, code = 32509, text = 0x556612c67868, body = 0x556612c67876, extra_headers = 0x0, dlginfo = 0x0}
        req_data = {et = (unknown: 0x80), b2b_key = 0x556612a4b600 <syslog_dprint>, method = 0x1, extra_headers = 0x556612c67868, client_headers = 0x7ffc73242e10, body = 0x556612a4c647 <dprint+460>, dlginfo = 0x556612c67868, maxfwd = 314996729, no_cb = 21862}
        dlginfo = {callid = {s = 0x7ffc73242cc0 "\020.$s\374\177", len = 312788085}, fromtag = {s = 0x7efdb32db020 <_rtld_global> "\340\302-\263\375~", len = 314996854}, totag = {s = 0x0, len = 0}}
        do_unlock = 1
        method_ack = {s = 0x7efcf16288d4 "ACK", len = 3}
        __FUNCTION__ = "_b2b_handle_reply"
#2  0x00007efcf1608547 in b2b_handle_reply (msg=0x7efd365a3338) at logic.c:1899
        __FUNCTION__ = "b2b_handle_reply"
#3  0x0000556612a23c73 in do_action (a=0x7efd3313dfe8, msg=0x7efd365a3338) at action.c:1056
        ret = 0
        v = 32509
        i = 313245245
        len = 32764
        cmatch = 1931751648
        aitem = 0x7efdb32db020 <_rtld_global>
        adefault = 0x800
        spec = 0x7ffc73243110
        val = {rs = {s = 0x7efd365a5508 "\260", len = 856420368}, ri = 911889672, flags = 32509}
        start = {tv_sec = 0, tv_usec = 139625948246032}
        end_time = 32509
        cmd = 0x7efcf163cbd0 <cmds+720>
        acmd = 0x1
        cmdp = {0x7ffc73243060, 0x7efd330f3738, 0x811f2efd44e, 0x7efd330f3738, 0x87a73243040, 0x556612c4ca00 <__FUNCTION__.3>, 0x556612c48300, 0x8}
        tmp_vals = {{rs = {s = 0x7ffc73242f57 "", len = 911897232}, ri = 314886656, flags = 21862}, {rs = {s = 0x556612c48300 "route.c", len = 8}, ri = 856420368, flags = 32509}, {rs = {s = 0x81100000001 <error: Cannot access memory at address 0x81100000001>,
              len = 911890080}, ri = 1, flags = 0}, {rs = {s = 0x7efd3313de90 "\035", len = 1}, ri = 314716921, flags = 21862}, {rs = {s = 0x800 <error: Cannot access memory at address 0x800>, len = -1288851424}, ri = 1931751536, flags = 32764}, {rs = {
              s = 0x556612b3993c <qm_realloc_dbg+1964> "\3510\030", len = 1931751680}, ri = 0, flags = -110939344}, {rs = {s = 0x7ffc732430b0 "\3400$s\374\177", len = -1289834745}, ri = 1931751392, flags = 32764}, {rs = {
              s = 0x556612b3680b <qm_insert_free+59> "\005\363\a", len = 911889944}, ri = 856420368, flags = 32509}}
        route_p = 0x7cb199f8
        sval = {s = 0x7efd365a72f0 "H", len = 856420368}
        __FUNCTION__ = "do_action"
#4  0x0000556612a1fb22 in run_action_list (a=0x7efd3313de90, msg=0x7efd365a3338) at action.c:194
        ret = 1
        t = 0x7efd3313dfe8
#5  0x0000556612a1f922 in run_actions (a=0x7efd3313de90, msg=0x7efd365a3338) at action.c:138
        ret = 973
        _ = 32764
        ret_lvl = 0
        top_route = {s = 0x0, len = 911881016}
        __FUNCTION__ = "run_actions"
#6  0x0000556612a1fdb4 in run_top_route (sr=..., msg=0x7efd365a3338) at action.c:254
        recursing = 1
        bk_action_flags = 0
        route_stack_start_bkp = -1
        route_stack_size_bkp = -245106008
        ret = -245387091
        ctx = 0x0
        __FUNCTION__ = "run_top_route"
#7  0x00007efcf1604b3a in b2b_logic_notify_reply (src=1, msg=0x7efd365a3338, key=0x7efcf355bff8, body=0x7ffc73243860, extra_headers=0x7ffc73243850, b2bl_key=0x7ffc73244640, hash_index=882, local_index=0, flags=0) at logic.c:1330
        tuple = 0x7efcf3550ee8
        entity = 0x7efcf3571640
        entity_head = 0x7efcf3550f30
        avp_val = {n = 0, s = {s = 0x0, len = 317018153}}
        locked = 0
        routeid = 9
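
A constructed C model of this failure mode, added here and not OpenSIPS code: the tuple and entity structures, str_sync(), end_dlg_leg() and process_bridge_200ok() are simplified stand-ins for the real b2b_logic routines, and the handler carries the entity validation the report notes is missing, so a 200 OK arriving after a leg was torn down is rejected instead of dereferencing NULL.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the b2b_logic structures (not OpenSIPS code): a tuple
 * bridging two entities, each holding the last SDP seen on its leg. */
typedef struct { char *s; int len; } str_t;
typedef struct { str_t in_sdp; } entity_t;
typedef struct { entity_t *bridge_entities[2]; } tuple_t;

/* Stand-in for shm_str_sync(): replace dst with a NUL-terminated copy of src. */
static int str_sync(str_t *dst, const str_t *src) {
    char *p = realloc(dst->s, (size_t)src->len + 1);
    if (!p) return -1;
    memcpy(p, src->s, (size_t)src->len);
    p[src->len] = '\0';
    dst->s = p; dst->len = src->len;
    return 0;
}

/* Builds a tuple with two live entities (constructed sample state). */
tuple_t *make_tuple(void) {
    tuple_t *t = calloc(1, sizeof *t);
    for (int i = 0; i < 2; i++)
        t->bridge_entities[i] = calloc(1, sizeof(entity_t));
    return t;
}

/* Model of b2b_end_dlg_leg(): the entity is freed and its slot cleared,
 * which is the state the backtrace shows (bentity1 = 0x0). */
void end_dlg_leg(tuple_t *t, int idx) {
    entity_t *e = t->bridge_entities[idx];
    if (!e) return;
    free(e->in_sdp.s); free(e);
    t->bridge_entities[idx] = NULL;
}

/* Hardened handler modelled on process_bridge_200OK(): both bridge entities
 * are validated before use, so a late 200 OK on a torn-down bridge returns
 * -1 (and is logged) instead of crashing on a NULL entity. */
int process_bridge_200ok(tuple_t *t, const str_t *body) {
    entity_t *bentity0 = t->bridge_entities[0];
    entity_t *bentity1 = t->bridge_entities[1];
    if (!bentity0 || !bentity1) {
        fprintf(stderr, "bridge entity missing (0=%p, 1=%p), dropping reply\n",
                (void *)bentity0, (void *)bentity1);
        return -1;
    }
    return str_sync(&bentity1->in_sdp, body);
}
```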

NormB commented 2 months ago

Possibly related to this: https://github.com/OpenSIPS/opensips/issues/3385

github-actions[bot] commented 1 month ago

Any updates here? No progress has been made in the last 15 days, marking as stale. Will close this issue if no further updates are made in the next 30 days.

devoxy1 commented 1 month ago

Up

github-actions[bot] commented 1 month ago

Any updates here? No progress has been made in the last 15 days, marking as stale. Will close this issue if no further updates are made in the next 30 days.

devoxy1 commented 1 month ago

Up

andingv commented 1 month ago

Hi, have you tried with the latest version having that fix: https://github.com/OpenSIPS/opensips/commit/c4032f94f3993d1b62a0483eaae3ac0bd6c7c358 ? I haven't analyzed your crash, but it looks like this commit may resolve corruption around some race conditions.

github-actions[bot] commented 2 weeks ago

Any updates here? No progress has been made in the last 15 days, marking as stale. Will close this issue if no further updates are made in the next 30 days.

devoxy1 commented 1 week ago

up