OpenSIPS / opensips

OpenSIPS is a GPL implementation of a multi-functionality SIP Server that targets to deliver a high-level technical solution (performance, security and quality) to be used in professional SIP server platforms.
https://opensips.org

[CRASH] Accounting ctx free in dlg_timer_remove_from_db destroy_dlg context #3499

Open vladpaiu opened 1 month ago

vladpaiu commented 1 month ago

OpenSIPS version you are running

3.4.5

Crash Core Dump

#0  0x00007efc435bcde7 in dlg_ctx_get_ptr (dlg=0xd6f6d7271646464, pos=0) at dlg_ctx.c:65
#1  0x00007efc408ee4b3 in free_acc_ctx (ctx=0x7efc4498ad38) at acc_logic.c:175
#2  unref_acc_ctx (ctx=0x7efc4498ad38) at acc_logic.c:1219
#3  0x000055c522dee398 in context_destroy (ctxtype=ctxtype@entry=CONTEXT_DIALOG, ctx=ctx@entry=0x7efc449af938) at context.c:111
#4  0x00007efc435fa8ec in free_dlg_dlg (dlg=dlg@entry=0x7efc449af810) at dlg_hash.c:174
#5  0x00007efc435fe883 in destroy_dlg (dlg=dlg@entry=0x7efc449af810) at dlg_hash.c:271
#6  0x00007efc435bf315 in dlg_timer_remove_from_db (cell=0x7efc449af810) at dlg_db_handler.c:936
#7  0x00007efc435c6a2c in dialog_update_db (ticks=16080, do_lock=0x1) at dlg_db_handler.c:1774
#8  0x000055c522ef83a6 in handle_timer_job () at timer.c:1018
#9  0x000055c5230538cd in handle_io (fm=0x7efc464699d8, idx=3, event_type=1) at net/net_tcp_proc.c:204
#10 0x000055c523054d45 in io_wait_loop_epoll (h=<optimized out>, t=<optimized out>, repeat=<optimized out>) at net/../io_wait_loop.h:305
#11 tcp_worker_proc_loop () at net/net_tcp_proc.c:442
#12 0x000055c52304e3ce in tcp_start_processes (chd_rank=chd_rank@entry=0x55c5231b4ff8 <chd_rank>, startup_done=startup_done@entry=0x0) at net/net_tcp.c:2119
#13 0x000055c522dc5447 in main_loop () at main.c:243

(gdb) f 1
#1  0x00007efc408ee4b3 in free_acc_ctx (ctx=0x7efc4498ad38) at acc_logic.c:175
175 acc_logic.c: No such file or directory.
(gdb) p T
$1 = (struct cell *) 0x7efc449953f8
(gdb) p T->dialog_ctx
$2 = (void *) 0xd6f6d7271646464

Note that there exists a dangling T pointer (probably pointing to an already de-allocated transaction). Since we do not have a T context here, ACC should probably just rely on the dialog ctx (either through the stack as params, or in the current processing ctx).

Describe the traffic that generated the bug

Unknown

To Reproduce

Unknown

Relevant System Logs

None

OS/environment information

Debian 11.10, installed from official OpenSIPS repo.

Additional context

OpenSIPS running without B2B, generating ACC (cdrs | failed) with dialog context, doing push notifications via manual notify_on_event and running local_route for various script processing. Dialogs destroyed on a per timer basis.
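Added example, not OpenSIPS code: a constructed C model of the lifetime problem in the trace above (a module-global T consulted from a timer-driven dialog destroy, where no transaction is being processed), with the release routine rewritten to take the dialog context as a parameter, the first of the two options the report suggests. Struct and function names are assumptions that mirror the backtrace.

```c
#include <stddef.h>

/* Constructed model of the crash path in this issue (added example, not
 * OpenSIPS code). Names are assumptions chosen to mirror the backtrace. */

struct dlg_ctx { int acc_refs; };                          /* per-dialog data ACC hangs off */
struct cell    { int alive; struct dlg_ctx *dialog_ctx; };  /* stands in for a transaction */
struct acc_ctx { int refs; };

static struct cell *T;  /* module-global "current transaction", as in the trace */

/* Transaction teardown. The cell is marked dead instead of free()d so the model
 * stays deterministic; real code would leave T pointing at freed memory. */
static void free_transaction(struct cell *t) { t->alive = 0; t->dialog_ctx = NULL; }

/* Buggy shape (free_acc_ctx at acc_logic.c:175 in the trace): reaches the
 * dialog context through T, which a timer-driven destroy_dlg cannot trust.
 * The liveness check exists only so this model reports failure instead of
 * dereferencing a dead cell. */
static int unref_acc_ctx_via_T(struct acc_ctx *ctx) {
    if (T == NULL || !T->alive) return -1;
    if (--ctx->refs == 0) T->dialog_ctx->acc_refs--;
    return 0;
}

/* Hardened shape: the caller (destroy_dlg -> context_destroy) already holds the
 * dialog context and passes it down the stack, so T is never consulted. */
static int unref_acc_ctx(struct acc_ctx *ctx, struct dlg_ctx *dlg) {
    if (dlg == NULL) return -1;
    if (--ctx->refs == 0) dlg->acc_refs--;
    return 0;
}

/* Replays the sequence from the backtrace: the transaction that created the
 * accounting context is gone, then the dialog timer destroys the dialog.
 * Returns 1 if the accounting context was released cleanly, 0 otherwise. */
static int replay(int hardened) {
    struct dlg_ctx dlg = { .acc_refs = 1 };
    struct cell tx = { .alive = 1, .dialog_ctx = &dlg };
    struct acc_ctx acc = { .refs = 1 };
    T = &tx;                      /* transaction active while the ACC ctx is created */
    free_transaction(&tx);        /* transaction finishes; T is left dangling */
    int rc = hardened ? unref_acc_ctx(&acc, &dlg) : unref_acc_ctx_via_T(&acc);
    return rc == 0 && dlg.acc_refs == 0;
}
```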

github-actions[bot] commented 2 weeks ago

Any updates here? No progress has been made in the last 15 days, marking as stale. Will close this issue if no further updates are made in the next 30 days.