uac_req_send crash Kamailio

[suharik71]

Description

Hello. I use uac_req_send to send registration to the asterisk pool. If some asterisk did not authorize and re-sent the 401 code, the module causes a kamailio crash

Troubleshooting

    ds_select("BACKENDS","0");
    while(ds_set_dst()) {
            xlog("L_DBG",">>> BACKEND du=$du\n");
            $uac_req(ruri)="sip:" + $(du{uri.host});
            $uac_req(furi)="sip:" + $avp(username) + "@" + $(du{uri.host});
            $uac_req(turi)=$uac_req(furi);
            uac_req_send();
            ds_next_dst();
    }

Reproduction

Debugging Data

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/usr/sbin/kamailio -P /run/kamailio/kamailio.pid -f /etc/kamailio/kamailio.cfg'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00005557272803b9 in timer_list_expire (t=1180105352, h=0x7f73b30a3bb8, slow_l=0x7f73b30a73a0, slow_mark=2907) at core/timer.c:846
846	core/timer.c: No such file or directory.
(gdb) bt full
#0  0x00005557272803b9 in timer_list_expire (t=1180105352, h=0x7f73b30a3bb8, slow_l=0x7f73b30a73a0, slow_mark=2907) at core/timer.c:846
        tl = 0x7f73b3a49a88
        ret = 0
#1  0x00005557272809cf in timer_handler () at core/timer.c:922
        saved_ticks = 1180105352
        run_slow_timer = 0
        i = 859
        __func__ = "timer_handler"
#2  0x0000555727280f53 in timer_main () at core/timer.c:961
No locals.
#3  0x0000555726f77736 in main_loop () at /build/kamailio-5.6.4+ubuntu22.04/src/main.c:1831
        i = 6
        pid = 0
        si = 0x0
        si_desc = "udp receiver child=5 sock=10.153.5.40:5060\000\000\020\000\000\000\003\000\000\000!\000\000\000\000\262\270\224RE&\035(\247K'WU\000\000WqA'WU\000\000\000\000\000\000\000\000\000\000c\367@'WU\000\000!\000\000\000\000\000\000\000\260\325\022\371s\177\000\000 \236.\220\375\177\000\000ݕ\024'WU\000"
        nrprocs = 6
        woneinit = 1
        __func__ = "main_loop"
#4  0x0000555726f83d11 in main (argc=12, argv=0x7ffd902ea398) at /build/kamailio-5.6.4+ubuntu22.04/src/main.c:3078
        cfg_stream = 0x555727e12380
        c = -1
        r = 0
        tmp = 0x7ffd902ebe36 ""
        tmp_len = 0
        port = 0
        proto = 0
        ahost = 0x0
        aport = 0
        options = 0x55572744e898 ":f:cm:M:dVIhEeb:l:L:n:vKrRDTN:W:w:t:u:g:P:G:SQ:O:a:A:x:X:Y:"
        ret = -1
        seed = 4270110361
        rfd = 4
        debug_save = 0
        debug_flag = 0
        dont_fork_cnt = 0
        n_lst = 0x7ffd902ea398
        p = 0x7ffd902ea310 ""
        st = {st_dev = 25, st_ino = 5514, st_nlink = 2, st_mode = 16888, st_uid = 0, st_gid = 0, __pad0 = 0, st_rdev = 0, st_size = 40, st_blksize = 4096, st_blocks = 0, st_atim = {tv_sec = 1690276408, tv_nsec = 971865637}, st_mtim = {tv_sec = 1690276408,
            tv_nsec = 971865637}, st_ctim = {tv_sec = 1690276408, tv_nsec = 971865637}, __glibc_reserved = {0, 0, 0}}
        tbuf = '\000' <repeats 80 times>, "\377\000\000\000\377\000\000\000\000\377\000\000\000\000\000\000", '/' <repeats 16 times>, "\230\r", '\000' <repeats 14 times>, "`", '\000' <repeats 15 times>, "\001", '\000' <repeats 144 times>...
        option_index = 12
        long_options = {{name = 0x55572740a2e9 "help", has_arg = 0, flag = 0x0, val = 104}, {name = 0x55572740b84a "version", has_arg = 0, flag = 0x0, val = 118}, {name = 0x55572740f6e4 "alias", has_arg = 1, flag = 0x0, val = 1024}, {name = 0x55572740a2ee "subst",
            has_arg = 1, flag = 0x0, val = 1025}, {name = 0x55572740a2f4 "substdef", has_arg = 1, flag = 0x0, val = 1026}, {name = 0x55572740a2fd "substdefs", has_arg = 1, flag = 0x0, val = 1027}, {name = 0x55572740a307 "server-id", has_arg = 1, flag = 0x0, val = 1028},
          {name = 0x55572740a311 "loadmodule", has_arg = 1, flag = 0x0, val = 1029}, {name = 0x55572740a31c "modparam", has_arg = 1, flag = 0x0, val = 1030}, {name = 0x55572740a325 "log-engine", has_arg = 1, flag = 0x0, val = 1031}, {name = 0x55572740b967 "debug",
            has_arg = 1, flag = 0x0, val = 1032}, {name = 0x55572740a330 "cfg-print", has_arg = 0, flag = 0x0, val = 1033}, {name = 0x55572740a33a "atexit", has_arg = 1, flag = 0x0, val = 1034}, {name = 0x0, has_arg = 0, flag = 0x0, val = 0}}
        __func__ = "main"
(gdb) info locals
tl = 0x7f73b3a49a88
ret = 0
(gdb) list
841	in core/timer.c
(gdb)

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/usr/sbin/kamailio -P /run/kamailio/kamailio.pid -f /etc/kamailio/kamailio.cfg'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f73f575d4d0 in free_hash_table () at /build/kamailio-5.6.4+ubuntu22.04/src/modules/tm/h_table.c:464
464	/build/kamailio-5.6.4+ubuntu22.04/src/modules/tm/h_table.c: No such file or directory.
(gdb) bt full
#0  0x00007f73f575d4d0 in free_hash_table () at /build/kamailio-5.6.4+ubuntu22.04/src/modules/tm/h_table.c:464
        p_cell = 0x0
        tmp_cell = 0x0
        i = 64459
        __func__ = "free_hash_table"
#1  0x00007f73f5793e46 in tm_shutdown () at /build/kamailio-5.6.4+ubuntu22.04/src/modules/tm/t_funcs.c:88
        __func__ = "tm_shutdown"
#2  0x00005557271db17b in destroy_modules () at core/sr_module.c:842
        t = 0x7f73f68a65a0
        foo = 0x7f73f68a59e0
        __func__ = "destroy_modules"
#3  0x0000555726f64029 in cleanup (show_status=1) at /build/kamailio-5.6.4+ubuntu22.04/src/main.c:561
        memlog = 0
        __func__ = "cleanup"
#4  0x0000555726f66044 in shutdown_children (sig=15, show_status=1) at /build/kamailio-5.6.4+ubuntu22.04/src/main.c:704
        __func__ = "shutdown_children"
#5  0x0000555726f697dc in handle_sigs () at /build/kamailio-5.6.4+ubuntu22.04/src/main.c:802
        chld = 0
        chld_status = 139
        any_chld_stopped = 1
        memlog = 0
        __func__ = "handle_sigs"
#6  0x0000555726f78f42 in main_loop () at /build/kamailio-5.6.4+ubuntu22.04/src/main.c:1900
        i = 6
        pid = 37846
        si = 0x0
        si_desc = "udp receiver child=5 sock=10.153.5.40:5060\000\000\020\000\000\000\003\000\000\000!\000\000\000\000\262\270\224RE&\035(\247K'WU\000\000WqA'WU\000\000\000\000\000\000\000\000\000\000c\367@'WU\000\000!\000\000\000\000\000\000\000\260\325\022\371s\177\000\000 \236.\220\375\177\000\000ݕ\024'WU\000"
        nrprocs = 6
        woneinit = 1
        __func__ = "main_loop"
#7  0x0000555726f83d11 in main (argc=12, argv=0x7ffd902ea398) at /build/kamailio-5.6.4+ubuntu22.04/src/main.c:3078
        cfg_stream = 0x555727e12380
        c = -1
        r = 0
        tmp = 0x7ffd902ebe36 ""
        tmp_len = 0
        port = 0
        proto = 0
        ahost = 0x0
        aport = 0
        options = 0x55572744e898 ":f:cm:M:dVIhEeb:l:L:n:vKrRDTN:W:w:t:u:g:P:G:SQ:O:a:A:x:X:Y:"
        ret = -1
        seed = 4270110361
        rfd = 4
        debug_save = 0
        debug_flag = 0
        dont_fork_cnt = 0
        n_lst = 0x7ffd902ea398
        p = 0x7ffd902ea310 ""
        st = {st_dev = 25, st_ino = 5514, st_nlink = 2, st_mode = 16888, st_uid = 0, st_gid = 0, __pad0 = 0, st_rdev = 0, st_size = 40, st_blksize = 4096, st_blocks = 0, st_atim = {tv_sec = 1690276408, tv_nsec = 971865637}, st_mtim = {tv_sec = 1690276408,
            tv_nsec = 971865637}, st_ctim = {tv_sec = 1690276408, tv_nsec = 971865637}, __glibc_reserved = {0, 0, 0}}
        tbuf = '\000' <repeats 80 times>, "\377\000\000\000\377\000\000\000\000\377\000\000\000\000\000\000", '/' <repeats 16 times>, "\230\r", '\000' <repeats 14 times>, "`", '\000' <repeats 15 times>, "\001", '\000' <repeats 144 times>...
        option_index = 12
        long_options = {{name = 0x55572740a2e9 "help", has_arg = 0, flag = 0x0, val = 104}, {name = 0x55572740b84a "version", has_arg = 0, flag = 0x0, val = 118}, {name = 0x55572740f6e4 "alias", has_arg = 1, flag = 0x0, val = 1024}, {name = 0x55572740a2ee "subst",
            has_arg = 1, flag = 0x0, val = 1025}, {name = 0x55572740a2f4 "substdef", has_arg = 1, flag = 0x0, val = 1026}, {name = 0x55572740a2fd "substdefs", has_arg = 1, flag = 0x0, val = 1027}, {name = 0x55572740a307 "server-id", has_arg = 1, flag = 0x0, val = 1028},
          {name = 0x55572740a311 "loadmodule", has_arg = 1, flag = 0x0, val = 1029}, {name = 0x55572740a31c "modparam", has_arg = 1, flag = 0x0, val = 1030}, {name = 0x55572740a325 "log-engine", has_arg = 1, flag = 0x0, val = 1031}, {name = 0x55572740b967 "debug",
            has_arg = 1, flag = 0x0, val = 1032}, {name = 0x55572740a330 "cfg-print", has_arg = 0, flag = 0x0, val = 1033}, {name = 0x55572740a33a "atexit", has_arg = 1, flag = 0x0, val = 1034}, {name = 0x0, has_arg = 0, flag = 0x0, val = 0}}
        __func__ = "main"
(gdb) info locals
p_cell = 0x0
tmp_cell = 0x0
i = 64459
__func__ = "free_hash_table"
(gdb) list
459	in /build/kamailio-5.6.4+ubuntu22.04/src/modules/tm/h_table.c

Log Messages

CRITICAL: <core> [core/mem/q_malloc.c:519]: qm_free(): BUG: freeing already freed pointer (0x7f8a6c440050), called from uac: uac_send.c: uac_send_tm_callback(860), first free uac: uac_send.c: uac_send_info_clone(110) - ignoring

CRITICAL: <core> [core/mem/q_malloc.c:123]: qm_debug_check_frag(): BUG: qm: fragm. 0x7f74379f46b0 (address 0x7f74379f46e8) beginning overwritten (0)! Memory allocator was called from uac: uac_send.c:860. Fragment marked by (null):0. Exec from core/mem/q_malloc.c:511.

SIP Traffic

proto:UDP 2023-07-25T10:00:44.452898Z  10.153.5.40:5060 ---> 192.168.50.107:5060

REGISTER sip:192.168.50.107 SIP/2.0
Via: SIP/2.0/UDP 10.153.5.40;branch=z9hG4bK6a0b.834627a6000000000000000000000000.0
To: <sip:3408@192.168.50.107>
From: <sip:3408@192.168.50.107>;tag=b2f228866a24b161d346cfb256d45132-a0527658
CSeq: 10 REGISTER
Call-ID: 2332840947916a3e-39417@10.153.5.40
Max-Forwards: 70
Content-Length: 0
Contact: <sip:3408@10.153.5.40:5060>
Expires: 150
User-Agent: PortSIP UC Client  Android - v11.8.1

proto:UDP 2023-07-25T10:00:44.464436Z  192.168.50.107:5060 ---> 10.153.5.40:5060

SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 10.153.5.40;rport=5060;received=10.153.5.40;branch=z9hG4bK6a0b.834627a6000000000000000000000000.0
Call-ID: 2332840947916a3e-39417@10.153.5.40
From: <sip:3408@192.168.50.107>;tag=b2f228866a24b161d346cfb256d45132-a0527658
To: <sip:3408@192.168.50.107>;tag=z9hG4bK6a0b.834627a6000000000000000000000000.0
CSeq: 10 REGISTER
WWW-Authenticate: Digest realm="vpp",nonce="1690279244/67fc12dbaf6a76fa34181a4bd504de00",opaque="1680d45809efac86",algorithm=md5,qop="auth"
Server: Asterisk
Content-Length:  0


proto:UDP 2023-07-25T10:00:44.466447Z  10.153.5.40:5060 ---> 192.168.50.107:5060

REGISTER sip:192.168.50.107 SIP/2.0
Via: SIP/2.0/UDP 10.153.5.40;branch=z9hG4bK7a0b.5673b4d4000000000000000000000000.0
To: <sip:3408@192.168.50.107>
From: <sip:3408@192.168.50.107>;tag=b2f228866a24b161d346cfb256d45132-a0527658
CSeq: 11 REGISTER
Call-ID: 2332840947916a3e-39417@10.153.5.40
Max-Forwards: 70
Content-Length: 0
Contact: <sip:3408@10.153.5.40:5060>
Expires: 150
Authorization: Digest username="3408", realm="vpp", nonce="1690279244/67fc12dbaf6a76fa34181a4bd504de00", uri="sip:192.168.50.107", opaque="1680d45809efac86", qop=auth, nc=00000001, cnonce="1935694403", response="38bc75e831e1267ce943bcc50f76390a", algorithm=MD5
User-Agent: PortSIP UC Client  Android - v11.8.1

proto:UDP 2023-07-25T10:00:44.477675Z  192.168.50.107:5060 ---> 10.153.5.40:5060

SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 10.153.5.40;rport=5060;received=10.153.5.40;branch=z9hG4bK7a0b.5673b4d4000000000000000000000000.0
Call-ID: 2332840947916a3e-39417@10.153.5.40
From: <sip:3408@192.168.50.107>;tag=b2f228866a24b161d346cfb256d45132-a0527658
To: <sip:3408@192.168.50.107>;tag=z9hG4bK7a0b.5673b4d4000000000000000000000000.0
CSeq: 11 REGISTER
WWW-Authenticate: Digest realm="vpp",nonce="1690279244/67fc12dbaf6a76fa34181a4bd504de00",opaque="5adc30b867f02d18",algorithm=md5,qop="auth"
Server: Asterisk
Content-Length:  0

Possible Solutions

Additional Information

• Kamailio Version - output of kamailio -v

version: kamailio 5.6.4 (x86_64/linux)
flags: USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MMAP, PKG_MALLOC, Q_MALLOC, F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLOCKLIST, HAVE_RESOLV_RES, TLS_PTHREAD_MUTEX_SHARED
ADAPTIVE_WAIT_LOOPS 1024, MAX_RECV_BUFFER_SIZE 262144, MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
id: unknown
compiled with gcc 11.3.0

• Operating System:

5.15.0-76-generic #83-Ubuntu SMP Thu Jun 15 19:16:32 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

[github-actions]

This issue is stale because it has been open 6 weeks with no activity. Remove stale label or comment or this will be closed in 2 weeks.

[p-barabas]

In version 5.7.2 the issue may still exist. I got some crash connected to uac module. Here is my backtrace:

(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007fae9a2d0859 in __GI_abort () at abort.c:79
#2  0x00005614ad79afd8 in qm_debug_check_frag (qm=0x7fae78e77000, f=0x7fae79805028, file=0x7fae77c8c134 "uac: uac_send.c", line=860, efile=0x5614ad936f99 "core/mem/q_malloc.c", eline=511) at core/mem/q_malloc.c:129
#3  0x00005614ad79f7c1 in qm_free (qmp=0x7fae78e77000, p=0x7fae79805060, file=0x7fae77c8c134 "uac: uac_send.c", func=0x7fae77c8cf10 <__func__.15157> "uac_send_tm_callback", line=860, mname=0x7fae77c8c014 "uac") at core/mem/q_malloc.c:511
#4  0x00005614ad7ab410 in qm_shm_free (qmp=0x7fae78e77000, p=0x7fae79805060, file=0x7fae77c8c134 "uac: uac_send.c", func=0x7fae77c8cf10 <__func__.15157> "uac_send_tm_callback", line=860, mname=0x7fae77c8c014 "uac") at core/mem/q_malloc.c:1350
#5  0x00007fae77c3686b in uac_send_tm_callback (t=0x7fae797dcf40, type=131072, ps=0x7fff8bd990d0) at uac_send.c:860
#6  0x00007fae783abc27 in run_trans_callbacks_internal (cb_lst=0x7fae797dcfe8, type=131072, trans=0x7fae797dcf40, params=0x7fff8bd990d0) at t_hooks.c:241
#7  0x00007fae783abd1e in run_trans_callbacks (type=131072, trans=0x7fae797dcf40, req=0x0, rpl=0x0, code=0) at t_hooks.c:261
#8  0x00007fae782bd8cb in free_cell_helper (dead_cell=0x7fae797dcf40, silent=0, fname=0x7fae783e9f62 "timer.c", fline=653) at h_table.c:165
#9  0x00007fae7837649c in wait_handler (ti=724701450, wait_tl=0x7fae797dcff8, data=0x7fae797dcf40) at timer.c:653
#10 0x00005614ad50be68 in timer_list_expire (t=724701450, h=0x7fae78ef5d18, slow_l=0x7fae78ef95e0, slow_mark=33641) at core/timer.c:857
#11 0x00005614ad50c3a7 in timer_handler () at core/timer.c:922
#12 0x00005614ad50c8d5 in timer_main () at core/timer.c:961
#13 0x00005614ad45fbf3 in main_loop () at main.c:1833
#14 0x00005614ad46ae93 in main (argc=14, argv=0x7fff8bd99b48) at main.c:3086

Any idea about this?

[p-barabas]

Hi,

any idea about this crash? I got 17 crashes in 4 days. The stack trace is the same as above.
In kamailio config I do the followings:

• mobile softphone applications are registered to asterisk through kamailio. Kamailio forwards the requests to asterisk which authenticates the users. In successful authentication Kamailio saves registrations also into location and another table which stores the "active asterisk users".
• when mobile app goes to background registration from location will be deleted but registration between Kamailio and asterisk remains active. Registration timeout between asterisk and kamailio is 2 hours.
• I wrote a rtimer route which runs in every 10 minutes: kamailio checks which registration has less than an hour towards asterisk. If there is such, the following happens:

1. Kamailio sends an async http request to our server which results the sip passwords of users which have to be renewed.
2. In the http reply handler kamailio builds az $uac_req object and calls uac_req_send() to asterisk for each users which registrations have to be renewed.
3. $uac_req(evroute)=1 is set before.
4. In uac:reply event route registration data (refresh time...) is saved into a mysql table.

The crash occurs immediately after or during calling refresh regsistration.

Any idea, how can this crash be eliminated?

[p-barabas]

Here is the full backtrace:

GNU gdb (Ubuntu 12.1-0ubuntu1~22.04) 12.1
Copyright (C) 2022 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/local/sbin/kamailio...

warning: Can't open file /dev/zero (deleted) during file-backed mapping note processing
[New LWP 4110362]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/usr/local/sbin/kamailio -P /var/run/kamailio/kamailio.pid -f /etc/kamailio/kam'.
Program terminated with signal SIGABRT, Aborted.
#0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=140359291291456) at ./nptl/pthread_kill.c:44
44      ./nptl/pthread_kill.c: No such file or directory.
(gdb) bt full
#0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=140359291291456) at ./nptl/pthread_kill.c:44
        tid = <optimized out>
        ret = 0
        pd = 0x7fa7f1b2c740
        old_mask = {__val = {528280977419, 1438814044166, 0, 0, 93910694406720, 6483051068034487040, 5529999408, 18446744073709551488, 4, 6483051068034487040, 1, 18446744073709551488, 4, 21, 1, 93910688023664}}
        ret = <optimized out>
        pd = <optimized out>
        old_mask = <optimized out>
        ret = <optimized out>
        tid = <optimized out>
        ret = <optimized out>
        resultvar = <optimized out>
        resultvar = <optimized out>
        __arg3 = <optimized out>
        __arg2 = <optimized out>
        __arg1 = <optimized out>
        _a3 = <optimized out>
        _a2 = <optimized out>
        _a1 = <optimized out>
        __futex = <optimized out>
        resultvar = <optimized out>
        __arg3 = <optimized out>
        __arg2 = <optimized out>
        __arg1 = <optimized out>
        _a3 = <optimized out>
        _a2 = <optimized out>
        _a1 = <optimized out>
        __futex = <optimized out>
        __private = <optimized out>
        __oldval = <optimized out>
        result = <optimized out>
#1  __pthread_kill_internal (signo=6, threadid=140359291291456) at ./nptl/pthread_kill.c:78
No locals.
#2  __GI___pthread_kill (threadid=140359291291456, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
No locals.
#3  0x00007fa7f1b71476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
        ret = <optimized out>
#4  0x00007fa7f1b577f3 in __GI_abort () at ./stdlib/abort.c:79
        save_stage = 1
        act = {__sigaction_handler = {sa_handler = 0x0, sa_sigaction = 0x0}, sa_mask = {__val = {11204472, 4646408, 5572744, 140358732006944, 140358731771904, 47, 6483051068034487040, 140724813621040, 6483051068034487040, 0, 93910686282567, 93910688017824, 93910688018232, 
              140358743675984, 6483051068034487040, 0}}, sa_flags = 1228091018, sa_restorer = 0x0}
        sigs = {__val = {32, 6483051068034487040, 140724813621104, 93910686336197, 1701480744, 337218937, 93910687653044, 0, 93910688018058, 140358731771904, 44, 21474838579, 93909459927052, 140358720490894, 1284195221895, 0}}
#5  0x000055694918b36e in qm_debug_check_frag (qm=0x7fa7d0593000, f=0x7fa7d10ed450, file=0x7fa7cf3365f4 "uac: uac_send.c", line=860, efile=0x556949332db9 "core/mem/q_malloc.c", eline=511) at core/mem/q_malloc.c:129
        p = 0x7fa7f0c99f58
        __func__ = "qm_debug_check_frag"
#6  0x000055694918fbe4 in qm_free (qmp=0x7fa7d0593000, p=0x7fa7d10ed488, file=0x7fa7cf3365f4 "uac: uac_send.c", func=0x7fa7cf3373d0 <__func__.2> "uac_send_tm_callback", line=860, mname=0x7fa7cf3364d4 "uac") at core/mem/q_malloc.c:511
        qm = 0x7fa7d0593000
        f = 0x7fa7d10ed450
        size = 89856
        next = 0x7fa7d10e5658
        prev = 0x7fa7d10cf6f0
        __func__ = "qm_free"
#7  0x000055694919b9aa in qm_shm_free (qmp=0x7fa7d0593000, p=0x7fa7d10ed488, file=0x7fa7cf3365f4 "uac: uac_send.c", func=0x7fa7cf3373d0 <__func__.2> "uac_send_tm_callback", line=860, mname=0x7fa7cf3364d4 "uac") at core/mem/q_malloc.c:1350
No locals.
#8  0x00007fa7cf32b331 in uac_send_tm_callback (t=0x7fa7d11592f0, type=131072, ps=0x7ffd0c86f5d0) at uac_send.c:860
        ret = 11203376
        hdr = 0x55694919883f <qm_info+50>
        response = "\220\354\206\f\375\177\000\000@R\324\361\247\177\000\000@u\233IiU\000\000\b\000\000\000\000\000\000\000i"
        new_auth_hdr = 0x0
        auth = {flags = 0, realm = {s = 0x0, len = 0}, domain = {s = 0x0, len = 0}, nonce = {s = 0x0, len = 0}, opaque = {s = 0x0, len = 0}, qop = {s = 0x0, len = 0}, nc = 0x0, cnonce = 0x0}
        cred = {realm = {s = 0x7fa7f0e15060 "\370\002", len = -256724976}, user = {s = 0x7ffd0c86ead0 "", len = -810742386}, passwd = {s = 0x7fa7f0b2d9e0 "", len = 0}, aflags = 16777216, next = 0xaaf1a8}
        b_hdrs = "h\221\320\361\247\177\000\000\312O\272\361\247\177\000\000ȆV\000\000\000\000\000e\221\320\361\247\177\000\000\000\000\000\000\060\000\000\000\300\362\206\f\375\177\000\000\340\361\206\f\375\177\000\000\000\000\000\000iU\000\000h\r\000\000\000\000\000\000 \260\262\360\005\000\000\000\000\000\000\000\247\177", '\000' <repeats 14 times>, "\375\177\000\000\000\000\000\000\000\000\000\000\n\000\000\000\247\177\000\000f\221\320\361\247\177\000\000\001\000\000\000\000\000\000\000\001\000\000\000\000\000\000\000\377\377\377\377\377\377\377\377lλ\361\247\177\000\000~D3IiU", '\000' <repeats 18 times>, "@R\324\361\247\177\000\000@u\233IiU\000\000\314\000\000\000\000\000\000\000"...
        s_hdrs = {s = 0x7ffd0c86ea90 "", len = -256724976}
        uac_r = {method = 0x0, headers = 0x549332db4, body = 0x7ffd0c86ec00, ssock = 0x59f86c9900000000, ssockname = 0x7ffd0c86ec00, dialog = 0x55694918e87e <qm_malloc+2777>, cb_flags = -253670144, cb = 0x7fa7f0b2b010, cbp = 0x7fa7cfeb4a6c, callid = 0x4acfad0d8e}
        tmdlg = {id = {call_id = {s = 0x7fa7cfeb4b70 <__func__.5> "dupl_string_name", len = -806663567}, rem_tag = {s = 0x10 <error: Cannot access memory at address 0x10>, len = -256724976}, loc_tag = {s = 0x46e6c8 <error: Cannot access memory at address 0x46e6c8>, 
              len = -794453264}}, loc_seq = {value = 1, is_set = 0 '\000'}, rem_seq = {value = 1228090809, is_set = 105 'i'}, loc_uri = {s = 0x7fa7f0b2b010 "\001", len = -253669400}, rem_uri = {s = 0x7ffd0c86ebc0 "", len = -256724976}, rem_target = {s = 0x7fa7f0e14e10 "H\005", 
            len = -256724976}, dst_uri = {s = 0x7ffd0c86ec00 "'\002", len = -810742386}, loc_dname = {s = 0x7fa7f0b2fa40 "", len = 0}, rem_dname = {s = 0x1000000 <error: Cannot access memory at address 0x1000000>, len = 48861952}, secure = 128 '\200', state = DLG_NEW, 
          route_set = 0x7fa7d0a59af0, hooks = {ru = {s = 0x0, len = 1227726035}, nh = {s = 0x32 <error: Cannot access memory at address 0x32>, len = 1228090809}, request_uri = 0x18d00000227, next_hop = 0x55694919883f <qm_info+50>, first_route = 0x7ffd0c86ec50, 
            last_route = 0x7fa7f0b2b010}, send_sock = 0x7fa7f0bf60eb}
        tp = 0x7fa7d10ed488
        __func__ = "uac_send_tm_callback"
#9  0x00007fa7cf9bb79c in run_trans_callbacks_internal (cb_lst=0x7fa7d1159398, type=131072, trans=0x7fa7d11592f0, params=0x7ffd0c86f5d0) at t_hooks.c:241
        cbp = 0x7fa7d109e778
        backup_xd = {uri_avps_from = 0x55694947b080 <def_list>, uri_avps_to = 0x55694947b088 <def_list+8>, user_avps_from = 0x55694947b090 <def_list+16>, user_avps_to = 0x55694947b098 <def_list+24>, domain_avps_from = 0x55694947b0a0 <def_list+32>, 
          domain_avps_to = 0x55694947b0a8 <def_list+40>, xavps_list = 0x55694947b1d8 <_xavp_list_head>, xavus_list = 0x55694947b1e0 <_xavu_list_head>, xavis_list = 0x55694947b1e8 <_xavi_list_head>}
--Type <RET> for more, q to quit, c to continue without paging-- c
        __func__ = "run_trans_callbacks_internal"
#10 0x00007fa7cf9bb893 in run_trans_callbacks (type=131072, trans=0x7fa7d11592f0, req=0x0, rpl=0x0, code=0) at t_hooks.c:261
        params = {req = 0x0, rpl = 0x0, param = 0x7fa7d109e788, code = 0, flags = 0, branch = 0, t_rbuf = 0x0, dst = 0x0, send_buf = {s = 0x0, len = 0}}
#11 0x00007fa7cf95ffde in free_cell_helper (dead_cell=0x7fa7d11592f0, silent=0, fname=0x7fa7cfa86442 "timer.c", fline=653) at h_table.c:165
        b = 0x0
        i = 1
        rpl = 0x7ffd0c86f6f0
        tt = 0x1
        foo = 0x0
        cbs = 0x7fa7d083df40
        cbs_tmp = 0x7fa7cf95da29 <futex_get+40>
        __func__ = "free_cell_helper"
#12 0x00007fa7cf9c2796 in wait_handler (ti=867279095, wait_tl=0x7fa7d11593a8, data=0x7fa7d11592f0) at timer.c:653
        p_cell = 0x7fa7d11592f0
        ret = 0
        unlinked = 0
        rcount = 1
        __func__ = "wait_handler"
#13 0x000055694914ccc3 in timer_list_expire (t=867279095, h=0x7fa7d0611b38, slow_l=0x7fa7d0612ac0, slow_mark=8405) at core/timer.c:857
        tl = 0x7fa7d11593a8
        ret = 0
#14 0x000055694914d20d in timer_handler () at core/timer.c:922
        saved_ticks = 867279095
        run_slow_timer = 0
        i = 213
        __func__ = "timer_handler"
#15 0x000055694914d743 in timer_main () at core/timer.c:961
No locals.
#16 0x0000556948e53fcb in main_loop () at main.c:1833
        i = 8
        pid = 0
        si = 0x0
        si_desc = "udp receiver child=7 sock=127.0.0.1:5060\000\065\060\066\060\000\000\000\004\000\000\000\062\000\000\000\000\223\351\002\231l\370Y@P\350\361\247\177\000\000\210\060,IiU\000\000\000\000\000\000\000\000\000\000Ӝ-IiU\000\000\062\000\000\000\000\000\000\000\360\325\304\361\247\177\000\000\360\372\206\f\375\177\000\000\000j\002IiU\000"
        nrprocs = 8
        woneinit = 1
        __func__ = "main_loop"
#17 0x0000556948e5f614 in main (argc=14, argv=0x7ffd0c870068) at main.c:3086
        cfg_stream = 0x556949855380
        c = -1
        r = 0
        tmp = 0x7ffd0c870814 ""
        tmp_len = 37
        port = 0
        proto = -236668592
        ahost = 0x0
        aport = 0
        options = 0x5569492c6268 ":f:cm:M:dVIhEeb:l:L:n:vKrRDTN:W:w:t:u:g:P:G:SQ:O:a:A:x:X:Y:"
        ret = -1
        seed = 1551333326
        rfd = 4
        debug_save = 0
        debug_flag = 0
        dont_fork_cnt = 0
        n_lst = 0x7ffd0c86fcc0
        p = 0x7fa7f1b4af7a "_dl_audit_preinit"
        st = {st_dev = 25, st_ino = 4629, st_nlink = 2, st_mode = 16873, st_uid = 1002, st_gid = 1002, __pad0 = 0, st_rdev = 0, st_size = 80, st_blksize = 4096, st_blocks = 0, st_atim = {tv_sec = 1701353239, tv_nsec = 334017865}, st_mtim = {tv_sec = 1701472337, tv_nsec = 891030255}, st_ctim = {tv_sec = 1701472337, tv_nsec = 891030255}, __glibc_reserved = {0, 0, 0}}
        tbuf = "\000\000\000\000\000\000\000\000\r\000\000\000\000\000\000\000`\226\344\361\247\177\000\000\270\201\324\361\247\177\000\000\311X\345HiU\000\000H':IiU\000\000@P\350\361\247\177\000\000q\337\345\361\247\177\000\000\001", '\000' <repeats 15 times>, "\b\271\344\361\247\177\000\000`f\346\361\247\177\000\000\000\000\000\000\000\000\000\000\340\377\206\f\375\177\000\000\016\000\000\000\000\000\000\000h\000\207\f\375\177\000\000\311X\345HiU\000\000'\f\346\361\247\177\000\000\000\000\000\000\000\000\000\000H':IiU\000\000\340\000\207\f\375\177\000\000\000\000\000\000\000\000\000\000\340b\350\361\247\177\000\000\020\237\324\361\247\177\000\000@\020\345\361\247\177\000\000"...
        option_index = 12
        long_options = {{name = 0x5569492c86a6 "help", has_arg = 0, flag = 0x0, val = 104}, {name = 0x5569492c3514 "version", has_arg = 0, flag = 0x0, val = 118}, {name = 0x5569492c86ab "alias", has_arg = 1, flag = 0x0, val = 1024}, {name = 0x5569492c86b1 "subst", has_arg = 1, flag = 0x0, val = 1025}, {name = 0x5569492c86b7 "substdef", has_arg = 1, flag = 0x0, val = 1026}, {name = 0x5569492c86c0 "substdefs", has_arg = 1, flag = 0x0, val = 1027}, {name = 0x5569492c86ca "server-id", has_arg = 1, flag = 0x0, val = 1028}, {name = 0x5569492c86d4 "loadmodule", has_arg = 1, flag = 0x0, val = 1029}, {name = 0x5569492c86df "modparam", has_arg = 1, flag = 0x0, val = 1030}, {name = 0x5569492c86e8 "log-engine", has_arg = 1, flag = 0x0, val = 1031}, {name = 0x5569492c86f3 "debug", has_arg = 1, flag = 0x0, val = 1032}, {name = 0x5569492c86f9 "cfg-print", has_arg = 0, flag = 0x0, val = 1033}, {name = 0x5569492c8703 "atexit", has_arg = 1, flag = 0x0, val = 1034}, {name = 0x5569492c870a "all-errors", has_arg = 0, flag = 0x0, val = 1035}, {name = 0x0, has_arg = 0, flag = 0x0, val = 0}}
        __func__ = "main"

[github-actions]

This issue is stale because it has been open 6 weeks with no activity. Remove stale label or comment or this will be closed in 2 weeks.

[p-barabas]

Hello, is there any news, update, investigation about this issue?

[github-actions]

This issue is stale because it has been open 6 weeks with no activity. Remove stale label or comment or this will be closed in 2 weeks.

[vteliatnykov]

route[REGFWD] {
        xlog("L_INFO", "-----------");

                $uac_req(method) = "REGISTER";

                $uac_req(ruri) = "sip:" + $avp(domain) + ":" + 'PBX_UDP_PORT';
                $uac_req(furi) = "sip:" + $avp(extension) + "@" + $avp(domain);
                $uac_req(turi) = "sip:" + $avp(extension) + "@" + $avp(domain);
                $uac_req(auser) = $avp(extension);
                $uac_req(apasswd) = $avp(secret);
                $uac_req(evroute)=1;
                $uac_req(hdrs) = "Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER\r\n";
                $uac_req(hdrs) = $uac_req(hdrs) + "Contact: <sip:" + $avp(extension) + "@LOCALVIRTUALIP:MY_INTERNAL_UDP_PORT>\r\n";
                $uac_req(hdrs) = $uac_req(hdrs) + "Expires: REGISTER_EXPIRATION\r\n";
                $uac_req(sock) = "udp:LOCALVIRTUALIP:MY_INTERNAL_UDP_PORT";

                xlog("L_INFO", "Forwarding SIP REGISTER to PBX for user $uac_req(furi)");
                uac_req_send();
}

event_route[uac:reply] {
    xlog("L_NOTICE", "[UAC] - $uac_req(method) request from user $uac_req(auser) to $uac_req(ruri) completed with code: $uac_req(evcode)\n");
}

I have also same error

Mar 11 20:57:00 stage-webrtc-kama-01 /usr/sbin/kamailio[162557]: NOTICE: [35ba98b51f649a01-162583@10.160.201.190 REGISTER uac:reply:2:1248] <script>: [UAC] - REGISTER request from user 1001 to sip:10.156.0.6:5060 completed with code: 401
Mar 11 20:57:00 stage-webrtc-kama-01 /usr/sbin/kamailio[162557]: NOTICE: [35ba98b51f649a01-162583@10.160.201.190 REGISTER uac:reply:2:1248] <script>: [UAC] - REGISTER request from user 1001 to sip:10.156.0.6:5060 completed with code: 200
Mar 11 20:57:05 stage-webrtc-kama-01 /usr/sbin/kamailio[162560]: CRITICAL: [123 OPTIONS <null>:1:0] <core> [core/mem/q_malloc.c:535]: qm_free(): BUG: freeing already freed pointer (0x7fc8acac2e58), called from uac: uac_send.c: uac_send_tm_callback(804), first free uac: uac_send.c: uac_resend_tm_callback(686) - ignoring

I execute that route with Timers.

As a workaround, is there any other possibility to handle 403 reply?
I tried to use t_on_failure, but failure route is not executing.

[github-actions]

This issue is stale because it has been open 6 weeks with no activity. Remove stale label or comment or this will be closed in 2 weeks.