[CRASH]TLS+SRTP causes memory overflow and crashes #3552

Open
menglj opened this issue Jan 6, 2025 · 3 comments
menglj commented Jan 6, 2025

OpenSIPS version you are running

[root~]# opensips -V
version: opensips 3.3.5 (x86_64/linux)
flags: STATS: On, DISABLE_NAGLE, USE_MCAST, SHM_MMAP, PKG_MALLOC, Q_MALLOC, F_MALLOC, HP_MALLOC, DBG_MALLOC, FAST_LOCK-ADAPTIVE_WAIT
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, MAX_URI_SIZE 1024, BUF_SIZE 65535
poll method support: poll, epoll, sigio_rt, select.
git revision: fefc271cc
main.c compiled on 14:22:55 Nov  9 2023 with gcc 8

Crash Core Dump
openisps_mem.log

Describe the traffic that generated the bug
The called party has set up TLS and SRTP. OpenSIPS uses RTP to dial the called party and gets a 488 response. Perform the following operations to dial again.

# local_users.cfg 
route[LOCAL_USERS] {
   .....
    t_newtran();
    t_wait_for_new_branches();
    $avp(filter) = "aor="+$rU+"@"+$rd;
    notify_on_event("E_UL_CONTACT_UPDATE", $avp(filter), "fork_call", $var(PN_TIMEOUT));

      if (!isflagset("TO_LOCAL_USER")){
        setflag("TO_LOCAL_USER");
        uac_replace_from( , "sip:$fU@$td");
      }
      route(PUBLISH);
}

route[fork_call]  {
  t_inject_branches("event");
}

# routes_onreply.cfg
onreply_route[2] {
....

  if (t_check_status("488|415")) {
      if (isflagset("TO_LOCAL_USER") && $dlg_val(force_srtp) != "yes"){
        t_wait_no_more_branches();
      }
      exit();
  }

}

# routes_failure.cfg
failure_route[1] {
  if (t_check_status("488|415")) {
    rtpengine_delete();
    if (isflagset("TO_LOCAL_USER") && $dlg_val(force_srtp) != "yes"){
      xlog("L_INFO","$ci|$rm|$ru 488/415 (Not Acceptable Here/Unsupported Media Type), the UAC wants to have SRTP?");
      $dlg_val(force_srtp) = "yes";
      $var(inc_cseq) = $(avp(original_cseq){s.int}) + 1;
      remove_hf("CSeq:");
      append_hf("CSeq: $var(inc_cseq) $rm\r\n", "Call-ID");
      xlog("L_INFO", "[INCREASE_CSEQ]: [F=$fu R=$ru D=$du M=$rm IP=($si:$sp $socket_in(ip):$socket_in(port)) ID=$ci CSeq: $avp(original_cseq) -> $var(inc_cseq)");
      route(LOCAL_USERS);
      route(RELAY);
    }
  }
}

OS/environment information

  • Operating System:
Rocky Linux release 8.8 (Green Obsidian)  
Linux 4.18.0-477.27.1.el8_8.x86_64 #1 SMP Wed Sep 20 15:55:39 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
  • OpenSIPS installation: manual packages

  • /etc/default/opensips: S_MEMORY=2048 P_MEMORY=16

@bogdan-iancu
Member

Hi @menglj, unfortunately the 3.3 versions are old and no longer maintained. Only 3.4 and 3.5 are. So, there is a high probability to have the issue fixed in the latest version. You should consider upgrading.
Even more, without a GDB backtrace (from the core file), it is impossible to pinpoint the issue - are you able to extract one? (see https://opensips.org/Documentation/TroubleShooting-Crash)


menglj commented Jan 9, 2025

Hi @bogdan-iancu,
Thank you very much for your help.

OpenSIPS version you are running

[root~]# opensips -V
version: opensips 3.3.10 (x86_64/linux)
flags: STATS: On, DISABLE_NAGLE, USE_MCAST, SHM_MMAP, PKG_MALLOC, Q_MALLOC, F_MALLOC, HP_MALLOC, DBG_MALLOC, FAST_LOCK-ADAPTIVE_WAIT
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, MAX_URI_SIZE 1024, BUF_SIZE 65535
poll method support: poll, epoll, sigio_rt, select.
git revision: 073259087
main.c compiled on 12:18:26 Jan  9 2025 with gcc 8

Crash Core Dump
opensips-20250109.log

The crash generated two core files:

[root@cba]# ll
-rw------- 1 opensips opensips 2169503744 Jan  9 17:02 core.1743178
-rw------- 1 opensips opensips 2169446400 Jan  9 17:01 core.1743185
[root@cba]# gdb /opt/opensips/sbin/opensips core.1743185
GNU gdb (GDB) Rocky Linux 8.2-20.el8.0.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /opt/opensips/sbin/opensips...done.

warning: Can't open file (null) during file-backed mapping note processing
[New LWP 1743185]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `/opt/opensips/sbin/opensips -P /opt/opensips/run/opensips.pid -f /opt/opensips/'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007fb445dc2bfa in shm_str_dup (dst=0x7fb44943d3d0, dst=0x7fb44943d3d0, src=0x7fb44943d8c8, src=0x7fb44943d8c8)
    at dlg_hash.c:376
376		return dlg->legs_no[DLG_LEGS_USED]++;
Missing separate debuginfos, use: yum debuginfo-install brotli-1.0.6-3.el8.x86_64 cyrus-sasl-lib-2.1.27-6.el8_5.x86_64 glibc-2.28-225.el8_8.6.x86_64 gmp-6.1.2-10.el8.x86_64 gnutls-3.6.16-6.el8_7.x86_64 json-c-0.13.1-3.el8.x86_64 keyutils-libs-1.5.10-9.el8.x86_64 krb5-libs-1.18.2-25.el8_8.x86_64 libcom_err-1.45.6-5.el8.x86_64 libcurl-7.61.1-30.el8_8.3.x86_64 libffi-3.1-24.el8.x86_64 libidn2-2.2.0-1.el8.x86_64 libmicrohttpd-0.9.59-3.el8.x86_64 libnghttp2-1.33.0-5.el8_8.x86_64 libpsl-0.20.2-6.el8.x86_64 libselinux-2.9-8.el8.x86_64 libssh-0.9.6-10.el8_8.x86_64 libtasn1-4.13-4.el8_7.x86_64 libunistring-0.9.9-3.el8.x86_64 libxcrypt-4.1.1-6.el8.x86_64 libxml2-2.9.7-16.el8_8.1.x86_64 mariadb-connector-c-3.1.11-2.el8_3.x86_64 nettle-3.4.1-7.el8.x86_64 openldap-2.4.46-18.el8.x86_64 openssl-libs-1.1.1k-9.el8_7.x86_64 p11-kit-0.23.22-1.el8.x86_64 pcre2-10.32-3.el8_6.x86_64 sssd-client-2.8.2-3.el8_8.x86_64 xz-libs-5.2.4-4.el8_6.x86_64 zlib-1.2.11-21.el8_7.x86_64
(gdb) bt full
#0  0x00007fb445dc2bfa in shm_str_dup (dst=0x7fb44943d3d0, dst=0x7fb44943d3d0, src=0x7fb44943d8c8, src=0x7fb44943d8c8)
    at dlg_hash.c:376
        __FUNCTION__ = "shm_str_dup"
#1  dlg_clone_callee_leg (dlg=dlg@entry=0x7fb44946c0b0, cloned_leg_idx=cloned_leg_idx@entry=4) at dlg_hash.c:365
        leg = 0x7fb44943d348
        src_leg = 0x7fb44943d840
        __FUNCTION__ = "dlg_clone_callee_leg"
#2  0x00007fb445d9ec2e in push_reply_in_dialog (mangled_to=0x7ffe611b9210, mangled_from=0x7ffe611b9200, 
    dlg=<optimized out>, t=<optimized out>, rpl=<optimized out>) at dlg_handlers.c:531
        tag = {
          s = 0xad4a67 <buf+231> "3a6d146f\r\nFrom: \"menglj3Yealink T28P\" <sip:7102@ceshiceshi003>;tag=c1d39c7b-b5b3-4f30-a99a-8c2483101e7b\r\nCall-ID: 5c18bf7d-c9f4-4e09-a2fd-7dfb32c5b623\r\nCSeq: 26672 INVITE\r\nUser-Agent: WCALL for androi"..., len = 8}
        contact = {s = 0x7fb4403c8c70 <cmds+2416> "\022", len = 1077709920}
        rr_set = {s = 0x7fb4c86dc010 "\324~k", len = 7136928}
        skip_rrs = 0
        cseq_no = <optimized out>
        leg = 4
        tag = <optimized out>
        contact = <optimized out>
        rr_set = <optimized out>
        skip_rrs = <optimized out>
        cseq_no = <optimized out>
        leg = <optimized out>
        __FUNCTION__ = "push_reply_in_dialog"
#3  dlg_onreply (t=<optimized out>, type=<optimized out>, param=<optimized out>) at dlg_handlers.c:637
        rpl = <optimized out>
        req = <optimized out>
        dlg = <optimized out>
        new_state = 0
        old_state = 11356775
        unref = 1077709936
        event = <optimized out>
        mangled_from = {
          s = 0x7fb44943bbd2 "From: \"menglj3Yealink T28P\" <sip:7102@ceshiceshi003>;tag=c1d39c7b-b5b3-4f30-a99a-8c2483101e7b\r\nTo: <sip:7101@ceshiceshi003>\r\nContact: <sip:[email protected]:6060;did=5a8.4e294a63>\r\nCall-ID: 5c18bf7d-c9"..., len = 95}
        mangled_to = {s = 0x0, len = 0}
        req_out_buff = <optimized out>
        __FUNCTION__ = "dlg_onreply"
#4  0x00007fb44084c831 in run_any_trans_callbacks (type=type@entry=8, trans=trans@entry=0x7fb4493e72f0, 
    req=0x7fb44942ad78, rpl=rpl@entry=0x7fb4c9384380, code=code@entry=180, list=<optimized out>, list=<optimized out>)
    at t_hooks.c:214
        params = {req = 0x7fb44942ad78, rpl = 0x7fb4c9384380, code = 180, param = 0x7fb44946cf90, extra1 = 0x0, 
          extra2 = 0x0}
        cbp = 0x7fb44946cf80
        backup = 0xabe070 <global_avps>
        trans_backup = 0x7fb4493e72f0
        __FUNCTION__ = "run_any_trans_callbacks"
#5  0x00007fb44084d6e8 in run_trans_callbacks (type=type@entry=8, trans=trans@entry=0x7fb4493e72f0, 
    req=<optimized out>, rpl=rpl@entry=0x7fb4c9384380, code=code@entry=180) at t_hooks.c:233
No locals.
--Type <RET> for more, q to quit, c to continue without paging--c
#6  0x00007fb4407fe201 in relay_reply (t=0x7fb4493e72f0, p_msg=<optimized out>, branch=<optimized out>, msg_status=180, cancel_bitmap=0x7ffe611b98a4) at t_reply.c:1295
        relay = 3
        save_clone = 0
        buf = 0x0
        res_len = 0
        relayed_code = 0
        relayed_msg = 0x7fb4c9384380
        bm = {to_tag_val = {s = 0x7fb44942ad78 "\004", len = -919059584}}
        totag_retr = 0
        reply_status = RPS_PROVISIONAL
        uas_rb = 0x7fb4493e73f0
        cb_s = {s = 0x0, len = 0}
        text = {s = 0x7ffe000000b4 <error: Cannot access memory at address 0x7ffe000000b4>, len = 0}
        __FUNCTION__ = "relay_reply"
#7  0x00007fb4407ff5cf in reply_received (p_msg=0x7fb4c9384380) at t_reply.c:1667
        msg_status = 180
        last_uac_status = <optimized out>
        branch = 3
        reply_status = <optimized out>
        timer = 0
        cancel_bitmap = 0
        uac = 0x7fb4493e7ac8
        t = 0x7fb4493e72f0
        backup_list = <optimized out>
        has_reply_route = <optimized out>
        old_route_type = <optimized out>
        __FUNCTION__ = "reply_received"
#8  0x00000000004a697e in forward_reply (msg=msg@entry=0x7fb4c9384380) at forward.c:499
        new_buf = 0x0
        to = 0x0
        new_len = 0
        mod = 0x7fb4c871d740
        proto = <optimized out>
        id = 0
        send_sock = <optimized out>
        s = <optimized out>
        len = <optimized out>
        __FUNCTION__ = "forward_reply"
#9  0x0000000000473f03 in receive_msg (buf=0xad4980 <buf> "SIP/2.0 180 Ringing\r\nVia: SIP/2.0/UDP 4.41.13.83:6060;branch=z9hG4bKcdba.f1e8ec6.3\r\nContact: <sip:[email protected]:40247>;+sip.instance=\"<urn:uuid:5a4c73df-047a-406e-8433-c4d24cdb813d>\";reg-id=1\r\nTo"..., len=<optimized out>, rcv_info=rcv_info@entry=0x7ffe611b9ad0, existing_context=existing_context@entry=0x0, msg_flags=msg_flags@entry=0) at receive.c:278
        ctx = 0x7fb4c93852a8
        msg = 0x7fb4c9384380
        start = {tv_sec = 0, tv_usec = 0}
        rc = 3
        old_route_type = 4
        tmp = <optimized out>
        in_buff = {s = 0xad4980 <buf> "SIP/2.0 180 Ringing\r\nVia: SIP/2.0/UDP 4.41.13.83:6060;branch=z9hG4bKcdba.f1e8ec6.3\r\nContact: <sip:[email protected]:40247>;+sip.instance=\"<urn:uuid:5a4c73df-047a-406e-8433-c4d24cdb813d>\";reg-id=1\r\nTo"..., len = 526}
        __FUNCTION__ = "receive_msg"
#10 0x000000000067e951 in udp_read_req (si=<optimized out>, bytes_read=<optimized out>) at net/proto_udp/proto_udp.c:186
        ri = {src_ip = {af = 2, len = 4, u = {addrl = {3041486559, 5}, addr32 = {3041486559, 0, 5, 0}, addr16 = {26335, 46409, 0, 0, 5, 0, 0, 0}, addr = "\337fI\265\000\000\000\000\005\000\000\000\000\000\000"}}, dst_ip = {af = 2, len = 4, u = {addrl = {184574986, 0}, addr32 = {184574986, 0, 0, 0}, addr16 = {25610, 2816, 0, 0, 0, 0, 0, 0}, addr = "\nd\000\v", '\000' <repeats 11 times>}}, src_port = 25492, dst_port = 6060, proto = 1, proto_reserved1 = 0, proto_reserved2 = 0, src_su = {s = {sa_family = 2, sa_data = "c\224\337fI\265\000\000\000\000\000\000\000"}, sin = {sin_family = 2, sin_port = 37987, sin_addr = {s_addr = 3041486559}, sin_zero = "\000\000\000\000\000\000\000"}, sin6 = {sin6_family = 2, sin6_port = 37987, sin6_flowinfo = 3041486559, sin6_addr = {__in6_u = {__u6_addr8 = '\000' <repeats 15 times>, __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {0, 0, 0, 0}}}, sin6_scope_id = 3365496824}}, bind_address = 0x7fb4c87148f8}
        len = <optimized out>
        buf = "SIP/2.0 180 Ringing\r\nVia: SIP/2.0/UDP 4.41.13.83:6060;branch=z9hG4bKcdba.f1e8ec6.3\r\nContact: <sip:[email protected]:40247>;+sip.instance=\"<urn:uuid:5a4c73df-047a-406e-8433-c4d24cdb813d>\";reg-id=1\r\nTo"...
        tmp = <optimized out>
        fromlen = 16
        p = <optimized out>
        msg = {s = 0xad4980 <buf> "SIP/2.0 180 Ringing\r\nVia: SIP/2.0/UDP 4.41.13.83:6060;branch=z9hG4bKcdba.f1e8ec6.3\r\nContact: <sip:[email protected]:40247>;+sip.instance=\"<urn:uuid:5a4c73df-047a-406e-8433-c4d24cdb813d>\";reg-id=1\r\nTo"..., len = 526}
        __FUNCTION__ = "udp_read_req"
#11 0x00000000006510a9 in handle_io (idx=<optimized out>, event_type=<optimized out>, fm=<optimized out>) at net/net_udp.c:295
        n = <optimized out>
        read = 0
        n = <optimized out>
        read = <optimized out>
        __FUNCTION__ = "handle_io"
#12 io_wait_loop_epoll (repeat=<optimized out>, t=<optimized out>, h=<optimized out>) at net/../io_wait_loop.h:311
        ret = 1
        n = 1
        r = 0
        i = <optimized out>
        e = <optimized out>
        ep_event = {events = 3362867448, data = {ptr = 0x700007fb4, fd = 32692, u32 = 32692, u64 = 30064803764}}
        fd = <optimized out>
        curr_time = 28
        __FUNCTION__ = "io_wait_loop_epoll"
#13 0x00000000006561e7 in udp_start_processes (chd_rank=chd_rank@entry=0xabe0b0 <chd_rank>, startup_done=startup_done@entry=0x7fb4493c9ea0) at net/net_udp.c:520
        si = <optimized out>
        p_id = <optimized out>
        i = <optimized out>
        p = <optimized out>
        __FUNCTION__ = "udp_start_processes"
#14 0x000000000041b846 in main_loop () at main.c:228
        startup_done = 0x7fb4493c9ea0
        last_check = 0
        rc = <optimized out>
        chd_rank = 2
        startup_done = <optimized out>
        last_check = <optimized out>
        rc = <optimized out>
        __FUNCTION__ = "main_loop"
#15 main (argc=<optimized out>, argv=<optimized out>) at main.c:924
        c = <optimized out>
        r = 0
        tmp = 0x7ffe611bbea0 ""
        tmp_len = <optimized out>
        port = <optimized out>
        proto = <optimized out>
        protos_no = <optimized out>
        options = 0x6c3cf8 "f:cCm:M:b:l:n:N:rRvdDFEVhw:t:u:g:p:P:G:W:o:a:k:s:"
        seed = 3714821280
        rfd = <optimized out>
        __FUNCTION__ = "main"
(gdb) 
[root@cbas]# gdb /opt/opensips/sbin/opensips core.1743178
GNU gdb (GDB) Rocky Linux 8.2-20.el8.0.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /opt/opensips/sbin/opensips...done.

warning: Can't open file (null) during file-backed mapping note processing
[New LWP 1743178]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `/opt/opensips/sbin/opensips -P /opt/opensips/run/opensips.pid -f /opt/opensips/'.
Program terminated with signal SIGABRT, Aborted.
#0  0x00007fb4c972bacf in raise () from /lib64/libc.so.6
Missing separate debuginfos, use: yum debuginfo-install brotli-1.0.6-3.el8.x86_64 cyrus-sasl-lib-2.1.27-6.el8_5.x86_64 glibc-2.28-225.el8_8.6.x86_64 gmp-6.1.2-10.el8.x86_64 gnutls-3.6.16-6.el8_7.x86_64 json-c-0.13.1-3.el8.x86_64 keyutils-libs-1.5.10-9.el8.x86_64 krb5-libs-1.18.2-25.el8_8.x86_64 libcom_err-1.45.6-5.el8.x86_64 libcurl-7.61.1-30.el8_8.3.x86_64 libffi-3.1-24.el8.x86_64 libidn2-2.2.0-1.el8.x86_64 libmicrohttpd-0.9.59-3.el8.x86_64 libnghttp2-1.33.0-5.el8_8.x86_64 libpsl-0.20.2-6.el8.x86_64 libselinux-2.9-8.el8.x86_64 libssh-0.9.6-10.el8_8.x86_64 libtasn1-4.13-4.el8_7.x86_64 libunistring-0.9.9-3.el8.x86_64 libxcrypt-4.1.1-6.el8.x86_64 libxml2-2.9.7-16.el8_8.1.x86_64 mariadb-connector-c-3.1.11-2.el8_3.x86_64 nettle-3.4.1-7.el8.x86_64 openldap-2.4.46-18.el8.x86_64 openssl-libs-1.1.1k-9.el8_7.x86_64 p11-kit-0.23.22-1.el8.x86_64 pcre2-10.32-3.el8_6.x86_64 sssd-client-2.8.2-3.el8_8.x86_64 xz-libs-5.2.4-4.el8_6.x86_64 zlib-1.2.11-21.el8_7.x86_64
(gdb) bt full
#0  0x00007fb4c972bacf in raise () from /lib64/libc.so.6
No symbol table info available.
#1  0x00007fb4c96feea5 in abort () from /lib64/libc.so.6
No symbol table info available.
#2  0x00000000005540f9 in sig_alarm_abort (signo=<optimized out>) at shutdown.c:162
        __FUNCTION__ = "sig_alarm_abort"
#3  <signal handler called>
No symbol table info available.
#4  0x00007fb4c971612b in sched_yield () from /lib64/libc.so.6
No symbol table info available.
#5  0x00007fb445dce278 in get_lock (lock=<optimized out>) at ../../parser/../mem/../fastlock.h:230
        i = 0
        i = <optimized out>
#6  next_state_dlg (dlg=dlg@entry=0x7fb44946c0b0, event=event@entry=1, dir=dir@entry=2, 
    old_state=old_state@entry=0x7ffe611b9080, new_state=new_state@entry=0x7ffe611b9058, 
    unref=unref@entry=0x7ffe611b9090, last_dst_leg=last_dst_leg@entry=0, 
    replicate_events=replicate_events@entry=1 '\001') at dlg_hash.c:1179
        d_entry = 0x7fb449124d60
        __FUNCTION__ = "next_state_dlg"
#7  0x00007fb445d9db72 in dlg_onreply (t=t@entry=0x0, type=type@entry=4096, param=param@entry=0x7ffe611b94c0)
    at dlg_handlers.c:703
        rpl = 0x0
        req = <optimized out>
        dlg = <optimized out>
        new_state = 39094340
        old_state = 1048427360
        unref = 0
        event = 1
        mangled_from = {s = 0x0, len = 0}
        mangled_to = {s = 0x0, len = 0}
        req_out_buff = <optimized out>
        __FUNCTION__ = "dlg_onreply"
#8  0x00007fb445da06f3 in unreference_dialog_create (dialog=<optimized out>) at dlg_handlers.c:1248
        params = {req = 0x0, rpl = 0x0, code = 0, param = 0x7ffe611b94b8, extra1 = 0x0, extra2 = 0x0}
#9  0x00007fb44084cadb in empty_tmcb_list (head=head@entry=0x7fb4493e7360) at t_hooks.c:53
        cbp = 0x0
        cbp_tmp = <optimized out>
        __FUNCTION__ = "empty_tmcb_list"
#10 0x00007fb44080a883 in free_cell (dead_cell=0x7fb4493e72f0) at h_table.c:127
        b = <optimized out>
        i = <optimized out>
        rpl = <optimized out>
        tt = <optimized out>
        foo = <optimized out>
        p = <optimized out>
        __FUNCTION__ = "free_cell"
#11 0x00007fb44080d76b in free_hash_table () at h_table.c:357
        p_cell = <optimized out>
        tmp_cell = 0x0
        i = 43996
        __FUNCTION__ = "free_hash_table"
#12 0x00007fb440809c72 in tm_shutdown () at t_funcs.c:91
--Type <RET> for more, q to quit, c to continue without paging--c
        __FUNCTION__ = "tm_shutdown"
#13 0x00000000005121db in destroy_module (m=0x7fb4c871d740, skip_others=<optimized out>) at sr_module.c:555
        dep = 0x0
#14 0x00000000005121f3 in destroy_module (m=0x7fb4c871ad80, skip_others=<optimized out>) at sr_module.c:552
        dep = 0x7fb4c88a6298
#15 0x0000000000512207 in destroy_module (m=0x7fb4c871b728, skip_others=<optimized out>) at sr_module.c:544
        dep = <optimized out>
#16 0x0000000000512207 in destroy_module (m=0x7fb4c871b9d8, skip_others=<optimized out>) at sr_module.c:544
        dep = <optimized out>
#17 0x0000000000512207 in destroy_module (m=0x7fb4c871bb58, skip_others=<optimized out>) at sr_module.c:544
        dep = <optimized out>
#18 0x0000000000512207 in destroy_module (m=0x7fb4c871bd70, skip_others=<optimized out>) at sr_module.c:544
        dep = <optimized out>
#19 0x0000000000512207 in destroy_module (m=0x7fb4c871c0b8, skip_others=<optimized out>) at sr_module.c:544
        dep = <optimized out>
#20 0x0000000000512207 in destroy_module (m=0x7fb4c871c238, skip_others=<optimized out>) at sr_module.c:544
        dep = <optimized out>
#21 0x0000000000512207 in destroy_module (m=0x7fb4c871c4e8, skip_others=<optimized out>) at sr_module.c:544
        dep = <optimized out>
#22 0x0000000000512207 in destroy_module (m=0x7fb4c871c668, skip_others=<optimized out>) at sr_module.c:544
        dep = <optimized out>
#23 0x0000000000512207 in destroy_module (m=0x7fb4c871c880, skip_others=<optimized out>) at sr_module.c:544
        dep = <optimized out>
#24 0x0000000000512207 in destroy_module (m=0x7fb4c871cb20, skip_others=<optimized out>) at sr_module.c:544
        dep = <optimized out>
#25 0x0000000000512207 in destroy_module (m=0x7fb4c871cca0, skip_others=<optimized out>) at sr_module.c:544
        dep = <optimized out>
#26 0x0000000000512207 in destroy_module (m=0x7fb4c871ce20, skip_others=<optimized out>) at sr_module.c:544
        dep = <optimized out>
#27 0x0000000000512207 in destroy_module (m=0x7fb4c871d260, skip_others=<optimized out>) at sr_module.c:544
        dep = <optimized out>
#28 0x0000000000512207 in destroy_module (m=0x7fb4c871d5c0, skip_others=<optimized out>) at sr_module.c:544
        dep = <optimized out>
#29 0x0000000000512207 in destroy_module (m=0x7fb4c871d740, skip_others=<optimized out>) at sr_module.c:544
        dep = <optimized out>
#30 0x0000000000512207 in destroy_module (m=0x7fb4c871e650, skip_others=<optimized out>) at sr_module.c:544
        dep = <optimized out>
#31 0x0000000000512207 in destroy_module (m=0x7fb4c871ec00, skip_others=<optimized out>) at sr_module.c:544
        dep = <optimized out>
#32 0x0000000000512207 in destroy_module (m=0x7fb4c871ed80, skip_others=<optimized out>) at sr_module.c:544
        dep = <optimized out>
#33 0x0000000000512207 in destroy_module (m=0x7fb4c871ef00, skip_others=<optimized out>) at sr_module.c:544
        dep = <optimized out>
#34 0x0000000000512207 in destroy_module (m=0x7fb4c871f080, skip_others=<optimized out>) at sr_module.c:544
        dep = <optimized out>
#35 0x0000000000512207 in destroy_module (m=0x7fb4c871f660, skip_others=<optimized out>) at sr_module.c:544
        dep = <optimized out>
#36 0x0000000000512207 in destroy_module (m=0x7fb4c871fe00, skip_others=<optimized out>) at sr_module.c:544
        dep = <optimized out>
#37 0x0000000000512207 in destroy_module (m=0x7fb4c8720190, skip_others=<optimized out>) at sr_module.c:544
        dep = <optimized out>
#38 0x0000000000512207 in destroy_module (m=0x7fb4c87212e0, skip_others=<optimized out>) at sr_module.c:544
        dep = <optimized out>
#39 0x0000000000512207 in destroy_module (m=0x7fb4c8721ce0, skip_others=<optimized out>) at sr_module.c:544
        dep = <optimized out>
#40 0x0000000000512207 in destroy_module (m=0x7fb4c8722600, skip_others=<optimized out>) at sr_module.c:544
        dep = <optimized out>
#41 0x0000000000512207 in destroy_module (m=0x7fb4c8722818, skip_others=<optimized out>) at sr_module.c:544
        dep = <optimized out>
#42 0x0000000000512207 in destroy_module (m=0x7fb4c8722a30, skip_others=<optimized out>) at sr_module.c:544
        dep = <optimized out>
#43 0x0000000000512207 in destroy_module (m=0x7fb4c8722c48, skip_others=<optimized out>) at sr_module.c:544
        dep = <optimized out>
#44 0x0000000000512207 in destroy_module (m=0x7fb4c87254e0, skip_others=<optimized out>) at sr_module.c:544
        dep = <optimized out>
#45 0x0000000000512207 in destroy_module (m=0x7fb4c8725660, skip_others=<optimized out>) at sr_module.c:544
        dep = <optimized out>
#46 0x0000000000512207 in destroy_module (m=0x7fb4c8726a00, skip_others=<optimized out>) at sr_module.c:544
        dep = <optimized out>
#47 0x0000000000512207 in destroy_module (m=0x7fb4c8726cb8, skip_others=<optimized out>) at sr_module.c:544
        dep = <optimized out>
#48 0x0000000000512207 in destroy_module (m=0x7fb4c8726ed8, skip_others=<optimized out>) at sr_module.c:544
        dep = <optimized out>
#49 0x0000000000512207 in destroy_module (m=0x7fb4c8727230, skip_others=<optimized out>) at sr_module.c:544
        dep = <optimized out>
#50 0x0000000000512207 in destroy_module (m=0x7fb4c8727450, skip_others=<optimized out>) at sr_module.c:544
        dep = <optimized out>
#51 0x0000000000512207 in destroy_module (m=0x7fb4c8727720, skip_others=<optimized out>) at sr_module.c:544
        dep = <optimized out>
#52 0x0000000000512207 in destroy_module (m=0x7fb4c8727e78, skip_others=<optimized out>) at sr_module.c:544
        dep = <optimized out>
#53 0x0000000000512207 in destroy_module (m=0x7fb4c8728328, skip_others=<optimized out>) at sr_module.c:544
        dep = <optimized out>
#54 0x0000000000512207 in destroy_module (m=0x7fb4c8728c88, skip_others=<optimized out>) at sr_module.c:544
        dep = <optimized out>
#55 0x0000000000512207 in destroy_module (m=0x7fb4c8728fd8, skip_others=<optimized out>) at sr_module.c:544
        dep = <optimized out>
#56 0x00000000005155d0 in destroy_module (skip_others=0, m=0x7fb4c8729290) at sr_module.c:544
        dep = <optimized out>
        dep = <optimized out>
#57 destroy_module (skip_others=0, m=0x7fb4c87298c8) at sr_module.c:544
        dep = <optimized out>
        dep = <optimized out>
#58 destroy_module (skip_others=0, m=0x7fb4c872af98) at sr_module.c:544
        dep = <optimized out>
        dep = <optimized out>
#59 destroy_module (skip_others=0, m=0x7fb4c872b5e0) at sr_module.c:544
        dep = <optimized out>
        dep = <optimized out>
#60 destroy_module (skip_others=0, m=0x7fb4c872d3b8) at sr_module.c:544
        dep = <optimized out>
        dep = <optimized out>
#61 destroy_module (skip_others=0, m=0x7fb4c872d998) at sr_module.c:544
        dep = <optimized out>
        dep = <optimized out>
#62 destroy_modules () at sr_module.c:565
        mod = <optimized out>
        aux = <optimized out>
        __FUNCTION__ = "destroy_modules"
#63 0x00000000005541f6 in cleanup (show_status=show_status@entry=1) at shutdown.c:86
        __FUNCTION__ = "cleanup"
#64 0x0000000000554e5c in shutdown_opensips (status=status@entry=139) at shutdown.c:250
        proc = <optimized out>
        i = <optimized out>
        n = <optimized out>
        p = <optimized out>
        chld_status = 0
        __FUNCTION__ = "shutdown_opensips"
#65 0x000000000051160f in handle_sigs () at signals.c:115
        chld = 0
        chld_status = 139
        overall_status = 139
        i = <optimized out>
        do_exit = <optimized out>
        __FUNCTION__ = "handle_sigs"
#66 0x000000000041be4f in main_loop () at main.c:295
        startup_done = <optimized out>
        last_check = 0
        rc = <optimized out>
        chd_rank = 17
        startup_done = <optimized out>
        last_check = <optimized out>
        rc = <optimized out>
        __FUNCTION__ = "main_loop"
#67 main (argc=<optimized out>, argv=<optimized out>) at main.c:924
        c = <optimized out>
        r = <optimized out>
        tmp = 0x7ffe611bbea0 ""
        tmp_len = <optimized out>
        port = <optimized out>
        proto = <optimized out>
        protos_no = <optimized out>
        options = 0x6c3cf8 "f:cCm:M:b:l:n:N:rRvdDFEVhw:t:u:g:p:P:G:W:o:a:k:s:"
        seed = 3714821280
        rfd = <optimized out>
        __FUNCTION__ = "main"

system message

Jan  9 17:01:29 cba kernel: opensips[1743185]: segfault at 3 ip 00007fb445dc2bfa sp 00007ffe611b90d0 error 4 in dialog.so[7fb445d6f000+a8000]
Jan  9 17:02:58 cba systemd[1]: opensips.service: Main process exited, code=dumped, status=6/ABRT
Jan  9 17:02:58 cba systemd[1]: opensips.service: Failed with result 'core-dump'.
Jan  9 17:02:58 cba systemd[1]: opensips.service: Service RestartSec=100ms expired, scheduling restart.
Jan  9 17:02:58 cba systemd[1]: opensips.service: Scheduled restart job, restart counter is at 1.
Jan  9 17:02:58 cba opensips[1743318]: Jan  9 17:02:58 [1743318] NOTICE:core:main: config file ok, exiting...

Describe the traffic that generated the bug
The called party has set up TLS and SRTP. OpenSIPS uses RTP to dial the called party and gets a 488 response. Perform the following operations to dial again.

# local_users.cfg 
route[LOCAL_USERS] {
   .....
    t_newtran();
    t_wait_for_new_branches();
    $avp(filter) = "aor="+$rU+"@"+$rd;
    notify_on_event("E_UL_CONTACT_UPDATE", $avp(filter), "fork_call", $var(PN_TIMEOUT));

      if (!isflagset("TO_LOCAL_USER")){
        setflag("TO_LOCAL_USER");
        uac_replace_from( , "sip:$fU@$td");
      }
      route(PUBLISH);
}

route[fork_call]  {
  t_inject_branches("event");
}

# routes_onreply.cfg
onreply_route[2] {
....

  if (t_check_status("488|415")) {
      if (isflagset("TO_LOCAL_USER") && $dlg_val(force_srtp) != "yes"){
        t_wait_no_more_branches();
      }
      exit();
  }

}

# routes_failure.cfg
failure_route[1] {
  if (t_check_status("488|415")) {
    rtpengine_delete();
    if (isflagset("TO_LOCAL_USER") && $dlg_val(force_srtp) != "yes"){
      xlog("L_INFO","$ci|$rm|$ru 488/415 (Not Acceptable Here/Unsupported Media Type), the UAC wants to have SRTP?");
      $dlg_val(force_srtp) = "yes";
      $var(inc_cseq) = $(avp(original_cseq){s.int}) + 1;
      remove_hf("CSeq:");
      append_hf("CSeq: $var(inc_cseq) $rm\r\n", "Call-ID");
      xlog("L_INFO", "[INCREASE_CSEQ]: [F=$fu R=$ru D=$du M=$rm IP=($si:$sp $socket_in(ip):$socket_in(port)) ID=$ci CSeq: $avp(original_cseq) -> $var(inc_cseq)");
      route(LOCAL_USERS);
      route(RELAY);
    }
  }
}

OS/environment information

  • Operating System:
Rocky Linux release 8.8 (Green Obsidian)  
Linux 4.18.0-477.27.1.el8_8.x86_64 #1 SMP Wed Sep 20 15:55:39 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
  • OpenSIPS installation: manual packages

  • /etc/default/opensips: S_MEMORY=2048 P_MEMORY=16


Any updates here? No progress has been made in the last 15 days, marking as stale. Will close this issue if no further updates are made in the next 30 days.

github-actions bot added the stale label Jan 25, 2025