Description
OpenSIPS version you are running
$ opensips -V
version: opensips 3.4.15 (x86_64/linux)
flags: STATS: On, DISABLE_NAGLE, USE_MCAST, SHM_MMAP, PKG_MALLOC, Q_MALLOC, F_MALLOC, HP_MALLOC, DBG_MALLOC, FAST_LOCK-ADAPTIVE_WAIT
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, MAX_URI_SIZE 1024, BUF_SIZE 65535
poll method support: poll, epoll, sigio_rt, select.
git revision: c7d3a7b
main.c compiled on with gcc 13
Crash Core Dump
https://test.vayosoft.com/_usr_sbin_opensips.122.crash.txt
Describe the traffic that generated the bug
This always happens when stopping OpenSIPS after at least one SIP client has connected using TLS.
CRITICAL:core:fm_free: freeing already freed shm pointer (0x747a2d29b860), first free: (null): (null)(0) - aborting!
To Reproduce
My SBC supports UDP and TLS:
socket=udp:x.x.x.x:5060
socket = tls:x.x.x.x:5061
...
loadmodule "proto_udp.so"
loadmodule "proto_tcp.so"
loadmodule "tls_mgm.so"
modparam("tls_mgm", "db_url", "mysql://opensips:opensipsrw@localhost/opensips")
loadmodule "tls_openssl.so"
loadmodule "proto_tls.so"
....
My TLS certificate from Sectigo CA is initialized using a MariaDB database installed locally on Ubuntu 24.04 LTS.
In the tls_mgm table, the following fields are filled:
domain=dom, match_ip_address=x.x.x.x:5061, match_sip_domain=XXX.XXXXX.com, type=2, method=SSLv23, verify_cert=0, require_cert=0, certificate=-----BEGIN CERTIFICATE.... , private_key=-----BEGIN RSA PRIVATE KEY...., crl_check_all=0, crl_dir=[NULL], ca_list=-----BEGIN CERTIFICATE---..., ca_dir=/etc/opensips/tls, dh_params=[NULL], ec_curve=[NULL]
I also tested this issue by configuring all these settings directly from the OpenSIPS configuration - the issue still persists.
I tried to work synchronously with "proto_tls" - the issue still persists.
modparam("proto_tls", "tls_async", 0) # not asynchronous
All my SIP clients (Linphone/Zoiper) are successfully authorized with these TLS settings.
Steps to reproduce the behavior:
- Start OpenSIPS
- Connect at least one SIP client using TLS
- Stop OpenSIPS
- Check the OpenSIPS crash file and the OpenSIPS log
It is important to note that without TLS support I can't reproduce this crash/bug, for example with this configuration:
socket=udp:x.x.x.x:5060
...
loadmodule "proto_udp.so"
Relevant System Logs
DBG:tls_openssl:openssl_tls_update_fd: New fd is 132
DBG:tls_openssl:openssl_tls_conn_shutdown: first phase of 2-way handshake completed succesfuly
DBG:tls_openssl:openssl_tls_update_fd: New fd is 131
DBG:tls_openssl:openssl_tls_conn_shutdown: first phase of 2-way handshake completed succesfuly
DBG:tls_mgm:tls_free_domain: Freeing domain: default
CRITICAL:core:fm_free: freeing already freed shm pointer (0x76ac4069b848), first free: (null): (null)(0) - aborting!
A double-free occurs in tls_mgm:tls_free_domain after closing TLS connections. The pointer 0x76ac4069b848 is freed twice:
- First time in openssl_tls_conn_shutdown (closing the TLS handshake)
- Second time in tls_free_domain (freeing the domain)
Why this happens:
You have two active TLS connections (fd 131 and 132) that attempt to free the same shared memory pointer during shutdown.
A more detailed opensips.log is available at
https://test.vayosoft.com/opensips.log.txt
OS/environment information
- Operating System: Ubuntu 24.04 LTS
- OpenSIPS installation: debs
Additional context
It seems that my problem is very similar to this one:
#2979
I have checked the workaround with tls_wolfssl and found that the problem: "CRITICAL:core:fm_free: freeing already freed shm pointer (0x747a2d29b860), first free: (null): (null)(0) - aborting!" still persists.
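
A small triage helper for logs like the one quoted in this report, added here as an example and not part of the original issue or of the OpenSIPS code base. It extracts each fm_free double-free abort, the pointer, whether a first-free location was logged, and the module functions logged just before it. The function name `find_double_frees` and the sample log are constructed, and the line layout is assumed from the lines quoted above.

```python
import re

# Constructed sample, modelled on the log lines quoted in the report above.
SAMPLE_LOG = """\
DBG:tls_openssl:openssl_tls_update_fd: New fd is 131
DBG:tls_openssl:openssl_tls_conn_shutdown: first phase of 2-way handshake completed succesfuly
DBG:tls_mgm:tls_free_domain: Freeing domain: default
CRITICAL:core:fm_free: freeing already freed shm pointer (0x76ac4069b848), first free: (null): (null)(0) - aborting!
"""

# Assumed layout: LEVEL:module:function: message, optionally after a syslog prefix.
LINE_RE = re.compile(r"(?P<level>[A-Z]+):(?P<module>\w+):(?P<func>\w+): (?P<msg>.*)$")
DOUBLE_FREE_RE = re.compile(
    r"freeing already freed (?P<pool>\w+) pointer \((?P<ptr>0x[0-9a-fA-F]+)\), "
    r"first free: (?P<file>.+?): (?P<func>.+?)\((?P<line>\d+)\)"
)


def find_double_frees(log_text, context=3):
    """Return one record per allocator double-free abort found in log_text."""
    history, findings = [], []
    for raw in log_text.splitlines():
        line = LINE_RE.search(raw)
        if line is None:
            continue
        hit = DOUBLE_FREE_RE.search(line["msg"])
        if hit is None:
            history.append(f'{line["module"]}:{line["func"]}')
            continue
        # The log prints "(null)" when it carries no first-free location.
        origin = None
        if hit["file"] != "(null)":
            origin = f'{hit["file"]}:{hit["func"]}:{hit["line"]}'
        findings.append({
            "pointer": hit["ptr"],
            "pool": hit["pool"],
            "first_free": origin,
            "reported_by": f'{line["module"]}:{line["func"]}',
            "preceding": history[-context:],
        })
    return findings


if __name__ == "__main__":
    for finding in find_double_frees(SAMPLE_LOG):
        print(finding)
```
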