[CRASH] Cluster dialog + cgrates

[lieaux1626-gif]

OpenSIPS version you are running
version: opensips 3.6.4 (x86_64/linux)
flags: STATS: On, DISABLE_NAGLE, USE_MCAST, SHM_MMAP, PKG_MALLOC, Q_MALLOC, F_MALLOC, HP_MALLOC, F_PARALLEL_MALLOC, DBG_MALLOC, FAST_LOCK-ADAPTIVE_WAIT
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, MAX_URI_SIZE 1024, BUF_SIZE 65535
poll method support: poll, epoll, sigio_rt, select.
git revision: 2367deb
main.c compiled on with gcc 12

Crash Core Dump
coredumpctl info opensips
PID: 605768 (opensips)
UID: 102 (opensips)
GID: 109 (opensips)
Signal: 11 (SEGV)
Timestamp: Wed 2026-04-22 15:23:39 CEST (15min ago)
Command Line: /usr/sbin/opensips -P /run/opensips/opensips.pid -f /etc/opensips/opensips.cfg -m 512 -M 64
Executable: /usr/sbin/opensips
Control Group: /system.slice/opensips.service
Unit: opensips.service
Slice: system.slice
Boot ID: 27bda4e651cd42feac0aba8d212133ae
Machine ID: 99a22f2b5e614ea1a7d1029520b93e99
Hostname: x-opensipsgw-rm-02
Storage: /var/lib/systemd/coredump/core.opensips.102.27bda4e651cd42feac0aba8d212133ae.605768.1776864219000000.zst (present)
Size on Disk: 1.0M
Message: Process 605768 (opensips) of user 102 dumped core.

            Stack trace of thread 605768:
            #0  0x00007f2518250207 tsl (cgrates.so + 0xb207)
            #1  0x00007f251a8f20e0 run_dlg_callbacks (dialog.so + 0x170e0)
            #2  0x00007f251a9168f6 destroy_dlg (dialog.so + 0x3b8f6)
            #3  0x00007f251a91a6ff _unref_dlg (dialog.so + 0x3f6ff)
            #4  0x00007f251a92b9b2 dlg_replicated_delete (dialog.so + 0x509b2)
            #5  0x00007f251a92d75e receive_dlg_repl (dialog.so + 0x5275e)
            #6  0x00007f251af7e239 run_mod_packet_cb (clusterer.so + 0x8239)
            #7  0x000055f199409559 ipc_handle_job (opensips + 0x59559)
            #8  0x000055f199575f50 handle_io (opensips + 0x1c5f50)
            #9  0x000055f1995775d7 io_wait_loop_epoll (opensips + 0x1c75d7)
            #10 0x000055f19956f296 tcp_start_processes (opensips + 0x1bf296)
            #11 0x000055f1993d445d main_loop (opensips + 0x2445d)
            #12 0x00007f253fe0a24a n/a (libc.so.6 + 0x2724a)
            #13 0x00007f253fe0a305 __libc_start_main (libc.so.6 + 0x27305)
            #14 0x000055f1993d4a91 _start (opensips + 0x24a91)
            ELF object binary architecture: AMD x86-64

       PID: 606238 (opensips)
       UID: 102 (opensips)
       GID: 109 (opensips)
    Signal: 11 (SEGV)
 Timestamp: Wed 2026-04-22 15:25:36 CEST (13min ago)

Command Line: /usr/sbin/opensips -P /run/opensips/opensips.pid -f /etc/opensips/opensips.cfg -m 512 -M 64
Executable: /usr/sbin/opensips
Control Group: /system.slice/opensips.service
Unit: opensips.service
Slice: system.slice
Boot ID: 27bda4e651cd42feac0aba8d212133ae
Machine ID: 99a22f2b5e614ea1a7d1029520b93e99
Hostname: x-opensipsgw-rm-02
Storage: /var/lib/systemd/coredump/core.opensips.102.27bda4e651cd42feac0aba8d212133ae.606238.1776864336000000.zst (present)
Size on Disk: 1.0M
Message: Process 606238 (opensips) of user 102 dumped core.

            Stack trace of thread 606238:
            #0  0x00007fc14483c207 tsl (cgrates.so + 0xb207)
            #1  0x00007fc146ede0e0 run_dlg_callbacks (dialog.so + 0x170e0)
            #2  0x00007fc146f028f6 destroy_dlg (dialog.so + 0x3b8f6)
            #3  0x00007fc146f066ff _unref_dlg (dialog.so + 0x3f6ff)
            #4  0x00007fc146f179b2 dlg_replicated_delete (dialog.so + 0x509b2)
            #5  0x00007fc146f1975e receive_dlg_repl (dialog.so + 0x5275e)
            #6  0x00007fc14757e239 run_mod_packet_cb (clusterer.so + 0x8239)
            #7  0x00005593bdb4d559 ipc_handle_job (opensips + 0x59559)
            #8  0x00005593bdcb9f50 handle_io (opensips + 0x1c5f50)
            #9  0x00005593bdcbb5d7 io_wait_loop_epoll (opensips + 0x1c75d7)
            #10 0x00005593bdcb3296 tcp_start_processes (opensips + 0x1bf296)
            #11 0x00005593bdb1845d main_loop (opensips + 0x2445d)
            #12 0x00007fc16c3fa24a n/a (libc.so.6 + 0x2724a)
            #13 0x00007fc16c3fa305 __libc_start_main (libc.so.6 + 0x27305)
            #14 0x00005593bdb18a91 _start (opensips + 0x24a91)
            ELF object binary architecture: AMD x86-64

Describe the traffic that generated the bug
Simple Call with cgrates_auth and cgrates_acc

To Reproduce
Enable cluster in dialog, usrloc and drouting modules.
Autorize call with cgrates_auth and call cgrates_acc in relay.
When the call close the dialog after Bye, the non active nodes received dialog destroy and crash :

CRITICAL:core:sig_usr: segfault in process pid: 595136, id: 13

Relevant System Logs
CRITICAL:core:sig_usr: segfault in process pid: 595136, id: 13

OS/environment information

• Operating System: Debian 12
• OpenSIPS installation: debs
• other relevant information:

[lieaux1626-gif]

Proposed Patch

Do not save local SHM pointers in replicated dialog values
In practice, avoid using cgrX_ctx as a serialized/replicated pointer.

Identify the cgr_acc_ctx using stable dialog keys
For example, dlg->h_entry and dlg->h_id, maintaining a local lookup in the module.

Protect the lookup with a "pinned" refcount
When the callback searches the context:

Gets a reference while the context is still protected
only then uses it
then releases the reference
This avoids the race between lookup and free.