[sr-dev] git:master:649b789c: call_control: check return values and free in case of errors in fixup

Module: kamailio Branch: master Commit: 649b789ccde40778543f2a973a1c01495a2cba8b URL: https://github.com/kamailio/kamailio/commit/649b789ccde40778543f2a973a1c014… Author: Daniel-Constantin Mierla &lt;miconda(a)gmail.com&gt; Committer: Daniel-Constantin Mierla &lt;miconda(a)gmail.com&gt; Date: 2017-07-30T18:18:24+02:00 call_control: check return values and free in case of errors in fixup --- Modified: src/modules/call_control/call_control.c --- Diff: https://github.com/kamailio/kamailio/commit/649b789ccde40778543f2a973a1c014… Patch: https://github.com/kamailio/kamailio/commit/649b789ccde40778543f2a973a1c014… --- diff --git a/src/modules/call_control/call_control.c b/src/modules/call_control/call_control.c index e1776de61a..689a16d1fd 100644 --- a/src/modules/call_control/call_control.c +++ b/src/modules/call_control/call_control.c @@ -245,6 +245,7 @@ int cc_parse_param(void *val, AVP_List** avps) { char *p = NULL; + char *p0 = NULL; str s, content; AVP_List *mp = NULL; @@ -258,13 +259,13 @@ cc_parse_param(void *val, AVP_List** avps) { return -1; } - p = (char*) pkg_malloc (content.len + 1); - CHECK_ALLOC(p); + p0 = (char*) pkg_malloc (content.len + 1); + CHECK_ALLOC(p0); + p = p0; p[content.len] = '\0'; memcpy(p, content.s, content.len); - for (;*p != '\0';) { mp = (AVP_List*) pkg_malloc (sizeof(AVP_List)); @@ -296,8 +297,13 @@ cc_parse_param(void *val, AVP_List** avps) { s.len = strlen(p); p = pv_parse_spec(&s, mp->pv); + if(p==NULL) { + LM_ERR("failed to parse pv spec\n"); + goto error; + } for (; isspace(*p); p++); + *avps = mp; } @@ -310,6 +316,7 @@ cc_parse_param(void *val, AVP_List** avps) { } pkg_free(mp); } + if(p0) pkg_free(p0); return -1; } @@ -581,6 +588,7 @@ make_custom_request(struct sip_msg *msg, CallInfo *call) { static char request[8192]; int len = 0; + int len0 = 0; AVP_List *al; pv_value_t pt; @@ -601,21 +609,26 @@ make_custom_request(struct sip_msg *msg, CallInfo *call) } for (; al; al = al->next) { - pv_get_spec_value(msg, al->pv, &pt); + if(pv_get_spec_value(msg, al->pv, &pt)<0) { + LM_ERR("failed to get pv value\n"); + return NULL; + } if (pt.flags & PV_VAL_INT) { - len += snprintf(request + len, sizeof(request), + len += snprintf(request + len0, sizeof(request)-len0, "%.*s = %d ", al->name.len, al->name.s, pt.ri); } else if (pt.flags & PV_VAL_STR) { - len += snprintf(request + len, sizeof(request), + len += snprintf(request + len0, sizeof(request)-len0, "%.*s = %.*s ", al->name.len, al->name.s, pt.rs.len, pt.rs.s); } - if (len >= sizeof(request)) { - LM_ERR("callcontrol request is longer than %ld bytes\n", (unsigned long)sizeof(request)); + if (len >= sizeof(request)-len0) { + LM_ERR("callcontrol request is longer than %ld bytes\n", + (unsigned long)sizeof(request)); return NULL; - } + } + len0 = len; }