git:3.1: dialog(k): reset the pointer value after free - sr-dev

24 Nov 2010

Module: sip-router
Branch: 3.1
Commit: a4b121c5d654c8c4656506d20d9dc660dff50724
URL:    http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=a4b121c5...
Author: Daniel-Constantin Mierla miconda@gmail.com
Committer: Daniel-Constantin Mierla miconda@gmail.com
Date:   Fri Oct 29 11:52:59 2010 +0200
dialog(k): reset the pointer value after free
- otherwise may result in double free, reported by Alex Balashov
(cherry picked from commit 4e196f47767dc8da8da560f57afc92add541b672)
---
modules_k/dialog/dlg_hash.c |   12 ++++++++++--
 1 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/modules_k/dialog/dlg_hash.c b/modules_k/dialog/dlg_hash.c
index 3ec22a4..0c14f05 100644
--- a/modules_k/dialog/dlg_hash.c
+++ b/modules_k/dialog/dlg_hash.c
@@ -297,8 +297,16 @@ int dlg_set_leg_info(struct dlg_cell *dlg, str* tag, str *rr, str *contact,
    dlg->cseq[leg].s = (char*)shm_malloc( cseq->len );
    if ( dlg->tag[leg].s==NULL || dlg->cseq[leg].s==NULL) {
    	LM_ERR("no more shm mem\n");
-		if (dlg->tag[leg].s) shm_free(dlg->tag[leg].s);
-		if (dlg->cseq[leg].s) shm_free(dlg->cseq[leg].s);
+		if (dlg->tag[leg].s)
+		{
+			shm_free(dlg->tag[leg].s);
+			dlg->tag[leg].s = NULL;
+		}
+		if (dlg->cseq[leg].s)
+		{
+			shm_free(dlg->cseq[leg].s);
+			dlg->cseq[leg].s = NULL;
+		}
    	return -1;
    }
    p = dlg->tag[leg].s;

    