Module: sip-router Branch: 3.2 Commit: d50bf0933db8925d75da09de0036d559c9b34b64 URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=d50bf093...
Author: pd peter.dunkley@crocodile-rcs.com Committer: pd peter.dunkley@crocodile-rcs.com Date: Sat Nov 19 22:44:21 2011 +0000
modules_k/xcap_server: xcaps_buf sometimes freed in w_xcaps_put()
- The buffer is alloc'd at module startup so should not be freed here. - When freed here the buffer memory can be alloc'd for other things and then future XCAP server operations will trample over it causing segmentation faults. - Fix by Hugh Waite @ Crocodile RCS.
---
modules_k/xcap_server/xcap_server.c | 16 +++++++--------- 1 files changed, 7 insertions(+), 9 deletions(-)
diff --git a/modules_k/xcap_server/xcap_server.c b/modules_k/xcap_server/xcap_server.c
index 33f5629..66dac1f 100644
--- a/modules_k/xcap_server/xcap_server.c
+++ b/modules_k/xcap_server/xcap_server.c
@@ -474,29 +474,25 @@ static int w_xcaps_put(sip_msg_t* msg, char* puri, char* ppath,
 xm = (pv_elem_t*)pbody;
 body.len = xcaps_buf.len - 1;
- body.s = xcaps_buf.s;
- if(pv_printf(msg, xm, body.s, &body.len)<0)
+ if(pv_printf(msg, xm, xcaps_buf.s, &body.len)<0)
 {
 LM_ERR("unable to get body\n");
 goto error;
 }
- if(body.s==NULL || body.len <= 0)
+ if(body.len <= 0)
 {
 LM_ERR("invalid body parameter\n");
 goto error;
 }
- nbuf.s = (char*)pkg_malloc(body.len+1);
- if(nbuf.s==NULL)
+ body.s = (char*)pkg_malloc(body.len+1);
+ if(body.s==NULL)
 {
 LM_ERR("no more pkg\n");
- body.s = NULL;
 goto error;
 }
- memcpy(nbuf.s, body.s, body.len);
- body.s = nbuf.s;
+ memcpy(body.s, xcaps_buf.s, body.len);
 body.s[body.len] = '\0';
- nbuf.s = NULL;
if(parse_uri(uri.s, uri.len, &turi)!=0) { @@ -517,6 +513,8 @@ static int w_xcaps_put(sip_msg_t* msg, char* puri, char* ppath, { xcaps_send_reply(msg, 412, &xcaps_str_precon, &xcaps_str_empty, &xcaps_str_empty, &xcaps_str_empty); + + pkg_free(body.s); return -2; }
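Review bot: The two early `goto error` exits in the first hunk (after `pv_printf` fails and after the `body.len <= 0` check) now run before `body.s` has been assigned, because the `body.s = xcaps_buf.s;` line was removed and the pointer is first set by `pkg_malloc`. The `error:` label and the declaration of `body` are both outside the hunk; if that label frees `body.s` when it is non-NULL, as the removed `body.s = NULL;` suggests, these paths are only safe when `body` is zero-initialised at its declaration. Adding `body.s = NULL;` next to `body.len = xcaps_buf.len - 1;` would make that explicit and keep an uninitialised pointer from ever reaching `pkg_free`. The `nbuf` local also looks unused after this change and could be dropped.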
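Review bot: The `pkg_free(body.s);` added before `return -2;` in the second hunk releases the pkg copy on this one early return only, so the buffer is now freed in two separate places (here and, presumably, under the `error:` label, which is outside the hunk). Any other direct `return` between the `pkg_malloc` in the first hunk and the end of w_xcaps_put() would need the same release; that cannot be checked from the visible lines. A short comment at the free, for example `/* body.s is a private pkg copy, not xcaps_buf.s: release it on every exit */`, would record the ownership rule this commit establishes.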