git:master:d7e42cee: modules/ims_registrar_scscf: fixed segfault on multiple impu when building notify - sr-dev

12 Feb 2016

Module: kamailio
Branch: master
Commit: d7e42ceef76e66b06d97159e71043fd552a29e8c
URL: https://github.com/kamailio/kamailio/commit/d7e42ceef76e66b06d97159e71043fd5...
Author: jaybeepee jason.penton@gmail.com
Committer: jaybeepee jason.penton@gmail.com
Date: 2016-02-12T20:48:14+02:00
modules/ims_registrar_scscf: fixed segfault on multiple impu when building notify
    - also reported and fixed by Dragos Oancea
---
Modified: modules/ims_registrar_scscf/registrar_notify.c
---
Diff:  https://github.com/kamailio/kamailio/commit/d7e42ceef76e66b06d97159e71043fd5...
Patch: https://github.com/kamailio/kamailio/commit/d7e42ceef76e66b06d97159e71043fd5...
---

diff --git a/modules/ims_registrar_scscf/registrar_notify.c b/modules/ims_registrar_scscf/registrar_notify.c
index df1f0b1..70eb978 100644
--- a/modules/ims_registrar_scscf/registrar_notify.c
+++ b/modules/ims_registrar_scscf/registrar_notify.c
@@ -2006,9 +2006,9 @@ reg_notification * new_notification(str subscription_state,
     char *p;
len = sizeof (reg_notification) + r->call_id.len + r->from_tag.len + r->to_tag.len + r->watcher_uri.len + r->watcher_contact.len +
-            r->record_route.len + r->sockinfo_str.len + r->presentity_uri.len + subscription_state.len + content_type.len + (num_impus*sizeof(str)); // + buf.len;
+            r->record_route.len + r->sockinfo_str.len + r->presentity_uri.len + subscription_state.len + content_type.len + (num_impus)*sizeof(str); // + buf.len;
     for (i=0; i<num_impus; i++) {
-        len += impus[i]->len;
+        len += (*impus)[i].len;
     }
LM_DBG("Creating new notification");
@@ -2084,13 +2084,13 @@ reg_notification * new_notification(str subscription_state,
     p += content_type.len;
     LM_DBG("Notification content type: [%.*s]", n->content_type.len, n->content_type.s);
-    n->impus = p;
+    n->impus = (str*)p;
     p += sizeof(str)*num_impus;
     for (i=0; i<num_impus; i++) {
         n->impus[i].s = p;
-        memcpy(p, impus[i]->s, impus[i]->len);
-        n->impus[i].len = impus[i]->len;
-        p += impus[i]->len;
+        memcpy(p, (*impus)[i].s, (*impus)[i].len);
+        n->impus[i].len = (*impus)[i].len;
+        p += (*impus)[i].len;
     }
     n->num_impus = num_impus;

    