git:master:a71bd9d9: cdp: fix use after free in transaction call backs - sr-dev

25 Jul 2024

Module: kamailio
Branch: master
Commit: a71bd9d9424456ef1167468c5bbbfd38b1099e89
URL: https://github.com/kamailio/kamailio/commit/a71bd9d9424456ef1167468c5bbbfd38...
Author: Rick Barenthin rick@ng-voice.com
Committer: Daniel-Constantin Mierla miconda@gmail.com
Date: 2024-07-25T12:20:59+02:00
cdp: fix use after free in transaction call backs
If the traction is set to auto drop,
the memory will be freed and with it the next pointer.
---
Modified: src/modules/cdp/transaction.c
---
Diff:  https://github.com/kamailio/kamailio/commit/a71bd9d9424456ef1167468c5bbbfd38...
Patch: https://github.com/kamailio/kamailio/commit/a71bd9d9424456ef1167468c5bbbfd38...
---

diff --git a/src/modules/cdp/transaction.c b/src/modules/cdp/transaction.c
index f1445ff15be..a2b97654dd0 100644
--- a/src/modules/cdp/transaction.c
+++ b/src/modules/cdp/transaction.c
@@ -256,10 +256,11 @@ int cdp_trans_timer(time_t now, void *ptr)
    /* do all queued callbacks */
    x = cb_queue->head;
    while(x) {
+		n = x->next;
    	(x->cb)(1, *(x->ptr), 0, (now - x->expires));
    	if(x->auto_drop)
    		cdp_free_trans(x);
-		x = x->next;
+		x = n;
    }
    pkg_free(cb_queue);

    