Module: kamailio
Branch: master
Commit: a71bd9d9424456ef1167468c5bbbfd38b1099e89
URL:
https://github.com/kamailio/kamailio/commit/a71bd9d9424456ef1167468c5bbbfd3…
Author: Rick Barenthin <rick(a)ng-voice.com>
Committer: Daniel-Constantin Mierla <miconda(a)gmail.com>
Date: 2024-07-25T12:20:59+02:00
cdp: fix use after free in transaction call backs
If the transaction is set to auto drop,
its memory will be freed, and the next pointer with it.
---
Modified: src/modules/cdp/transaction.c
---
Diff:
https://github.com/kamailio/kamailio/commit/a71bd9d9424456ef1167468c5bbbfd3…
Patch:
https://github.com/kamailio/kamailio/commit/a71bd9d9424456ef1167468c5bbbfd3…
---
diff --git a/src/modules/cdp/transaction.c b/src/modules/cdp/transaction.c
index f1445ff15be..a2b97654dd0 100644
--- a/src/modules/cdp/transaction.c
+++ b/src/modules/cdp/transaction.c
@@ -256,10 +256,11 @@ int cdp_trans_timer(time_t now, void *ptr)
/* do all queued callbacks */
x = cb_queue->head;
while(x) {
+ n = x->next;
(x->cb)(1, *(x->ptr), 0, (now - x->expires));
if(x->auto_drop)
cdp_free_trans(x);
- x = x->next;
+ x = n;
}
pkg_free(cb_queue);
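Review bot: Nothing at the new `n = x->next;` line records why the successor must be read before the callback runs, so a later cleanup could fold it back into `x = x->next;` and reintroduce the use after free. A one-line comment there would pin the ordering, e.g. `/* read next now: cdp_free_trans(x) below releases x when auto_drop is set */`. The `if(x->auto_drop)` test still reads `x` after `(x->cb)(...)` returns, so if a callback is ever allowed to release its own transaction, that read has the same problem. Copying the flag into a local before the call would cover that case, assuming callbacks are not expected to change it. The declaration of `n` and the rest of cdp_trans_timer lie outside the hunk.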