Module: sip-router
Branch: master
Commit: bb3eed8aabea9f63c9922f71714aea242771db02
URL:
http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=bb3eed8…
Author: Daniel-Constantin Mierla <miconda(a)gmail.com>
Committer: Daniel-Constantin Mierla <miconda(a)gmail.com>
Date: Fri May 2 21:50:14 2014 +0200
dialog: copy dlg var value locally on get operation
- returning a reference to shared memory risks accessing an invalid
pointer if another process updates it
- reported by Dragos Oancea
---
modules/dialog/dlg_var.c | 18 ++++++++++++++++--
1 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/modules/dialog/dlg_var.c b/modules/dialog/dlg_var.c
index 111dcd8..4b2ca89 100644
--- a/modules/dialog/dlg_var.c
+++ b/modules/dialog/dlg_var.c
@@ -284,6 +284,7 @@ int pv_get_dlg_variable(struct sip_msg *msg, pv_param_t *param,
pv_value_t *res)
{
dlg_cell_t *dlg;
str * value;
+ str spv;
if (param==NULL || param->pvn.type!=PV_NAME_INTSTR
|| param->pvn.u.isname.type!=AVP_NAME_STR
@@ -306,6 +307,19 @@ int pv_get_dlg_variable(struct sip_msg *msg, pv_param_t *param,
pv_value_t *res)
/* dcm: todo - the value should be cloned for safe usage */
value = get_dlg_variable_unsafe(dlg, ¶m->pvn.u.isname.name.s);
+ spv.s = NULL;
+ if(value) {
+ spv.len = pv_get_buffer_size();
+ if(spv.len<value->len+1) {
+ LM_ERR("pv buffer too small (%d) - needed %d\n", spv.len, value->len);
+ } else {
+ spv.s = pv_get_buffer();
+ strncpy(spv.s, value->s, value->len);
+ spv.len = value->len;
+ spv.s[spv.len] = '\0';
+ }
+ }
+
print_lists(dlg);
/* unlock dialog */
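Review bot: The copy at `strncpy(spv.s, value->s, value->len);` stops at the first NUL byte in the source and zero-pads the remainder, while `spv.len` is still set to `value->len`; the length is already known and checked against the buffer size, so `memcpy(spv.s, value->s, value->len);` would copy exactly the bytes the `str` describes. The too-small branch only logs and leaves `spv.s` NULL, so, judging by the last hunk, an oversized value is returned as null and a script cannot tell it from an unset variable; if that is intended it deserves a comment, and the message should print `value->len+1` as the needed size. The `/* dcm: todo - the value should be cloned for safe usage */` comment is now stale and could become `/* copy the value into the pv buffer before the dialog is unlocked */`, assuming the lock is still held at this point, which the hunk suggests but does not show. The body of pv_get_dlg_variable starts and ends outside this hunk.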
@@ -314,8 +328,8 @@ int pv_get_dlg_variable(struct sip_msg *msg, pv_param_t *param,
pv_value_t *res)
dlg_release(dlg);
}
- if (value)
- return pv_get_strval(msg, param, res, value);
+ if (spv.s)
+ return pv_get_strval(msg, param, res, &spv);
return pv_get_null(msg, param, res);