Module: sip-router
Branch: master
Commit: e6c0c2f9871eab5a73371d48dfa24e4ece2512d8
URL:
http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=e6c0c2f…
Author: Daniel-Constantin Mierla <miconda(a)gmail.com>
Committer: Daniel-Constantin Mierla <miconda(a)gmail.com>
Date: Thu Jun 12 12:12:02 2014 +0200
acc: clear new parsed headers when evaluating acc attributes
- the structures are in pkg, while the request is taken from the shm clone; this can
cause references to the memory space of another process
- reported by Igor Potjevlesch
---
modules/acc/acc_logic.c | 14 ++++++++++++++
1 files changed, 14 insertions(+), 0 deletions(-)
diff --git a/modules/acc/acc_logic.c b/modules/acc/acc_logic.c
index 051209c..b6aa0ad 100644
--- a/modules/acc/acc_logic.c
+++ b/modules/acc/acc_logic.c
@@ -489,6 +489,7 @@ static inline void acc_onreply( struct cell* t, struct sip_msg *req,
{
str new_uri_bk;
int br = -1;
+ hdr_field_t *hdr;
/* acc_onreply is bound to TMCB_REPLY which may be called
from _reply, like when FR hits; we should not miss this
@@ -551,6 +552,19 @@ static inline void acc_onreply( struct cell* t, struct sip_msg *req,
req->new_uri = new_uri_bk;
req->parsed_uri_ok = 0;
}
+
+ /* free header's parsed structures that were added by resolving acc attributes */
+ for( hdr=req->headers ; hdr ; hdr=hdr->next ) {
+ if ( hdr->parsed && hdr_allocs_parse(hdr) &&
+ (hdr->parsed<(void*)t->uas.request ||
+ hdr->parsed>=(void*)t->uas.end_request)) {
+ /* header parsed filed doesn't point inside uas.request memory
+ * chunck -> it was added by resolving acc attributes -> free it as pkg */
+ DBG("removing hdr->parsed %d\n", hdr->type);
+ clean_hdr_field(hdr);
+ hdr->parsed = 0;
+ }
+ }
}
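Review bot: Between the evaluation of the acc attributes and this cleanup loop, `hdr->parsed` on the shared shm request clone holds a pointer into this process's pkg memory. Nothing in the hunk shows a lock covering that window, so another process working on the same transaction could presumably still read the pointer. The loop also sits at the very end of acc_onreply, whose body starts outside the hunk, so it is worth confirming that no earlier `return` after attribute evaluation skips it. The range test against `t->uas.request` and `t->uas.end_request` relies on an unstated assumption; I would add a comment such as `/* req shares its header list with t->uas.request: any parsed pointer outside [request, end_request) was pkg-allocated by this process */`.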