Module: sip-router
Branch: master
Commit: 1a72ea1d450062e618eeab04655e7cbc742313f2
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=1a72ea1d...
Author: pd peter.dunkley@crocodile-rcs.com
Committer: pd peter.dunkley@crocodile-rcs.com
Date: Sat Nov 19 22:44:21 2011 +0000
modules_k/xcap_server: xcaps_buf sometimes freed in w_xcaps_put()
- The buffer is alloc'd at module startup so should not be freed here.
- When freed here the buffer memory can be alloc'd for other things and then future XCAP server operations will trample over it causing segmentation faults.
- Fix by Hugh Waite @ Crocodile RCS.
---
modules_k/xcap_server/xcap_server.c | 16 +++++++---------
1 files changed, 7 insertions(+), 9 deletions(-)
diff --git a/modules_k/xcap_server/xcap_server.c b/modules_k/xcap_server/xcap_server.c index 33f5629..66dac1f 100644 --- a/modules_k/xcap_server/xcap_server.c +++ b/modules_k/xcap_server/xcap_server.c @@ -474,29 +474,25 @@ static int w_xcaps_put(sip_msg_t* msg, char* puri, char* ppath,
xm = (pv_elem_t*)pbody; body.len = xcaps_buf.len - 1; - body.s = xcaps_buf.s; - if(pv_printf(msg, xm, body.s, &body.len)<0) + if(pv_printf(msg, xm, xcaps_buf.s, &body.len)<0) { LM_ERR("unable to get body\n"); goto error; } - if(body.s==NULL || body.len <= 0) + if(body.len <= 0) { LM_ERR("invalid body parameter\n"); goto error; } - nbuf.s = (char*)pkg_malloc(body.len+1); - if(nbuf.s==NULL) + body.s = (char*)pkg_malloc(body.len+1); + if(body.s==NULL) { LM_ERR("no more pkg\n"); - body.s = NULL; goto error; }
- memcpy(nbuf.s, body.s, body.len); - body.s = nbuf.s; + memcpy(body.s, xcaps_buf.s, body.len); body.s[body.len] = '\0'; - nbuf.s = NULL;
if(parse_uri(uri.s, uri.len, &turi)!=0) { @@ -517,6 +513,8 @@ static int w_xcaps_put(sip_msg_t* msg, char* puri, char* ppath, { xcaps_send_reply(msg, 412, &xcaps_str_precon, &xcaps_str_empty, &xcaps_str_empty, &xcaps_str_empty); + + pkg_free(body.s); return -2; }
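Review bot: In the first hunk of w_xcaps_put(), body.s is no longer assigned before the two early "goto error" exits (the pv_printf() failure and the body.len <= 0 check), so whatever the error label does with body.s now depends on how body was initialised at declaration, and neither the declaration nor the label is visible here. If the label still calls pkg_free() on a non-NULL body.s, please make sure body.s is NULL on those paths, for example by setting it to NULL just before the pv_printf() call. A one-line comment at the pkg_malloc() noting that xcaps_buf is allocated at module startup and must never be passed to pkg_free() from this function would also document the invariant this fix restores.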
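Review bot: In the second hunk, pkg_free(body.s) is added inline on the 412 "return -2" path only, while body.s is now pkg_malloc'd memory owned by this function for every exit after the allocation. Please check that the other exits between the allocation and the end of the function release it as well, including the parse_uri() failure branch whose body is not shown in this diff. Routing this return through a shared cleanup label rather than freeing inline would keep a later added return from leaking the copy.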
Peter Dunkley writes:
- The buffer is alloc'd at module startup so should not be freed here.
- When freed here the buffer memory can be alloc'd for other things and then future XCAP server operations will trample over it causing segmentation faults.
peter, hugh,
thanks for the fix. could you also backport it to 3.2?
-- juha
I'll look into it if I have time next week. It should be fairly straightforward as I don't think there are any other changes to XCAP Server between 3.2 and the master branch.
Just need to work out the right git command...
Peter
On Sun, 2011-11-20 at 06:40 +0200, Juha Heinanen wrote:
Peter Dunkley writes:
- The buffer is alloc'd at module startup so should not be freed here.
- When freed here the buffer memory can be alloc'd for other things and then future XCAP server operations will trample over it causing segmentation faults.
peter, hugh,
thanks for the fix. could you also backport it to 3.2?
-- juha
sr-dev mailing list sr-dev@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
Done. Commit: d50bf0933db8925d75da09de0036d559c9b34b64