On Oct 01, 2012 at 14:19, Jijo <realjijo@gmail.com> wrote:
We found a problem regarding TCP connection aliases in the following code in tcp_main.c:
[...]
As the TCP_ALIAS_REPLACE flag is set in the default TCP options value, in the function _tcpconn_add_alias_unsafe() a TCP connection alias can be moved from connection A to connection B based on the TCP alias hash. In this case, the number of aliases is incremented in connection A and decremented in connection B. However, in connection B the number of aliases can reach zero (no alias), and the code above can be executed for connection B, setting the number of aliases to 1 unconditionally. When this happens, connection B keeps an invalid alias (already excluded from connection B by the tcpconn_add_alias_unsafe() function called from connection A). When connection A is released, the aliases are also released, and this memory area can be filled with different data. As connection B has references to an invalid alias, it can try to access invalid areas and can crash Kamailio. This access happens, for example, when another alias is added to connection B.
To fix it we include a check before the code:
if (c->aliases>0) {
Thanks a lot, I've committed the fix. The only difference is that I changed if (c->aliases>0) into if (c->aliases > 1).
Andrei
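An added, self-contained C model of the count mismatch the report describes (constructed for illustration, not Kamailio's tcp_main.c; struct conn, MAX_ALIASES and the helper names are assumptions): an alias is moved from connection B to connection A, and the unguarded block then raises B's alias count to 1 although B owns nothing, so B reports an entry that belongs to A. The guarded variant uses the reporter's aliases > 0 check; the committed > 1 form depends on the surrounding code elided in the thread, which the model does not reproduce.

```c
#include <string.h>
#define MAX_ALIASES 4
struct conn { int aliases; int con_aliases[MAX_ALIASES]; };

/* Move alias `port` from src to dst (what TCP_ALIAS_REPLACE allows). The vacated
 * slot in src is not cleared: like real memory it keeps its old bytes. */
static int move_alias(struct conn *src, struct conn *dst, int port)
{
    for (int i = 0; i < src->aliases; i++) {
        if (src->con_aliases[i] != port) continue;
        if (dst->aliases >= MAX_ALIASES) return -1;
        memmove(&src->con_aliases[i], &src->con_aliases[i + 1],
                (size_t)(src->aliases - i - 1) * sizeof(int));
        src->aliases--;
        dst->con_aliases[dst->aliases++] = port;
        return 0;
    }
    return -1;
}

/* The block the report describes: the count is forced to 1 without checking
 * whether the connection still owns an alias, so stale slot 0 comes back alive. */
static void set_single_alias_unguarded(struct conn *c) { c->aliases = 1; }

/* Same block behind the reporter's `aliases > 0` check. */
static void set_single_alias_guarded(struct conn *c) { if (c->aliases > 0) c->aliases = 1; }

/* Invariant: an alias belongs to exactly one connection, so every alias both b
 * and a claim is a stale entry on b's side (freed with A, then used via B). */
static int stale_alias_count(const struct conn *b, const struct conn *a)
{
    int stale = 0;
    for (int i = 0; i < b->aliases; i++)
        for (int j = 0; j < a->aliases; j++)
            if (b->con_aliases[i] == a->con_aliases[j]) stale++;
    return stale;
}

/* Scenario: B owns alias port 5060, it moves to A, then the block runs on B.
 * Returns how many stale aliases B still reports: 1 unguarded, 0 guarded. */
static int run_scenario(int guarded)
{
    struct conn a = {0}, b = {0};
    b.con_aliases[0] = 5060; b.aliases = 1;
    if (move_alias(&b, &a, 5060) != 0) return -1;
    if (guarded) set_single_alias_guarded(&b); else set_single_alias_unguarded(&b);
    return stale_alias_count(&b, &a);
}
```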