[sr-dev] git:sr_3.0: core: fix fixup_spve_* reuse after free

Andrei Pelinescu-Onciul andrei at iptel.org
Thu Oct 15 18:08:10 CEST 2009


Module: sip-router
Branch: sr_3.0
Commit: c6e33a080b218ec87184b216144e527cb41754da
URL:    http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=c6e33a080b218ec87184b216144e527cb41754da

Author: Andrei Pelinescu-Onciul <andrei at iptel.org>
Committer: Andrei Pelinescu-Onciul <andrei at iptel.org>
Date:   Thu Oct 15 17:58:05 2009 +0200

core: fix fixup_spve_* reuse after free

- fixup_spve_* functions have an optimization that checks if a
parsed format is a simple string and, if this happens, it frees
the fixed param and re-does the fixup with type==string.
However, when freeing the result of the first fixup the original
string was freed too and the next string fixup would be
called with freed memory instead of a valid string.
(this bug was hidden before the memleak fix in af8f3e1536d)

---

 mod_fix.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/mod_fix.c b/mod_fix.c
index 90a4a4d..53b12ea 100644
--- a/mod_fix.c
+++ b/mod_fix.c
@@ -197,7 +197,6 @@ FIXUP_F2FP_T(igp_pvar_pvar, 1, 3, 1, FPARAM_INT|FPARAM_PVS, FPARAM_PVS)
 		int ret; \
 		char * bkp; \
 		fparam_t* fp; \
-		bkp=*param; \
 		if (param_no<=(no1)){ \
 			if ((ret=fix_param_types(FPARAM_PVE, param))<0){ \
 				ERR("Cannot convert function parameter %d to" #type2 "\n", \
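Review bot: with the early `bkp=*param;` removed, `bkp` is now assigned only inside the `getf==0` branch further down, so any other use of `bkp` in this macro (the rest of the body is outside the hunk) would read an uninitialized pointer and compilers may warn about it; please confirm `*param=bkp;` is the only remaining reader. Unrelated but visible in the context: the format string `"Cannot convert function parameter %d to" #type2 "\n"` lacks a space before the stringified type, so the message renders as e.g. "...parameter 1 tostring"; `"... to " #type2 "\n"` would fix it.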
@@ -206,6 +205,8 @@ FIXUP_F2FP_T(igp_pvar_pvar, 1, 3, 1, FPARAM_INT|FPARAM_PVS, FPARAM_PVS)
 			} else{ \
 				fp=(fparam_t*)*param; \
 				if ((ret==0) && (fp->v.pve->spec.getf==0)){ \
+					bkp=fp->orig; \
+					fp->orig=0; /* make sure orig string is not freed */ \
 					fparam_free_contents(fp); \
 					pkg_free(fp); \
 					*param=bkp; \
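Review bot: the fix transfers ownership of `fp->orig` to `bkp` before `fparam_free_contents(fp)` so the original string survives and can be handed back via `*param=bkp;`, which is correct only if `fparam_free_contents()` tolerates a NULL `orig` field; a short comment stating that this code relies on `fparam_free_contents()` freeing `orig` (and skipping it when 0) would make the ownership handover and the reason for `fp->orig=0;` clear to the next reader, since the inline comment only says what is done, not why.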