[sr-dev] git:3.1: dialog(k): reset the pointer value after free

[Daniel-Constantin Mierla]

Module: sip-router
Branch: 3.1
Commit: a4b121c5d654c8c4656506d20d9dc660dff50724
URL:    http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=a4b121c5d654c8c4656506d20d9dc660dff50724

Author: Daniel-Constantin Mierla <miconda at gmail.com>
Committer: Daniel-Constantin Mierla <miconda at gmail.com>
Date:   Fri Oct 29 11:52:59 2010 +0200

dialog(k): reset the pointer value after free

- otherwise may result in double free, reported by Alex Balashov
(cherry picked from commit 4e196f47767dc8da8da560f57afc92add541b672)

---

 modules_k/dialog/dlg_hash.c |   12 ++++++++++--
 1 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/modules_k/dialog/dlg_hash.c b/modules_k/dialog/dlg_hash.c
index 3ec22a4..0c14f05 100644
--- a/modules_k/dialog/dlg_hash.c
+++ b/modules_k/dialog/dlg_hash.c
@@ -297,8 +297,16 @@ int dlg_set_leg_info(struct dlg_cell *dlg, str* tag, str *rr, str *contact,
 	dlg->cseq[leg].s = (char*)shm_malloc( cseq->len );
 	if ( dlg->tag[leg].s==NULL || dlg->cseq[leg].s==NULL) {
 		LM_ERR("no more shm mem\n");
-		if (dlg->tag[leg].s) shm_free(dlg->tag[leg].s);
-		if (dlg->cseq[leg].s) shm_free(dlg->cseq[leg].s);
+		if (dlg->tag[leg].s)
+		{
+			shm_free(dlg->tag[leg].s);
+			dlg->tag[leg].s = NULL;
+		}
+		if (dlg->cseq[leg].s)
+		{
+			shm_free(dlg->cseq[leg].s);
+			dlg->cseq[leg].s = NULL;
+		}
 		return -1;
 	}
 	p = dlg->tag[leg].s;