[sr-dev] git:3.1: tm: fix possible uninit. use of cancel_reason

Daniel-Constantin Mierla miconda at gmail.com
Sun Oct 24 20:52:16 CEST 2010


Module: sip-router
Branch: 3.1
Commit: 292bab78715749066db5693b22b490fcbcfa4e4a
URL:    http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=292bab78715749066db5693b22b490fcbcfa4e4a

Author: Andrei Pelinescu-Onciul <andrei at iptel.org>
Committer: Daniel-Constantin Mierla <miconda at gmail.com>
Date:   Wed Oct 20 18:38:11 2010 +0200

tm: fix possible uninit. use of cancel_reason

In some cases an uninitialized cancel_reason structure was used
(e.g. fake_reply() and relay_reply() failing).

Reported-by: Alex Balashov  abalashov evaristesys com
(cherry picked from commit 7faa58b0264cb77c991a21bd3b7e3d660596ad85)

---

 modules/tm/t_cancel.c |    1 +
 modules/tm/t_reply.c  |   11 +++++++++++
 modules/tm/timer.c    |    1 +
 3 files changed, 13 insertions(+), 0 deletions(-)

diff --git a/modules/tm/t_cancel.c b/modules/tm/t_cancel.c
index 277c415..c1b52be 100644
--- a/modules/tm/t_cancel.c
+++ b/modules/tm/t_cancel.c
@@ -225,6 +225,7 @@ int cancel_branch( struct cell *t, int branch,
 	irb=&t->uac[branch].request;
 	irb->flags|=F_RB_CANCELED;
 	ret=1;
+	init_cancel_info(&tmp_cd);
 
 #	ifdef EXTRA_DEBUG
 	if (crb->buffer!=BUSY_BUFFER) {
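Review bot: the `init_cancel_info(&tmp_cd);` call is added after `ret=1;`, partway into the body of cancel_branch(), so whether it runs early enough depends on code outside this hunk. If tmp_cd is declared at function scope, making this the first statement after the declarations would guarantee the structure is initialized on every path, including any early exit added later, and would match the placement of the same call in fake_reply() in timer.c.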
diff --git a/modules/tm/t_reply.c b/modules/tm/t_reply.c
index fcf214d..382244f 100644
--- a/modules/tm/t_reply.c
+++ b/modules/tm/t_reply.c
@@ -1096,8 +1096,11 @@ static unsigned char drop_replies;
  * Checks if the new reply (with new_code status) should be sent or not
  *  based on the current
  * transaction status.
+ *
+ * @param cancel_data - initialized cancel_info structure.
  * Returns 	- branch number (0,1,...) which should be relayed
  *         -1 if nothing to be relayed
+ * WARNING: cancel_data should be initialized prior to calling this function.
  */
 static enum rps t_should_relay_response( struct cell *Trans , int new_code,
 	int branch , int *should_store, int *should_relay,
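Review bot: the two lines added to the t_should_relay_response() comment state the same requirement twice (`@param cancel_data - initialized cancel_info structure.` and the `WARNING:` line), and neither says what happens when the caller skips the initialization. Suggest keeping the @param line and having the warning name init_cancel_info() as the required call and state the consequence. The WARNING also sits below the "Returns" lines, where it reads as part of the return-value description; moving it above them would keep the return values as the last thing in the block.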
@@ -1576,6 +1579,10 @@ skip:
    REPLY_LOCK and it returns unlocked!
    If do_put_on_wait==1 and this is the final reply, the transaction
    wait timer will be started (put_on_wait(t)).
+ *
+ * @param cancel_data - initialized cancel_info structure.
+ *
+ * WARNING: cancel_data should be initialized prior to calling this function.
 */
 enum rps relay_reply( struct cell *t, struct sip_msg *p_msg, int branch,
 	unsigned int msg_status, struct cancel_info *cancel_data,
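Review bot: relay_reply() is not declared static in the context line below the comment, so the new "initialized prior to calling" requirement may apply to callers outside t_reply.c, yet this patch only adds init_cancel_info() calls in cancel_branch() and fake_reply(). Please say in the commit message which callers of relay_reply() were checked. As a style point, the added lines start with ` *` while the existing lines of this comment block are plain indented text (`REPLY_LOCK and it returns unlocked!`), so the block now mixes two comment styles.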
@@ -1851,6 +1858,10 @@ error01:
 /* this is the "UAC" above transaction layer; if a final reply
    is received, it triggers a callback; note well -- it assumes
    it is entered locked with REPLY_LOCK and it returns unlocked!
+ *
+ * @param cancel_data - initialized cancel_info structure.
+ *
+ * WARNING: cancel_data should be initialized prior to calling this function.
 */
 enum rps local_reply( struct cell *t, struct sip_msg *p_msg, int branch,
 	unsigned int msg_status, struct cancel_info *cancel_data)
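Review bot: the comment added above local_reply() is the third verbatim copy of the same `@param cancel_data` and `WARNING:` text in this file, and the requirement is still carried only by comments. Suggest documenting the rule once, next to the definition of struct cancel_info or init_cancel_info(), and referring to it from each function comment, so there is a single place to update if the initialization rules change.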
diff --git a/modules/tm/timer.c b/modules/tm/timer.c
index a961675..a31a59c 100644
--- a/modules/tm/timer.c
+++ b/modules/tm/timer.c
@@ -303,6 +303,7 @@ static void fake_reply(struct cell *t, int branch, int code )
 	short do_cancel_branch;
 	enum rps reply_status;
 
+	init_cancel_info(&cancel_data);
 	do_cancel_branch = is_invite(t) && prepare_cancel_branch(t, branch, 0);
 	/* mark branch as canceled */
 	t->uac[branch].request.flags|=F_RB_CANCELED;
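Review bot: the `init_cancel_info(&cancel_data);` call is placed before `do_cancel_branch = is_invite(t) && prepare_cancel_branch(t, branch, 0);`, which looks like the right spot, but nothing in the code says why it has to come first. Is the case where do_cancel_branch ends up 0 the one that left cancel_data unset before it was passed on? If so, a one-line comment to that effect would keep a later cleanup from moving the init inside a do_cancel_branch condition.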



