[sr-dev] git:master: modules_k/xcap_server: xcaps_buf sometimes freed in w_xcaps_put ()

Peter Dunkley peter.dunkley at crocodile-rcs.com
Sat Nov 19 23:46:28 CET 2011


Module: sip-router
Branch: master
Commit: 1a72ea1d450062e618eeab04655e7cbc742313f2
URL:    http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=1a72ea1d450062e618eeab04655e7cbc742313f2

Author: pd <peter.dunkley at crocodile-rcs.com>
Committer: pd <peter.dunkley at crocodile-rcs.com>
Date:   Sat Nov 19 22:44:21 2011 +0000

modules_k/xcap_server: xcaps_buf sometimes freed in w_xcaps_put()

- The buffer is alloc'd at module startup so should not be freed here.
- When freed here the buffer memory can be alloc'd for other things and then
  future XCAP server operations will trample over it causing segmentation
  faults.
- Fix by Hugh Waite @ Crocodile RCS.

---

 modules_k/xcap_server/xcap_server.c |   16 +++++++---------
 1 files changed, 7 insertions(+), 9 deletions(-)

diff --git a/modules_k/xcap_server/xcap_server.c b/modules_k/xcap_server/xcap_server.c
index 33f5629..66dac1f 100644
--- a/modules_k/xcap_server/xcap_server.c
+++ b/modules_k/xcap_server/xcap_server.c
@@ -474,29 +474,25 @@ static int w_xcaps_put(sip_msg_t* msg, char* puri, char* ppath,
 
 	xm = (pv_elem_t*)pbody;
 	body.len = xcaps_buf.len - 1;
-	body.s   = xcaps_buf.s;
-	if(pv_printf(msg, xm, body.s, &body.len)<0)
+	if(pv_printf(msg, xm, xcaps_buf.s, &body.len)<0)
 	{
 		LM_ERR("unable to get body\n");
 		goto error;
 	}
-	if(body.s==NULL || body.len <= 0)
+	if(body.len <= 0)
 	{
 		LM_ERR("invalid body parameter\n");
 		goto error;
 	}
-	nbuf.s = (char*)pkg_malloc(body.len+1);
-	if(nbuf.s==NULL)
+	body.s = (char*)pkg_malloc(body.len+1);
+	if(body.s==NULL)
 	{
 		LM_ERR("no more pkg\n");
-		body.s = NULL;
 		goto error;
 	}
 
-	memcpy(nbuf.s, body.s, body.len);
-	body.s = nbuf.s;
+	memcpy(body.s, xcaps_buf.s, body.len);
 	body.s[body.len] = '\0';
-	nbuf.s = NULL;
 
 	if(parse_uri(uri.s, uri.len, &turi)!=0)
 	{
@@ -517,6 +513,8 @@ static int w_xcaps_put(sip_msg_t* msg, char* puri, char* ppath,
 	{
 		xcaps_send_reply(msg, 412, &xcaps_str_precon, &xcaps_str_empty,
 				&xcaps_str_empty, &xcaps_str_empty);
+
+		pkg_free(body.s);
 		return -2;
 	}
 




More information about the sr-dev mailing list