[sr-dev] git:master: modules_k/pua: Last fix (PUA memory leaks) caused crashes in hash-table mode

Peter Dunkley peter.dunkley at crocodile-rcs.com
Wed Jan 25 18:28:28 CET 2012


Module: sip-router
Branch: master
Commit: d9af95bf84ad3ae9ed53ba15c7f518597cefcf3a
URL:    http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=d9af95bf84ad3ae9ed53ba15c7f518597cefcf3a

Author: pd <peter.dunkley at crocodile-rcs.com>
Committer: pd <peter.dunkley at crocodile-rcs.com>
Date:   Wed Jan 25 17:27:26 2012 +0000

modules_k/pua: Last fix (PUA memory leaks) caused crashes in hash-table mode

- Fix by Paul Pankhurst @ Crocodile RCS

---

 modules_k/pua/send_publish.c   |   13 ++++++++++---
 modules_k/pua/send_subscribe.c |   15 +++++++++++----
 2 files changed, 21 insertions(+), 7 deletions(-)

diff --git a/modules_k/pua/send_publish.c b/modules_k/pua/send_publish.c
index a43bae7..6205994 100644
--- a/modules_k/pua/send_publish.c
+++ b/modules_k/pua/send_publish.c
@@ -341,7 +341,7 @@ void publ_cback_func(struct cell *t, int type, struct tmcb_params *ps)
 	}
 	size= sizeof(ua_pres_t)+ sizeof(str)+ 
 		(hentity->pres_uri->len+ hentity->tuple_id.len + 
-		 hentity->id.len + etag.len)* sizeof(char);
+		 hentity->id.len)* sizeof(char);
 	if(hentity->extra_headers)
 		size+= sizeof(str)+ hentity->extra_headers->len* sizeof(char);
 
@@ -391,10 +391,14 @@ void publ_cback_func(struct cell *t, int type, struct tmcb_params *ps)
 	presentity->flag|= hentity->flag;
 	presentity->event|= hentity->event;
 
-	presentity->etag.s= (char*)presentity+ size;
+	presentity->etag.s= (char*)shm_malloc(etag.len* sizeof(char));
+	if(presentity->etag.s== NULL)
+	{
+		LM_ERR("No more share memory\n");
+		goto error;
+	}
 	memcpy(presentity->etag.s, etag.s, etag.len);
 	presentity->etag.len= etag.len;
-	size+= presentity->etag.len;
 
 	if (dbmode==PUA_DB_ONLY)
 	{
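Review bot: When `shm_malloc` fails here, `goto error` is taken with `presentity` already allocated and `presentity->etag.s` set to NULL. The `error` label is outside this hunk, so it is not visible whether it releases `presentity`. The cleanup shown later under `done:` runs only when `dbmode==PUA_DB_ONLY`. Please confirm that both modes release `presentity` on this failure path, and consider a comment at the allocation such as `/* etag is its own shm block, freed separately from presentity */`, so the ownership change is stated where it happens.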
@@ -417,7 +421,10 @@ done:
 		*ps->param= NULL;
 	}
 	if(dbmode==PUA_DB_ONLY && presentity)
+	{
+		shm_free(presentity->etag.s);
 		shm_free(presentity);
+	}
 
 	free_results_puadb(res);
 	return;
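Review bot: `shm_free(presentity->etag.s)` is unconditional here, while the corresponding cleanup in send_subscribe.c's `error:` path is guarded with `if (presentity->remote_contact.s)`. The body of `publ_cback_func` is outside the hunk, and `done:` is presumably reached from more than one place. A path that arrives with `presentity` set but `etag.s` NULL, or not pointing at a separately allocated block, would hand the allocator a pointer it does not own. Suggest `if (presentity->etag.s) shm_free(presentity->etag.s);` and confirming that `presentity` is zero-filled right after allocation so the guard is meaningful. The guarded free in send_subscribe.c relies on the same zero-fill assumption.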
diff --git a/modules_k/pua/send_subscribe.c b/modules_k/pua/send_subscribe.c
index eebb1a4..4269bd0 100644
--- a/modules_k/pua/send_subscribe.c
+++ b/modules_k/pua/send_subscribe.c
@@ -564,7 +564,7 @@ void subs_cback_func(struct cell *t, int cb_type, struct tmcb_params *ps)
 	size= sizeof(ua_pres_t)+ 2*sizeof(str)+( pto->uri.len+
 		pfrom->uri.len+ pto->tag_value.len+ pfrom->tag_value.len
 		+msg->callid->body.len+ record_route.len+ hentity->contact.len+
-		hentity->id.len + contact.len)*sizeof(char);
+		hentity->id.len )*sizeof(char);
 
 	if(hentity->extra_headers)
 		size+= sizeof(str)+ hentity->extra_headers->len*sizeof(char);
@@ -653,10 +653,13 @@ void subs_cback_func(struct cell *t, int cb_type, struct tmcb_params *ps)
 	}
 
 	/* write the remote contact filed */
-	presentity->remote_contact.s= (char*)presentity+ size;
+	presentity->remote_contact.s= (char*)shm_malloc(contact.len* sizeof(char));
+	if(presentity->remote_contact.s== NULL)
+	{
+		ERR_MEM(SHARE_MEM);
+	}
 	memcpy(presentity->remote_contact.s, contact.s, contact.len);
 	presentity->remote_contact.len= contact.len;
-	size+= presentity->remote_contact.len;
 
 	presentity->event|= hentity->event;
 	presentity->flag= hentity->flag;
@@ -693,7 +696,11 @@ error:
 		if (presentity!=NULL)
 		{
 			delete_temporary_dialog_puadb(presentity);
-			if (need_to_free) shm_free(presentity);
+			if (need_to_free)
+			{
+				if (presentity->remote_contact.s) shm_free(presentity->remote_contact.s);
+				shm_free(presentity);
+			}
 		}
 	}
 	else



