[sr-dev] [tracker] Task opened: ndb_redis redisc_free_reply bug

sip-router bugtracker at sip-router.org
Fri Jul 6 11:18:28 CEST 2012


THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY.

A new Flyspray task has been opened.  Details are below. 

User who did this - Vicente Hernando (vicente) 

Attached to Project - sip-router
Summary - ndb_redis redisc_free_reply bug
Task Type - Bug Report
Category - Module
Status - Unconfirmed
Assigned To - 
Operating System - All
Severity - Critical
Priority - Normal
Reported Version - Development
Due in Version - Undecided
Due Date - Undecided
Details - Due to the ndb_redis redisc_free_reply function I created in the redis_client.c file, a bug has appeared that is able to crash kamailio.

In pv_get_redisc function in ndb_redis_mod.c these lines appear:

	if(rpv->reply==NULL)
	{
		rpv->reply = redisc_get_reply(&rpv->rname);
		if(rpv->reply==NULL)
			return pv_get_null(msg, param, res);
	}

That means it stores the old redisc_reply_t in rpv->reply, and if it has been freed with the redisc_free_reply function, a segmentation fault would happen.

I find three solutions:

Patch one changes if(rpv->reply==NULL) into if(1). The disadvantage is that it will always have to search for the reply using redisc_get_reply, adding some overhead.

Patch two changes the redisc_free_reply function so that it deletes only the inner redisReply structure. So once a redisc_reply_t is created it could be reused, but never deleted.

Another solution would be to delete the redisc_free_reply function completely.

In my opinion the second and third approaches are the best.

Any comments?


More information can be found at the following URL:
http://sip-router.org/tracker/index.php?do=details&task_id=242
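
Added example, not part of the original report or of the ndb_redis sources: a minimal C model of the second approach described above, where the wrapper is never released and only its inner reply is freed, so a cached pointer such as rpv->reply cannot dangle. All names (entry_t, entry_get, entry_set, entry_free_payload, cached_read) are hypothetical.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-ins: entry_t models redisc_reply_t, payload models the
 * inner redisReply. None of these names come from the ndb_redis sources. */
typedef struct entry {
    const char *name;       /* must outlive the entry (string literals here) */
    char *payload;          /* inner reply; NULL when unset or freed */
    struct entry *next;
} entry_t;
static entry_t *entries;

/* Find the wrapper by name, creating it on first use. Wrappers are never
 * released, so a pointer cached by a caller stays valid for the process. */
entry_t *entry_get(const char *name)
{
    entry_t *e;
    for (e = entries; e != NULL; e = e->next)
        if (strcmp(e->name, name) == 0) return e;
    if ((e = calloc(1, sizeof(*e))) == NULL) return NULL;
    e->name = name;
    e->next = entries;
    return entries = e;
}

/* Store a copy of value, releasing any previous payload. */
int entry_set(const char *name, const char *value)
{
    entry_t *e = entry_get(name);
    char *copy = malloc(strlen(value) + 1);
    if (e == NULL || copy == NULL) { free(copy); return -1; }
    strcpy(copy, value);
    free(e->payload);
    e->payload = copy;
    return 0;
}

/* Second-approach behaviour: release only the inner payload and clear the
 * pointer; the wrapper itself stays in the list. */
void entry_free_payload(entry_t *e)
{
    free(e->payload);
    e->payload = NULL;
}

/* Consumer holding a cached wrapper pointer, like rpv->reply in the report. */
const char *cached_read(entry_t **cache, const char *name)
{
    if (*cache == NULL && (*cache = entry_get(name)) == NULL) return NULL;
    return (*cache)->payload;   /* NULL once the payload was freed */
}
```

The trade-off is the one the report names: wrappers are reused but never deleted, so memory grows with the number of distinct reply names.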
