[sr-dev] git:admorten/sca DELETED: sca: fix potential leak of parsed To body
Andrew Mortensen
admorten at isc.upenn.edu
Wed Feb 6 15:32:26 CET 2013
Module: sip-router
Branch: admorten/sca DELETED
Commit: f4f776577d0011a1c87fdc59f130ca2ea26f1170
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=f4f776577d0011a1c87fdc59f130ca2ea26f1170
Author: Andrew Mortensen <admorten at isc.upenn.edu>
Committer: Andrew Mortensen <admorten at isc.upenn.edu>
Date: Tue Nov 27 14:06:23 2012 -0500
sca: fix potential leak of parsed To body
- if msg->to wasn't parsed, sca_subscription_from_request called parse_to,
but never called free_to_params.
- make the subscription to-tag independent of the parsed to_body with a
pkg_malloc'd copy, freed in the caller.
---
modules/sca/sca_subscribe.c | 34 ++++++++++++++++++++++++++--------
1 files changed, 26 insertions(+), 8 deletions(-)
diff --git a/modules/sca/sca_subscribe.c b/modules/sca/sca_subscribe.c
index aadcf56..06ebae9 100644
--- a/modules/sca/sca_subscribe.c
+++ b/modules/sca/sca_subscribe.c
@@ -893,11 +893,13 @@ sca_subscription_delete_subscriber_for_event( sca_mod *scam, str *subscriber,
return( 1 );
}
+/* caller must pkg_free req_sub->rr.s and req_sub->dialog.to_tag.s */
int
sca_subscription_from_request( sca_mod *scam, sip_msg_t *msg, int event_type,
sca_subscription *req_sub )
{
- struct to_body tmp_to, *to, *from;
+ struct to_body tmp_to = { 0 };
+ struct to_body *to, *from;
str contact_uri;
str to_tag = STR_NULL;
unsigned int expires = 0, max_expires;
@@ -905,6 +907,8 @@ sca_subscription_from_request( sca_mod *scam, sip_msg_t *msg, int event_type,
assert( req_sub != NULL );
+ memset( req_sub, 0, sizeof( sca_subscription ));
+
/* parse required info first */
if ( !SCA_HEADER_EMPTY( msg->expires )) {
if ( parse_expires( msg->expires ) < 0 ) {
@@ -1012,15 +1016,25 @@ sca_subscription_from_request( sca_mod *scam, sip_msg_t *msg, int event_type,
req_sub->dialog.id.len = 0;
req_sub->dialog.call_id = msg->callid->body;
req_sub->dialog.from_tag = from->tag_value;
- req_sub->dialog.to_tag = to_tag;
+
+ req_sub->dialog.to_tag.s = pkg_malloc( to_tag.len );
+ if ( req_sub->dialog.to_tag.s == NULL ) {
+ LM_ERR( "Failed to pkg_malloc space for to-tag %.*s",
+ STR_FMT( &to_tag ));
+ goto error;
+ }
+ SCA_STR_COPY( &req_sub->dialog.to_tag, &to_tag );
+
req_sub->dialog.subscribe_cseq = 0;
req_sub->dialog.notify_cseq = 0;
- //free_to_params( &tmp_to );
+ free_to_params( &tmp_to );
+
return( 1 );
error:
- //free_to_params( &tmp_to );
+ free_to_params( &tmp_to );
+
return( -1 );
}
@@ -1070,7 +1084,7 @@ sca_handle_subscribe( sip_msg_t *msg, char *p1, char *p2 )
if ( sca_subscription_copy_subscription_key( &req_sub, &sub_key ) < 0 ) {
SCA_REPLY_ERROR( sca, 500,
"Internal Server Error - copy dialog id", msg );
- return( -1 );
+ goto done;
}
sca_subscription_print( &req_sub );
@@ -1082,6 +1096,9 @@ sca_handle_subscribe( sip_msg_t *msg, char *p1, char *p2 )
/* ensure we only calculate the hash table index once */
idx = sca_hash_table_index_for_key( sca->subscriptions,
&sub_key );
+ /* pkg_malloc'd in sca_subscription_copy_subscription_key above */
+ pkg_free( sub_key.s );
+
sca_hash_table_lock_index( sca->subscriptions, idx );
sub = sca_hash_table_index_kv_find_unsafe( sca->subscriptions, idx,
@@ -1168,9 +1185,6 @@ sca_handle_subscribe( sip_msg_t *msg, char *p1, char *p2 )
}
}
- /* pkg_malloc'd in sca_subscription_copy_subscription_key() */
- pkg_free( sub_key.s );
-
status = sca_ok_status_for_event( event_type );
status_text = sca_ok_text_for_event( event_type );
if ( sca_reply( sca, status, status_text, event_type,
@@ -1207,6 +1221,10 @@ done:
sca_hash_table_unlock_index( sca->subscriptions, idx );
}
+ if ( req_sub.dialog.to_tag.s != NULL ) {
+ pkg_free( req_sub.dialog.to_tag.s );
+ }
+
return( rc );
}
More information about the sr-dev
mailing list