[sr-dev] git:master: ims_registrar_scscf: Fix memory corruption in build_contacts, in case no contacts available
Carsten Bock
carsten at ng-voice.com
Mon Jan 13 12:05:48 CET 2014
Module: sip-router
Branch: master
Commit: 99ed4d76ceb77b451e99f969513575e655738e81
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=99ed4d76ceb77b451e99f969513575e655738e81
Author: Carsten Bock <carsten at ng-voice.com>
Committer: Carsten Bock <carsten at ng-voice.com>
Date: Mon Jan 13 12:04:13 2014 +0100
ims_registrar_scscf: Fix memory corruption in build_contacts, in case no contacts available
---
modules/ims_registrar_scscf/reply.c | 95 ++++++++++++++++++----------------
1 files changed, 50 insertions(+), 45 deletions(-)
diff --git a/modules/ims_registrar_scscf/reply.c b/modules/ims_registrar_scscf/reply.c
index 64b31c3..cfefd5c 100644
--- a/modules/ims_registrar_scscf/reply.c
+++ b/modules/ims_registrar_scscf/reply.c
@@ -412,61 +412,66 @@ int build_contact(ucontact_t* c, contact_for_header_t** contact_header) {
tmp_contact_header->data_len = calc_buf_len(c);
tmp_contact_header->buf = (char*)shm_malloc(tmp_contact_header->data_len);
- p = tmp_contact_header->buf;
+ if (tmp_contact_header->data_len) {
+ p = tmp_contact_header->buf;
- memcpy(p, CONTACT_BEGIN, CONTACT_BEGIN_LEN);
- p += CONTACT_BEGIN_LEN;
+ memcpy(p, CONTACT_BEGIN, CONTACT_BEGIN_LEN);
+ p += CONTACT_BEGIN_LEN;
- fl = 0;
- while (c) {
- if (VALID_CONTACT(c, act_time)) {
- if (fl) {
- memcpy(p, CONTACT_SEP, CONTACT_SEP_LEN);
- p += CONTACT_SEP_LEN;
- } else {
- fl = 1;
- }
+ fl = 0;
+ while (c) {
+ if (VALID_CONTACT(c, act_time)) {
+ if (fl) {
+ memcpy(p, CONTACT_SEP, CONTACT_SEP_LEN);
+ p += CONTACT_SEP_LEN;
+ } else {
+ fl = 1;
+ }
- *p++ = '<';
- memcpy(p, c->c.s, c->c.len);
- p += c->c.len;
- *p++ = '>';
+ *p++ = '<';
+ memcpy(p, c->c.s, c->c.len);
+ p += c->c.len;
+ *p++ = '>';
+
+ len = len_q(c->q);
+ if (len) {
+ memcpy(p, Q_PARAM, Q_PARAM_LEN);
+ p += Q_PARAM_LEN;
+ memcpy(p, q2str(c->q, 0), len);
+ p += len;
+ }
- len = len_q(c->q);
- if (len) {
- memcpy(p, Q_PARAM, Q_PARAM_LEN);
- p += Q_PARAM_LEN;
- memcpy(p, q2str(c->q, 0), len);
+ memcpy(p, EXPIRES_PARAM, EXPIRES_PARAM_LEN);
+ p += EXPIRES_PARAM_LEN;
+ cp = int2str((int) (c->expires - act_time), &len);
+ memcpy(p, cp, len);
p += len;
+
+ if (c->received.s) {
+ *p++ = ';';
+ memcpy(p, rcv_param.s, rcv_param.len);
+ p += rcv_param.len;
+ *p++ = '=';
+ *p++ = '\"';
+ memcpy(p, c->received.s, c->received.len);
+ p += c->received.len;
+ *p++ = '\"';
+ }
}
- memcpy(p, EXPIRES_PARAM, EXPIRES_PARAM_LEN);
- p += EXPIRES_PARAM_LEN;
- cp = int2str((int) (c->expires - act_time), &len);
- memcpy(p, cp, len);
- p += len;
-
- if (c->received.s) {
- *p++ = ';';
- memcpy(p, rcv_param.s, rcv_param.len);
- p += rcv_param.len;
- *p++ = '=';
- *p++ = '\"';
- memcpy(p, c->received.s, c->received.len);
- p += c->received.len;
- *p++ = '\"';
- }
+ c = c->next;
}
- c = c->next;
- }
+ memcpy(p, CRLF, CRLF_LEN);
+ p += CRLF_LEN;
- memcpy(p, CRLF, CRLF_LEN);
- p += CRLF_LEN;
+ tmp_contact_header->data_len = p - tmp_contact_header->buf;
+
+ LM_DBG("created Contact HF: %.*s\n", tmp_contact_header->data_len, tmp_contact_header->buf);
+ } else
+ LM_DBG("No Contact HF created, no contacts.\n");
- tmp_contact_header->data_len = p - tmp_contact_header->buf;
- LM_DBG("created Contact HF: %.*s\n", tmp_contact_header->data_len, tmp_contact_header->buf);
*contact_header = tmp_contact_header;
return 0;
}
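Review bot: The `shm_malloc` result assigned to `tmp_contact_header->buf` is still used unchecked, because the new `if (tmp_contact_header->data_len)` guard covers only the empty case. When `data_len` is non-zero and shared memory is exhausted, `p` is NULL and the first `memcpy(p, CONTACT_BEGIN, CONTACT_BEGIN_LEN)` writes through it. I would add a check right after the allocation, for example `if (tmp_contact_header->data_len && !tmp_contact_header->buf) { LM_ERR("no more shm memory\n"); return -1; }`. The error value is a guess, and that path would also need to release `tmp_contact_header`, whose allocation lies outside this hunk. In the empty case `shm_malloc(0)` is still called and whatever it returns is handed to the caller, so it would be safer to skip the allocation and set `buf` to NULL there. A short comment that callers must test `data_len` before touching `buf` would also help.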