[sr-dev] git:master: ims_registrar_scscf: Fix memory corruption in build_contacts, in case no contacts available

Carsten Bock carsten at ng-voice.com
Mon Jan 13 12:05:48 CET 2014


Module: sip-router
Branch: master
Commit: 99ed4d76ceb77b451e99f969513575e655738e81
URL:    http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=99ed4d76ceb77b451e99f969513575e655738e81

Author: Carsten Bock <carsten at ng-voice.com>
Committer: Carsten Bock <carsten at ng-voice.com>
Date:   Mon Jan 13 12:04:13 2014 +0100

ims_registrar_scscf: Fix memory corruption in build_contacts, in case no contacts available

---

 modules/ims_registrar_scscf/reply.c |   95 ++++++++++++++++++----------------
 1 files changed, 50 insertions(+), 45 deletions(-)

diff --git a/modules/ims_registrar_scscf/reply.c b/modules/ims_registrar_scscf/reply.c
index 64b31c3..cfefd5c 100644
--- a/modules/ims_registrar_scscf/reply.c
+++ b/modules/ims_registrar_scscf/reply.c
@@ -412,61 +412,66 @@ int build_contact(ucontact_t* c, contact_for_header_t** contact_header) {
     tmp_contact_header->data_len = calc_buf_len(c);
     tmp_contact_header->buf = (char*)shm_malloc(tmp_contact_header->data_len);
 
-    p = tmp_contact_header->buf;
+    if (tmp_contact_header->data_len) {
+        p = tmp_contact_header->buf;
 
-    memcpy(p, CONTACT_BEGIN, CONTACT_BEGIN_LEN);
-    p += CONTACT_BEGIN_LEN;
+        memcpy(p, CONTACT_BEGIN, CONTACT_BEGIN_LEN);
+        p += CONTACT_BEGIN_LEN;
 
-    fl = 0;
-    while (c) {
-        if (VALID_CONTACT(c, act_time)) {
-            if (fl) {
-                memcpy(p, CONTACT_SEP, CONTACT_SEP_LEN);
-                p += CONTACT_SEP_LEN;
-            } else {
-                fl = 1;
-            }
+        fl = 0;
+        while (c) {
+            if (VALID_CONTACT(c, act_time)) {
+                if (fl) {
+                    memcpy(p, CONTACT_SEP, CONTACT_SEP_LEN);
+                    p += CONTACT_SEP_LEN;
+                } else {
+                    fl = 1;
+                }
 
-            *p++ = '<';
-            memcpy(p, c->c.s, c->c.len);
-            p += c->c.len;
-            *p++ = '>';
+                *p++ = '<';
+                memcpy(p, c->c.s, c->c.len);
+                p += c->c.len;
+                *p++ = '>';
+
+                len = len_q(c->q);
+                if (len) {
+                    memcpy(p, Q_PARAM, Q_PARAM_LEN);
+                    p += Q_PARAM_LEN;
+                    memcpy(p, q2str(c->q, 0), len);
+                    p += len;
+                }
 
-            len = len_q(c->q);
-            if (len) {
-                memcpy(p, Q_PARAM, Q_PARAM_LEN);
-                p += Q_PARAM_LEN;
-                memcpy(p, q2str(c->q, 0), len);
+                memcpy(p, EXPIRES_PARAM, EXPIRES_PARAM_LEN);
+                p += EXPIRES_PARAM_LEN;
+                cp = int2str((int) (c->expires - act_time), &len);
+                memcpy(p, cp, len);
                 p += len;
+    
+                if (c->received.s) {
+                    *p++ = ';';
+                    memcpy(p, rcv_param.s, rcv_param.len);
+                    p += rcv_param.len;
+                    *p++ = '=';
+                    *p++ = '\"';
+                    memcpy(p, c->received.s, c->received.len);
+                    p += c->received.len;
+                    *p++ = '\"';
+                }
             }
 
-            memcpy(p, EXPIRES_PARAM, EXPIRES_PARAM_LEN);
-            p += EXPIRES_PARAM_LEN;
-            cp = int2str((int) (c->expires - act_time), &len);
-            memcpy(p, cp, len);
-            p += len;
-
-            if (c->received.s) {
-                *p++ = ';';
-                memcpy(p, rcv_param.s, rcv_param.len);
-                p += rcv_param.len;
-                *p++ = '=';
-                *p++ = '\"';
-                memcpy(p, c->received.s, c->received.len);
-                p += c->received.len;
-                *p++ = '\"';
-            }
+            c = c->next;
         }
 
-        c = c->next;
-    }
+        memcpy(p, CRLF, CRLF_LEN);
+        p += CRLF_LEN;
 
-    memcpy(p, CRLF, CRLF_LEN);
-    p += CRLF_LEN;
+        tmp_contact_header->data_len = p - tmp_contact_header->buf;
+
+        LM_DBG("created Contact HF: %.*s\n", tmp_contact_header->data_len, tmp_contact_header->buf);
+    } else 
+        LM_DBG("No Contact HF created, no contacts.\n");
 
-    tmp_contact_header->data_len = p - tmp_contact_header->buf;
 
-    LM_DBG("created Contact HF: %.*s\n", tmp_contact_header->data_len, tmp_contact_header->buf);
     *contact_header = tmp_contact_header;
     return 0;
 }




More information about the sr-dev mailing list