[sr-dev] git:master:a620bfec: mem: safety prev free checks for f_malloc extract operation

[Daniel-Constantin Mierla]

Module: kamailio
Branch: master
Commit: a620bfec37cdcdc5c5debcdfb5219b09464065fe
URL: https://github.com/kamailio/kamailio/commit/a620bfec37cdcdc5c5debcdfb5219b09464065fe

Author: Daniel-Constantin Mierla <miconda at gmail.com>
Committer: Daniel-Constantin Mierla <miconda at gmail.com>
Date: 2015-08-27T15:38:03+02:00

mem: safety prev free checks for f_malloc extract operation

- following a report by Alex Balashov

---

Modified: mem/f_malloc.c

---

Diff:  https://github.com/kamailio/kamailio/commit/a620bfec37cdcdc5c5debcdfb5219b09464065fe.diff
Patch: https://github.com/kamailio/kamailio/commit/a620bfec37cdcdc5c5debcdfb5219b09464065fe.patch

---

diff --git a/mem/f_malloc.c b/mem/f_malloc.c
index fa8cb49..a4def82 100644
--- a/mem/f_malloc.c
+++ b/mem/f_malloc.c
@@ -179,6 +179,29 @@ static inline void fm_extract_free(struct fm_block* qm, struct fm_frag* frag)
 	pf = frag->prv_free;
 	hash = GET_HASH(frag->size);
 
+	if(unlikely(pf==0)) {
+		/* try to discover previous fragment (safety review) */
+		LM_WARN("missing prev info for fragment %p from %p [%d]\n",
+					frag, qm, hash);
+		if(likely(qm->free_hash[hash].first)) {
+			if(likely(qm->free_hash[hash].first==frag)) {
+				pf = &(qm->free_hash[hash].first);
+			} else {
+				for(pf=&(qm->free_hash[hash].first); (*pf); pf=&((*pf)->u.nxt_free)) {
+					if((*pf)->u.nxt_free==frag) {
+						break;
+					}
+				}
+			}
+		}
+		if(unlikely(pf==0)) {
+			LM_ALERT("attemting to extract inexistent fragment %p from %p [%d]\n",
+					frag, qm, hash);
+			return;
+		}
+		frag->prv_free = pf;
+	}
+
 	*pf=frag->u.nxt_free;
 
 	if(frag->u.nxt_free) frag->u.nxt_free->prv_free = pf;