[sr-dev] git:4.2:723f170b: rr: reset lump pointer to avoid using it after free for remove rr function

Daniel-Constantin Mierla miconda at gmail.com
Tue May 19 09:36:48 CEST 2015


Module: kamailio
Branch: 4.2
Commit: 723f170b882d98a6100ccfb931447d7630f57bde
URL: https://github.com/kamailio/kamailio/commit/723f170b882d98a6100ccfb931447d7630f57bde

Author: Daniel-Constantin Mierla <miconda at gmail.com>
Committer: Daniel-Constantin Mierla <miconda at gmail.com>
Date: 2015-05-19T09:35:06+02:00

rr: reset lump pointer to avoid using it after free for remove rr function

(cherry picked from commit f03c86ade6af9bc529a52f7fd50004721278ae19)

---

Modified: modules/rr/rr_mod.c

---

Diff:  https://github.com/kamailio/kamailio/commit/723f170b882d98a6100ccfb931447d7630f57bde.diff
Patch: https://github.com/kamailio/kamailio/commit/723f170b882d98a6100ccfb931447d7630f57bde.patch

---

diff --git a/modules/rr/rr_mod.c b/modules/rr/rr_mod.c
index 34aa0a6..c01de65 100644
--- a/modules/rr/rr_mod.c
+++ b/modules/rr/rr_mod.c
@@ -445,13 +445,11 @@ static void free_rr_lump(struct lump **list)
 				are in failure_route. -- No problem, only the
 				anchor is left in the list */
 				
-				LOG(L_DBG, "DEBUG: free_rr_lump: lump %p" \
-						" is left in the list\n",
+				LM_DBG("lump %p is left in the list\n",
 						lump);
 				
 				if (lump->len)
-				    LOG(L_CRIT, "BUG: free_rr_lump: lump %p" \
-						" can not be removed, but len=%d\n",
+				    LM_CRIT("lump %p can not be removed, but len=%d\n",
 						lump, lump->len);
 						
 				prev_lump=lump;
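Review bot: The rewritten `LM_CRIT` call drops the `BUG:` marker that the old message carried, so log searches or alerts keyed on that tag may no longer match this inconsistent-state report (a lump that cannot be removed but has a non-zero len). If the marker is still wanted, keep it in the format string: `LM_CRIT("BUG: lump %p can not be removed, but len=%d\n",`. Whether `LM_CRIT` itself adds an equivalent prefix is not visible here. free_rr_lump's body starts and ends outside this hunk.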
@@ -460,14 +458,16 @@ static void free_rr_lump(struct lump **list)
 				else *list = lump->next;
 				if (!(lump->flags&(LUMPFLAG_DUPED|LUMPFLAG_SHMEM)))
 					free_lump(lump);
-				if (!(lump->flags&LUMPFLAG_SHMEM))
+				if (!(lump->flags&LUMPFLAG_SHMEM)) {
 					pkg_free(lump);
+					lump = 0;
+				}
 			}
 		} else {
 			/* store previous position */
 			prev_lump=lump;
 		}
-		if (first_shmem && (lump->flags&LUMPFLAG_SHMEM))
+		if (first_shmem && lump && (lump->flags&LUMPFLAG_SHMEM))
 			first_shmem=0;
 	}
 }
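Review bot: After `lump = 0;` the only visible guard is the `lump &&` test at the loop tail, so the loop's advance step, which sits outside this hunk, must not read `lump->next`. If it does, the use-after-free simply becomes a NULL dereference, so confirm that iteration advances from a pointer saved before the free. The assignment would also benefit from a short comment such as `/* lump was freed: the first_shmem check below must not dereference it */`, and `NULL` reads more clearly than `0` for a pointer. Skipping the flag test for a freed lump looks behaviour-preserving, since only lumps without LUMPFLAG_SHMEM reach `pkg_free()`. free_rr_lump's body starts outside the hunk.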



