[sr-dev] git:master:b2ef89bc: Merge pull request #342 from doublec/janssonrpc_read_after_free

Daniel-Constantin Mierla miconda at gmail.com
Thu Sep 24 08:51:38 CEST 2015


Module: kamailio
Branch: master
Commit: b2ef89bc55ae9b7bc816178e3c601289f6de3216
URL: https://github.com/kamailio/kamailio/commit/b2ef89bc55ae9b7bc816178e3c601289f6de3216

Author: Daniel-Constantin Mierla <miconda at gmail.com>
Committer: Daniel-Constantin Mierla <miconda at gmail.com>
Date: 2015-09-24T08:51:26+02:00

Merge pull request #342 from doublec/janssonrpc_read_after_free

janssonrpc-c: Fix use after free

---

Modified: modules/janssonrpc-c/janssonrpc_connect.c
Modified: modules/janssonrpc-c/janssonrpc_server.c

---

Diff:  https://github.com/kamailio/kamailio/commit/b2ef89bc55ae9b7bc816178e3c601289f6de3216.diff
Patch: https://github.com/kamailio/kamailio/commit/b2ef89bc55ae9b7bc816178e3c601289f6de3216.patch

---

diff --git a/modules/janssonrpc-c/janssonrpc_connect.c b/modules/janssonrpc-c/janssonrpc_connect.c
index bfe66c9..76378d3 100644
--- a/modules/janssonrpc-c/janssonrpc_connect.c
+++ b/modules/janssonrpc-c/janssonrpc_connect.c
@@ -88,9 +88,13 @@ void force_disconnect(jsonrpc_server_t* server)
 
 	/* clean out requests */
 	jsonrpc_request_t* req = NULL;
+	jsonrpc_request_t* next = NULL;
 	int key = 0;
 	for (key=0; key < JSONRPC_DEFAULT_HTABLE_SIZE; key++) {
-		for (req = request_table[key]; req != NULL; req = req->next) {
+		for (req = request_table[key]; req != NULL; req = next) {
+			/* fail_request frees req so need to store
+			   next_req before call */
+			next = req->next;
 			if(req->server != NULL && req->server == server) {
 				fail_request(JRPC_ERR_SERVER_DISCONNECT, req,
 						"Failing request for server shutdown");
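Review bot: The saved `next` pointer in force_disconnect's inner loop is only safe if fail_request() frees `req` alone and never unlinks or frees another entry in the same bucket. That assumption is not stated, and fail_request is not visible in this hunk. The new comment also refers to `next_req` while the variable is named `next`; I would reword it as `/* fail_request() frees req (and only req), so read req->next before the call */`. The loop body continues past the end of the hunk, so it cannot be confirmed here whether `request_table[key]` is cleared or relinked once its entries are freed; if it is not, the bucket head is left dangling for the next reader.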
@@ -128,9 +132,10 @@ void server_backoff_cb(int fd, short event, void *arg)
 
 	close(fd);
 	CHECK_AND_FREE_EV(a->ev);
-	pkg_free(arg);
 
 	wait_server_backoff(timeout, a->server, false);
+
+	pkg_free(arg);
 }
 
 void wait_server_backoff(unsigned int timeout /* seconds */,
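Review bot: Nothing in server_backoff_cb records that `pkg_free(arg)` must stay after the last read through `a`, which is the ordering the old code got wrong. `a` appears to be the typed view of `arg` (its declaration is above the hunk), so a comment on the free such as `/* a aliases arg: free only after the last use of a */` would stop a later reorder from reintroducing the read after free. A sturdier alternative is to copy `a->server` into a local before the free and pass that local to wait_server_backoff, so the position of the free no longer matters. The function starts outside the hunk.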
diff --git a/modules/janssonrpc-c/janssonrpc_server.c b/modules/janssonrpc-c/janssonrpc_server.c
index 09286bc..8f1fb06 100644
--- a/modules/janssonrpc-c/janssonrpc_server.c
+++ b/modules/janssonrpc-c/janssonrpc_server.c
@@ -591,8 +591,10 @@ void free_server_list(server_list_t* list)
 		return;
 
 	server_list_t* node = NULL;
-	for(node=list; node!=NULL; node=node->next)
+	server_list_t* next = NULL;
+	for(node=list; node!=NULL; node=next)
 	{
+		next = node->next;
 		pkg_free(node);
 	}
 }
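Review bot: The same fix in janssonrpc_connect.c carries an explanatory comment, but the loop in free_server_list does not. A short `/* read node->next before pkg_free(node) */` above `next = node->next;` would keep the two fixes consistent. The loop also releases only the list nodes. If the entries reference separately allocated data (the struct definition is not visible here), the function comment should say who owns it, for example `/* frees list nodes only; anything they point to stays owned elsewhere */`. The start of the function is outside the hunk.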



