[sr-dev] git:5.1:096de8d0: rtpengine: fixed segfault when using read_sdp_pv

Daniel-Constantin Mierla miconda at gmail.com
Thu Nov 23 12:54:46 CET 2017


Module: kamailio
Branch: 5.1
Commit: 096de8d0979a71005e3f52146252365b53ab6197
URL: https://github.com/kamailio/kamailio/commit/096de8d0979a71005e3f52146252365b53ab6197

Author: Phil Lavin <phil.lavin at cloudcall.com>
Committer: Daniel-Constantin Mierla <miconda at gmail.com>
Date: 2017-11-23T12:54:42+01:00

rtpengine: fixed segfault when using read_sdp_pv

- Obtain body pointer fresh from the SIP message as when using read_sdp_pv
  the body pointer is overwritten

---

Modified: src/modules/rtpengine/rtpengine.c

---

Diff:  https://github.com/kamailio/kamailio/commit/096de8d0979a71005e3f52146252365b53ab6197.diff
Patch: https://github.com/kamailio/kamailio/commit/096de8d0979a71005e3f52146252365b53ab6197.patch

---

diff --git a/src/modules/rtpengine/rtpengine.c b/src/modules/rtpengine/rtpengine.c
index e3468d04a8..9704693eee 100644
--- a/src/modules/rtpengine/rtpengine.c
+++ b/src/modules/rtpengine/rtpengine.c
@@ -3328,6 +3328,7 @@ rtpengine_offer_answer(struct sip_msg *msg, const char *flags, int op, int more)
 	str body, newbody;
 	struct lump *anchor;
 	pv_value_t pv_val;
+	str cur_body = {0, 0};
 
 	dict = rtpp_function_call_ok(&bencbuf, msg, op, flags, &body);
 	if (!dict)
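Review bot: the new `cur_body` declaration sits beside `body` with nothing to say how the two differ, and it is used only in the else branch changed in the next hunk. Either declare it at the top of that branch or add a one-line comment here noting that `body` can be overwritten when read_sdp_pv is in use and must not be used for offsets into `msg->buf`, so that a later edit does not switch the lump code back to `body`.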
@@ -3357,7 +3358,12 @@ rtpengine_offer_answer(struct sip_msg *msg, const char *flags, int op, int more)
 			pkg_free(newbody.s);
 
 		} else {
-			anchor = del_lump(msg, body.s - msg->buf, body.len, 0);
+			/* get the body from the message as body ptr may have changed */
+			cur_body.len = 0;
+			cur_body.s = get_body(msg);
+			cur_body.len = msg->buf + msg->len - cur_body.s;
+
+			anchor = del_lump(msg, cur_body.s - msg->buf, cur_body.len, 0);
 			if (!anchor) {
 				LM_ERR("del_lump failed\n");
 				goto error_free;
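Review bot: the result of `get_body(msg)` is used in pointer arithmetic on the very next line without a NULL check. If it returns NULL, `msg->buf + msg->len - cur_body.s` produces a meaningless length and `cur_body.s - msg->buf` passes an out-of-range offset to `del_lump()`, which is the same class of crash this commit is fixing. Check `cur_body.s` right after the call, log the failure and `goto error_free` as the `del_lump` failure path below already does. It would also be worth rejecting a negative computed length before calling `del_lump()`. Minor: the `cur_body.len = 0;` assignment is redundant, since the declaration already initializes the struct to `{0, 0}` and `len` is overwritten two lines later.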



