[sr-dev] git:5.0:bae64449: rtpengine: fixed segfault when using read_sdp_pv

[Daniel-Constantin Mierla]

Module: kamailio
Branch: 5.0
Commit: bae644494e3ad1a1384def016a9343c073cfe1a6
URL: https://github.com/kamailio/kamailio/commit/bae644494e3ad1a1384def016a9343c073cfe1a6

Author: Phil Lavin <phil.lavin at cloudcall.com>
Committer: Daniel-Constantin Mierla <miconda at gmail.com>
Date: 2017-11-23T12:55:00+01:00

rtpengine: fixed segfault when using read_sdp_pv

- Obtain body pointer fresh from the SIP message as when using read_sdp_pv
  the body pointer is overwritten

---

Modified: src/modules/rtpengine/rtpengine.c

---

Diff:  https://github.com/kamailio/kamailio/commit/bae644494e3ad1a1384def016a9343c073cfe1a6.diff
Patch: https://github.com/kamailio/kamailio/commit/bae644494e3ad1a1384def016a9343c073cfe1a6.patch

---

diff --git a/src/modules/rtpengine/rtpengine.c b/src/modules/rtpengine/rtpengine.c
index 82717f8e59..ee3b5f1671 100644
--- a/src/modules/rtpengine/rtpengine.c
+++ b/src/modules/rtpengine/rtpengine.c
@@ -2853,6 +2853,7 @@ rtpengine_offer_answer(struct sip_msg *msg, const char *flags, int op, int more)
 	str body, newbody;
 	struct lump *anchor;
 	pv_value_t pv_val;
+	str cur_body = {0, 0};
 
 	dict = rtpp_function_call_ok(&bencbuf, msg, op, flags, &body);
 	if (!dict)
@@ -2882,7 +2883,12 @@ rtpengine_offer_answer(struct sip_msg *msg, const char *flags, int op, int more)
 			pkg_free(newbody.s);
 
 		} else {
-			anchor = del_lump(msg, body.s - msg->buf, body.len, 0);
+			/* get the body from the message as body ptr may have changed */
+			cur_body.len = 0;
+			cur_body.s = get_body(msg);
+			cur_body.len = msg->buf + msg->len - cur_body.s;
+
+			anchor = del_lump(msg, cur_body.s - msg->buf, cur_body.len, 0);
 			if (!anchor) {
 				LM_ERR("del_lump failed\n");
 				goto error_free;