[SR-Users] [sr-dev] TCP replace alias can cause core
Andrei Pelinescu-Onciul
andrei at iptel.org
Wed Oct 10 10:20:16 CEST 2012
On Oct 01, 2012 at 14:19, Jijo <realjijo at gmail.com> wrote:
> We found a problem regarding TCP connection alias in the following code at
> tcp_main.c:
>
>
[...]
>
> As TCP_ALIAS_REPLACE flag is set for the default TCP options value, in the
> function _tcpconn_add_alias_unsafe() a TCP connection alias can be moved
> from connection A to connection B based on the TCP alias hash. In this
> case, the number of aliases is incremented in the connection A, and
> decremented from connection B. However, in the connection B the number of
> aliases can reach zero (no alias). And the code above can be executed for
> connection B setting the number of aliases to 1 unconditionally. When this
> case happens, the connection B keeps an invalid alias (already excluded
> from connection B by tcpconn_add_alias_unsafe() function called from
> connection A). When the connection A is released, the aliases are also
> released, and this memory area can be filled with different data. As
> connection B has references to an invalid alias it can try to access
> invalid areas, and can crash Kamailio. This access happens, for example,
> when another alias is added to connection B.
>
> To fix it we include a check before the code:
>
> if (c->aliases>0) {
Thanks a lot, I've committed the fix.
The only difference is that I changed if (c->aliases>0) into if (c->aliases > 1).
Andrei
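The following is a hypothetical C model of the ownership problem described in the report, added here as an illustration; it is not code from Kamailio's tcp_main.c nor from either poster, and every name in it (struct conn, struct alias, alias_replace, assume_single_alias_unguarded, conn_has_dangling_alias, simulate_alias_move) is invented. It replays the sequence from the thread: connection B owns an alias, connection A takes it over under a replace policy (B's counter drops to zero while B's pointer slot is left as it was), a later code path resets B's counter to 1 without checking, and when A is released B is left counting an alias whose memory is gone. The guarded variant models the `c->aliases > 0` check from the report; the exact threshold used in the committed fix depends on surrounding code that is elided on this page.

```c
/* Hypothetical model of the alias-ownership problem discussed in the thread.
 * It is NOT Kamailio's tcp_main.c: the struct and function names are invented
 * to show why an alias counter must not be reset unconditionally once another
 * connection has taken the alias over. */
#include <stdio.h>

struct alias;                       /* forward declaration */

struct conn {
    int id;
    int aliases;                    /* how many aliases this connection believes it owns */
    struct alias *alias_ptr;        /* the slot that can go stale */
};

struct alias {
    int key;                        /* e.g. a hash of (address, port); constructed value */
    struct conn *owner;
    int freed;                      /* set once the owner released it */
};

/* Move an alias to a new owner (the "replace" policy): the old owner's count
 * drops and the new owner's count rises, but the old owner's pointer slot is
 * left untouched, which is exactly the situation the report describes. */
static void alias_replace(struct alias *a, struct conn *new_owner)
{
    struct conn *old = a->owner;
    if (old && old != new_owner) {
        old->aliases--;             /* old owner no longer counts it ... */
        /* ... but old->alias_ptr still points at it */
    }
    a->owner = new_owner;
    new_owner->alias_ptr = a;
    new_owner->aliases++;
}

/* The defect: a code path that assumes the connection owns its one alias
 * and resets the counter without checking. */
static void assume_single_alias_unguarded(struct conn *c)
{
    c->aliases = 1;
}

/* The guarded variant in the spirit of the posted fix: only proceed when
 * the connection still counts at least one alias as its own. */
static void assume_single_alias_guarded(struct conn *c)
{
    if (c->aliases > 0)
        c->aliases = 1;
}

/* Releasing a connection frees every alias it owns. */
static void conn_release(struct conn *c, struct alias *a)
{
    if (a->owner == c) {
        a->freed = 1;               /* memory is now reusable by anything else */
        c->aliases = 0;
        c->alias_ptr = NULL;
    }
}

/* Consistency check a defender would want: does the connection claim an
 * alias whose memory has been freed or that now belongs to someone else? */
static int conn_has_dangling_alias(const struct conn *c)
{
    return c->aliases > 0 && c->alias_ptr != NULL &&
           (c->alias_ptr->freed || c->alias_ptr->owner != c);
}

/* Replay the sequence from the report and return 1 if connection B ends up
 * holding a stale alias reference. guarded == 0 reproduces the defect. */
int simulate_alias_move(int guarded)
{
    struct alias al = { .key = 0x5060, .owner = NULL, .freed = 0 };
    struct conn a = { .id = 1, .aliases = 0, .alias_ptr = NULL };
    struct conn b = { .id = 2, .aliases = 0, .alias_ptr = NULL };

    alias_replace(&al, &b);         /* B owns the alias: b.aliases == 1 */
    alias_replace(&al, &a);         /* A takes it over: b.aliases == 0, a.aliases == 1 */

    if (guarded)
        assume_single_alias_guarded(&b);    /* B has no alias: counter stays 0 */
    else
        assume_single_alias_unguarded(&b);  /* B wrongly believes it owns one */

    conn_release(&a, &al);          /* A goes away and frees the alias */

    return conn_has_dangling_alias(&b);
}

int main(void)
{
    printf("unguarded: dangling=%d\n", simulate_alias_move(0));
    printf("guarded:   dangling=%d\n", simulate_alias_move(1));
    return 0;
}
```

The point of the model is the invariant: a connection's alias counter must agree with the aliases that actually name it as owner, so any path that writes the counter has to check ownership first rather than assume it. The conn_has_dangling_alias check is the kind of assertion worth keeping in a debug build, since it turns a later memory corruption into an immediate, attributable failure.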