Module: sip-router Branch: 4.1 Commit: fc0bad2c005048d73926cbf8637cd8ba10287bd8 URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=fc0bad2c...
Author: Carsten Bock carsten@ng-voice.com Committer: Carsten Bock carsten@ng-voice.com Date: Mon Jan 13 12:04:13 2014 +0100
ims_registrar_scscf: Fix memory corruption in build_contacts, in case no contacts available
---
modules/ims_registrar_scscf/reply.c | 95 ++++++++++++++++++---------------- 1 files changed, 50 insertions(+), 45 deletions(-)
diff --git a/modules/ims_registrar_scscf/reply.c b/modules/ims_registrar_scscf/reply.c index 64b31c3..cfefd5c 100644 --- a/modules/ims_registrar_scscf/reply.c +++ b/modules/ims_registrar_scscf/reply.c @@ -412,61 +412,66 @@ int build_contact(ucontact_t* c, contact_for_header_t** contact_header) { tmp_contact_header->data_len = calc_buf_len(c); tmp_contact_header->buf = (char*)shm_malloc(tmp_contact_header->data_len);
- p = tmp_contact_header->buf; + if (tmp_contact_header->data_len) { + p = tmp_contact_header->buf;
- memcpy(p, CONTACT_BEGIN, CONTACT_BEGIN_LEN); - p += CONTACT_BEGIN_LEN; + memcpy(p, CONTACT_BEGIN, CONTACT_BEGIN_LEN); + p += CONTACT_BEGIN_LEN;
- fl = 0; - while (c) { - if (VALID_CONTACT(c, act_time)) { - if (fl) { - memcpy(p, CONTACT_SEP, CONTACT_SEP_LEN); - p += CONTACT_SEP_LEN; - } else { - fl = 1; - } + fl = 0; + while (c) { + if (VALID_CONTACT(c, act_time)) { + if (fl) { + memcpy(p, CONTACT_SEP, CONTACT_SEP_LEN); + p += CONTACT_SEP_LEN; + } else { + fl = 1; + }
- *p++ = '<'; - memcpy(p, c->c.s, c->c.len); - p += c->c.len; - *p++ = '>'; + *p++ = '<'; + memcpy(p, c->c.s, c->c.len); + p += c->c.len; + *p++ = '>'; + + len = len_q(c->q); + if (len) { + memcpy(p, Q_PARAM, Q_PARAM_LEN); + p += Q_PARAM_LEN; + memcpy(p, q2str(c->q, 0), len); + p += len; + }
- len = len_q(c->q); - if (len) { - memcpy(p, Q_PARAM, Q_PARAM_LEN); - p += Q_PARAM_LEN; - memcpy(p, q2str(c->q, 0), len); + memcpy(p, EXPIRES_PARAM, EXPIRES_PARAM_LEN); + p += EXPIRES_PARAM_LEN; + cp = int2str((int) (c->expires - act_time), &len); + memcpy(p, cp, len); p += len; + + if (c->received.s) { + *p++ = ';'; + memcpy(p, rcv_param.s, rcv_param.len); + p += rcv_param.len; + *p++ = '='; + *p++ = '"'; + memcpy(p, c->received.s, c->received.len); + p += c->received.len; + *p++ = '"'; + } }
- memcpy(p, EXPIRES_PARAM, EXPIRES_PARAM_LEN); - p += EXPIRES_PARAM_LEN; - cp = int2str((int) (c->expires - act_time), &len); - memcpy(p, cp, len); - p += len; - - if (c->received.s) { - *p++ = ';'; - memcpy(p, rcv_param.s, rcv_param.len); - p += rcv_param.len; - *p++ = '='; - *p++ = '"'; - memcpy(p, c->received.s, c->received.len); - p += c->received.len; - *p++ = '"'; - } + c = c->next; }
- c = c->next; - } + memcpy(p, CRLF, CRLF_LEN); + p += CRLF_LEN;
- memcpy(p, CRLF, CRLF_LEN); - p += CRLF_LEN; + tmp_contact_header->data_len = p - tmp_contact_header->buf; + + LM_DBG("created Contact HF: %.*s\n", tmp_contact_header->data_len, tmp_contact_header->buf); + } else + LM_DBG("No Contact HF created, no contacts.\n");
- tmp_contact_header->data_len = p - tmp_contact_header->buf;
- LM_DBG("created Contact HF: %.*s\n", tmp_contact_header->data_len, tmp_contact_header->buf); *contact_header = tmp_contact_header; return 0; }