[sr-dev] git:4.1:59f3fa67: sqlops: fix use-after-free by deep copying result name

Module: kamailio Branch: 4.1 Commit: 59f3fa679d35d64db42037ef862bb8a1c4c12cb7 URL: https://github.com/kamailio/kamailio/commit/59f3fa679d35d64db42037ef862bb8a… Author: Timo Teräs <timo.teras(a)iki.fi> Committer: Timo Teräs <timo.teras(a)iki.fi> Date: 2015-04-16T12:55:10+03:00 sqlops: fix use-after-free by deep copying result name When creating a new result handle, deep copy the result name. Otherwise we might end up accessing the name after it's freed. (cherry picked from commit 6e2604464e64cfaaf1e0327228f53f4787b69470) --- Modified: modules/sqlops/sql_api.c --- Diff: https://github.com/kamailio/kamailio/commit/59f3fa679d35d64db42037ef862bb8a… Patch: https://github.com/kamailio/kamailio/commit/59f3fa679d35d64db42037ef862bb8a… --- diff --git a/modules/sqlops/sql_api.c b/modules/sqlops/sql_api.c index 2781069..25c25f7 100644 --- a/modules/sqlops/sql_api.c +++ b/modules/sqlops/sql_api.c @@ -199,14 +199,16 @@ sql_result_t* sql_get_result(str *name) return sr; sr = sr->next; } - sr = (sql_result_t*)pkg_malloc(sizeof(sql_result_t)); + sr = (sql_result_t*)pkg_malloc(sizeof(sql_result_t) + name->len); if(sr==NULL) { LM_ERR("no pkg memory\n"); return NULL; } memset(sr, 0, sizeof(sql_result_t)); - sr->name = *name; + memcpy(sr+1, name->s, name->len); + sr->name.s = (char *)(sr + 1); + sr->name.len = name->len; sr->resid = resid; sr->next = _sql_result_root; _sql_result_root = sr; @@ -665,6 +667,7 @@ void sql_destroy(void) pkg_free(r); r = r0; } + _sql_result_root = NULL; } /**