[sr-dev] git:master:26ab0fcc: uac: do not free chunks already inserted as lumps

Module: kamailio Branch: master Commit: 26ab0fcc97cbf0d6602454e60187a914f13424a2 URL: https://github.com/kamailio/kamailio/commit/26ab0fcc97cbf0d6602454e60187a91… Author: Daniel-Constantin Mierla <miconda(a)gmail.com> Committer: Daniel-Constantin Mierla <miconda(a)gmail.com> Date: 2021-04-06T12:17:35+02:00 uac: do not free chunks already inserted as lumps - in case of errors happening later, the pointers are linked in sip_msg_t and will be freed there, otherwise will result in a double free --- Modified: src/modules/uac/replace.c --- Diff: https://github.com/kamailio/kamailio/commit/26ab0fcc97cbf0d6602454e60187a91… Patch: https://github.com/kamailio/kamailio/commit/26ab0fcc97cbf0d6602454e60187a91… --- diff --git a/src/modules/uac/replace.c b/src/modules/uac/replace.c index 3a476a3d82..6e77eafe94 100644 --- a/src/modules/uac/replace.c +++ b/src/modules/uac/replace.c @@ -875,7 +875,7 @@ static void replace_callback(struct dlg_cell *dlg, int type, str old_uri; str* new_uri; str* new_display; - str buf; + str buf = STR_NULL; char *p; unsigned int uac_flag; int dlgvar_index = 0; @@ -968,11 +968,13 @@ static void replace_callback(struct dlg_cell *dlg, int type, buf.len = new_display->len; if (l==0 && (l=get_display_anchor(msg, hdr, body, &buf)) == 0) { LM_ERR("failed to insert anchor\n"); - goto free1; + pkg_free(buf.s); + return; } if (insert_new_lump_after(l, buf.s, buf.len, 0) == 0) { LM_ERR("insert new display lump failed\n"); - goto free1; + pkg_free(buf.s); + return; } } @@ -980,20 +982,22 @@ static void replace_callback(struct dlg_cell *dlg, int type, p = pkg_malloc( new_uri->len); if (!p) { PKG_MEM_ERROR; - goto free1; + return; } - memcpy( p, new_uri->s, new_uri->len); + memcpy(p, new_uri->s, new_uri->len); /* build del/add lumps */ - l = del_lump( msg, old_uri.s-msg->buf, old_uri.len, 0); + l = del_lump(msg, old_uri.s-msg->buf, old_uri.len, 0); if (l==0) { LM_ERR("del lump failed\n"); - goto free2; + pkg_free(p); + return; } if (insert_new_lump_after( l, p, new_uri->len, 0)==0) { LM_ERR("insert new lump failed\n"); - goto free2; + pkg_free(p); + return; } /* register tm callback to change replies, @@ -1007,12 +1011,6 @@ static void replace_callback(struct dlg_cell *dlg, int type, msg->msg_flags |= uac_flag; return; - -free2: - pkg_free(p); - -free1: - pkg_free(buf.s); }