Module: sip-router Branch: 4.1 Commit: b76eb77a36a5e751d792cb7e0d60f4750976e322 URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=b76eb77a...
Author: Daniel-Constantin Mierla miconda@gmail.com Committer: Daniel-Constantin Mierla miconda@gmail.com Date: Fri May 2 21:50:14 2014 +0200
dialog: copy dlg var value locally on get operation
- reference to shared memory exposes risk of accessing an invalid pointer if another process updates it - reported by Dragos Oancea
(cherry picked from commit bb3eed8aabea9f63c9922f71714aea242771db02)
---
modules/dialog/dlg_var.c | 18 ++++++++++++++++-- 1 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/modules/dialog/dlg_var.c b/modules/dialog/dlg_var.c
index 111dcd8..4b2ca89 100644
--- a/modules/dialog/dlg_var.c
+++ b/modules/dialog/dlg_var.c
@@ -284,6 +284,7 @@ int pv_get_dlg_variable(struct sip_msg *msg, pv_param_t *param, pv_value_t *res)
 {
 dlg_cell_t *dlg;
 str * value;
+ str spv;
if (param==NULL || param->pvn.type!=PV_NAME_INTSTR || param->pvn.u.isname.type!=AVP_NAME_STR @@ -306,6 +307,19 @@ int pv_get_dlg_variable(struct sip_msg *msg, pv_param_t *param, pv_value_t *res) /* dcm: todo - the value should be cloned for safe usage */ value = get_dlg_variable_unsafe(dlg, ¶m->pvn.u.isname.name.s);
+ spv.s = NULL;
+ if(value) {
+ spv.len = pv_get_buffer_size();
+ if(spv.len<value->len+1) {
+ LM_ERR("pv buffer too small (%d) - needed %d\n", spv.len, value->len);
+ } else {
+ spv.s = pv_get_buffer();
+ strncpy(spv.s, value->s, value->len);
+ spv.len = value->len;
+ spv.s[spv.len] = '\0';
+ }
+ }
+
 print_lists(dlg);
 /* unlock dialog */
@@ -314,8 +328,8 @@ int pv_get_dlg_variable(struct sip_msg *msg, pv_param_t *param, pv_value_t *res)
 dlg_release(dlg);
 }
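Review bot: In the too-small branch of the added block the code only logs and leaves `spv.s` NULL, so a dialog variable larger than the pv buffer is later returned through `pv_get_null` and a script cannot tell it apart from an unset variable; the log line also reports `value->len` as the needed size although the check requires `value->len+1`. The copy is already bounded by the stored length, so `memcpy(spv.s, value->s, value->len);` states the intent better than `strncpy`, which would stop copying at an embedded NUL and zero-fill the remainder while `spv.len` still reports the full length. The context comment `/* dcm: todo - the value should be cloned for safe usage */` is now stale and could become `/* copy the value into the pv buffer while the dialog is still locked */`, assuming the lock is taken above the hunk as the `/* unlock dialog */` line suggests. The body of pv_get_dlg_variable starts and ends outside this hunk.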
- if (value)
- return pv_get_strval(msg, param, res, value);
+ if (spv.s)
+ return pv_get_strval(msg, param, res, &spv);
return pv_get_null(msg, param, res);