2 May
2014
2 May
'14
9:15 p.m.
Module: sip-router
Branch: 4.1
Commit: b76eb77a36a5e751d792cb7e0d60f4750976e322
URL:
http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=b76eb77…
Author: Daniel-Constantin Mierla <miconda(a)gmail.com>
Committer: Daniel-Constantin Mierla <miconda(a)gmail.com>
Date: Fri May 2 21:50:14 2014 +0200
dialog: copy dlg var value locally on get operation
- reference to shared memory exposes risk on accessing an invalid
pointer if anothe process updates it
- reported by Dragos Oancea
(cherry picked from commit bb3eed8aabea9f63c9922f71714aea242771db02)
---
modules/dialog/dlg_var.c | 18 ++++++++++++++++--
1 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/modules/dialog/dlg_var.c b/modules/dialog/dlg_var.c
index 111dcd8..4b2ca89 100644
--- a/modules/dialog/dlg_var.c
+++ b/modules/dialog/dlg_var.c
@@ -284,6 +284,7 @@ int pv_get_dlg_variable(struct sip_msg *msg, pv_param_t *param,
pv_value_t *res)
{
dlg_cell_t *dlg;
str * value;
+ str spv;
if (param==NULL || param->pvn.type!=PV_NAME_INTSTR
|| param->pvn.u.isname.type!=AVP_NAME_STR
@@ -306,6 +307,19 @@ int pv_get_dlg_variable(struct sip_msg *msg, pv_param_t *param,
pv_value_t *res)
/* dcm: todo - the value should be cloned for safe usage */
value = get_dlg_variable_unsafe(dlg, ¶m->pvn.u.isname.name.s);
+ spv.s = NULL;
+ if(value) {
+ spv.len = pv_get_buffer_size();
+ if(spv.len<value->len+1) {
+ LM_ERR("pv buffer too small (%d) - needed %d\n", spv.len, value->len);
+ } else {
+ spv.s = pv_get_buffer();
+ strncpy(spv.s, value->s, value->len);
+ spv.len = value->len;
+ spv.s[spv.len] = '\0';
+ }
+ }
+
print_lists(dlg);
/* unlock dialog */
@@ -314,8 +328,8 @@ int pv_get_dlg_variable(struct sip_msg *msg, pv_param_t *param,
pv_value_t *res)
dlg_release(dlg);
}
- if (value)
- return pv_get_strval(msg, param, res, value);
+ if (spv.s)
+ return pv_get_strval(msg, param, res, &spv);
return pv_get_null(msg, param, res);