Module: kamailio
Branch: 4.2
Commit: 723f170b882d98a6100ccfb931447d7630f57bde
URL:
https://github.com/kamailio/kamailio/commit/723f170b882d98a6100ccfb931447d7…
Author: Daniel-Constantin Mierla <miconda(a)gmail.com>
Committer: Daniel-Constantin Mierla <miconda(a)gmail.com>
Date: 2015-05-19T09:35:06+02:00
rr: reset lump pointer to avoid using it after free for remove rr function
(cherry picked from commit f03c86ade6af9bc529a52f7fd50004721278ae19)
---
Modified: modules/rr/rr_mod.c
---
Diff:
https://github.com/kamailio/kamailio/commit/723f170b882d98a6100ccfb931447d7…
Patch:
https://github.com/kamailio/kamailio/commit/723f170b882d98a6100ccfb931447d7…
---
diff --git a/modules/rr/rr_mod.c b/modules/rr/rr_mod.c
index 34aa0a6..c01de65 100644
--- a/modules/rr/rr_mod.c
+++ b/modules/rr/rr_mod.c
@@ -445,13 +445,11 @@ static void free_rr_lump(struct lump **list)
are in failure_route. -- No problem, only the
anchor is left in the list */
- LOG(L_DBG, "DEBUG: free_rr_lump: lump %p" \
- " is left in the list\n",
+ LM_DBG("lump %p is left in the list\n",
lump);
if (lump->len)
- LOG(L_CRIT, "BUG: free_rr_lump: lump %p" \
- " can not be removed, but len=%d\n",
+ LM_CRIT("lump %p can not be removed, but len=%d\n",
lump, lump->len);
prev_lump=lump;
@@ -460,14 +458,16 @@ static void free_rr_lump(struct lump **list)
else *list = lump->next;
if (!(lump->flags&(LUMPFLAG_DUPED|LUMPFLAG_SHMEM)))
free_lump(lump);
- if (!(lump->flags&LUMPFLAG_SHMEM))
+ if (!(lump->flags&LUMPFLAG_SHMEM)) {
pkg_free(lump);
+ lump = 0;
+ }
}
} else {
/* store previous position */
prev_lump=lump;
}
- if (first_shmem && (lump->flags&LUMPFLAG_SHMEM))
+ if (first_shmem && lump && (lump->flags&LUMPFLAG_SHMEM))
first_shmem=0;
}
}
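Review bot: The `lump = 0;` added after `pkg_free(lump)` carries no comment saying that the pointer is read again by the `first_shmem` test after the if/else, so a later cleanup could drop the assignment or the `lump &&` guard and bring back the read of freed memory. I would add `/* lump is tested again below for first_shmem; clear it so the freed node is never dereferenced */` above the assignment. A sturdier form, if it fits the rest of the loop, is to read the flag once before anything is freed, e.g. `int in_shm = lump->flags & LUMPFLAG_SHMEM;`, and have the final test use `in_shm` instead of the pointer. The loop header and the start of free_rr_lump are outside this hunk, so I am assuming the iteration advances through a saved next pointer and not through `lump` itself; that is worth confirming now that `lump` can be null at the end of an iteration.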