20 Nov
2011
20 Nov
'11
12:46 a.m.
Module: sip-router
Branch: master
Commit: 1a72ea1d450062e618eeab04655e7cbc742313f2
URL:
http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=1a72ea1…
Author: pd <peter.dunkley(a)crocodile-rcs.com>
Committer: pd <peter.dunkley(a)crocodile-rcs.com>
Date: Sat Nov 19 22:44:21 2011 +0000
modules_k/xcap_server: xcaps_buf sometimes freed in w_xcaps_put()
- The buffer is alloc'd at module startup so should not be freed here.
- When freed here the buffer memory can be alloc'd for other things and then
future XCAP server operations will trample over it causing segmentation
faults.
- Fix by Hugh Waite @ Crocodile RCS.
---
modules_k/xcap_server/xcap_server.c | 16 +++++++---------
1 files changed, 7 insertions(+), 9 deletions(-)
diff --git a/modules_k/xcap_server/xcap_server.c b/modules_k/xcap_server/xcap_server.c
index 33f5629..66dac1f 100644
--- a/modules_k/xcap_server/xcap_server.c
+++ b/modules_k/xcap_server/xcap_server.c
@@ -474,29 +474,25 @@ static int w_xcaps_put(sip_msg_t* msg, char* puri, char* ppath,
xm = (pv_elem_t*)pbody;
body.len = xcaps_buf.len - 1;
- body.s = xcaps_buf.s;
- if(pv_printf(msg, xm, body.s, &body.len)<0)
+ if(pv_printf(msg, xm, xcaps_buf.s, &body.len)<0)
{
LM_ERR("unable to get body\n");
goto error;
}
- if(body.s==NULL || body.len <= 0)
+ if(body.len <= 0)
{
LM_ERR("invalid body parameter\n");
goto error;
}
- nbuf.s = (char*)pkg_malloc(body.len+1);
- if(nbuf.s==NULL)
+ body.s = (char*)pkg_malloc(body.len+1);
+ if(body.s==NULL)
{
LM_ERR("no more pkg\n");
- body.s = NULL;
goto error;
}
- memcpy(nbuf.s, body.s, body.len);
- body.s = nbuf.s;
+ memcpy(body.s, xcaps_buf.s, body.len);
body.s[body.len] = '\0';
- nbuf.s = NULL;
if(parse_uri(uri.s, uri.len, &turi)!=0)
{
@@ -517,6 +513,8 @@ static int w_xcaps_put(sip_msg_t* msg, char* puri, char* ppath,
{
xcaps_send_reply(msg, 412, &xcaps_str_precon, &xcaps_str_empty,
&xcaps_str_empty, &xcaps_str_empty);
+
+ pkg_free(body.s);
return -2;
}