#### Pre-Submission Checklist

- [X] Commit message has the format required by CONTRIBUTING guide
- [X] Commits are split per component (core, individual modules, libs, utils, ...)
- [X] Each component has a single commit (if not, squash them into one commit)
- [X] No commits to README files for modules (changes must be done to docbook files in `doc/` subfolder, the README file is autogenerated)

#### Type Of Change

- [X] Small bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds new functionality)
- [ ] Breaking change (fix or feature that would change existing functionality)

#### Checklist:

- [ ] PR should be backported to stable branches
- [X] Tested changes locally
- [ ] Related to issue #XXXX (replace XXXX with an open issue number)

#### Description

When running as a P-CSCF a crash would occur with certain in-dialog replies. The `msg->contact->parsed` pointer is unreliably reused and would point to garbage.

You can view, comment on, or merge this pull request online at:
https://github.com/kamailio/kamailio/pull/3032
-- Commit Summary --
* ims: fix a crash with contact parsing
-- File Changes --
M src/lib/ims/ims_getters.c (21)
-- Patch Links --
https://github.com/kamailio/kamailio/pull/3032.patch
https://github.com/kamailio/kamailio/pull/3032.diff
@alexyosifov commented on this pull request.
if(ptr->type == HDR_CONTACT_T) {
- if(ptr->parsed == 0) { - if(parse_contact(ptr) < 0) { - LM_DBG("error parsing contacts [%.*s]\n", ptr->body.len, - ptr->body.s); - } + ptr->parsed = NULL; + if(parse_contact(ptr) < 0) { + LM_ERR("error parsing contacts [%.*s]\n", ptr->body.len, + ptr->body.s); } } ptr = ptr->next;
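Review bot: unconditionally setting `ptr->parsed = NULL` before `parse_contact(ptr)` orphans any contact body that was already parsed for this header; since `parse_contact` allocates the body, the earlier allocation can then never be freed, so a header parsed more than once leaks. If a forced re-parse is the intent, free the existing parsed body first (the removed `if(ptr->parsed == 0)` guard avoided re-parsing altogether); if the real defect is a stale `parsed` pointer left behind after the body was freed, the fix belongs where it is freed, not here. Separately, the trailing `ptr = ptr->next;` must be reconciled with the loop's own advancement so the pointer is not stepped twice per iteration, and raising the log from LM_DBG to LM_ERR will make every unparsable Contact in a reply an error-level message.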
You have to remove this operation or the one in the 'for', because now you have a double pointer-assignment operation.
@kristiyan-peychev-flolive pushed 1 commit.
932b139b89e3bfc84e71517fbceb6b70460ba459 ims: remove forgotten pointer advancement
@kristiyan-peychev-flolive commented on this pull request.
if(ptr->type == HDR_CONTACT_T) {
- if(ptr->parsed == 0) { - if(parse_contact(ptr) < 0) { - LM_DBG("error parsing contacts [%.*s]\n", ptr->body.len, - ptr->body.s); - } + ptr->parsed = NULL; + if(parse_contact(ptr) < 0) { + LM_ERR("error parsing contacts [%.*s]\n", ptr->body.len, + ptr->body.s); } } ptr = ptr->next;
Thank you for pointing this out, I had forgotten about it.
Thank you for your contribution! What I see from the changes is that you explicitly set `ptr->parsed = NULL`. If you check the function `int parse_contact(struct hdr_field* _h)`, there is a memory allocation for the contact body: `row 76: b = (contact_body_t*)pkg_malloc(sizeof(contact_body_t));`. This could lead to a memory leak. I have suspicions that the old code works fine, but the problem, in general, is somewhere else. Maybe where the parsed contact is stored before in-dialog replies, or where the parsed contact is freed but not set to NULL/0.
More detailed investigation should be performed. It is not OK to be merged.
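As an added illustration of the leak described in the review above, the following is a constructed C model (not Kamailio's own `hdr_field`, `contact_body_t`, `parse_contact` or `pkg_malloc`) that counts bodies left unreleased when `parsed` is overwritten before re-parsing, beside a variant that frees the previous body first:

```c
#include <stdlib.h>
#include <string.h>

/* Simplified model of a header with a lazily parsed body (constructed for
 * illustration; not Kamailio's hdr_field, contact_body_t or pkg_malloc). */
typedef struct { char uri[64]; } contact_body_t;
typedef struct hdr_field {
    void *parsed;       /* NULL until parsed, then owns one contact_body_t */
    const char *body;
} hdr_field;

static int live_bodies = 0; /* bodies allocated and not yet freed */
/* Each call allocates a fresh body, like a parser that mallocs its result */
static int parse_contact(hdr_field *h) {
    contact_body_t *b = calloc(1, sizeof(*b));
    if (b == NULL) return -1;
    strncpy(b->uri, h->body, sizeof(b->uri) - 1);
    h->parsed = b;
    live_bodies++;
    return 0;
}
/* Release the parsed body and clear the pointer so it cannot dangle */
static void free_contact_body(hdr_field *h) {
    if (h->parsed == NULL) return;
    free(h->parsed);
    h->parsed = NULL;
    live_bodies--;
}
/* The PR's approach: overwrite 'parsed' and parse again. A body that was
 * already parsed is orphaned, so each re-parse after the first leaks one. */
static int reparse_discarding(hdr_field *h) {
    h->parsed = NULL;
    return parse_contact(h);
}
/* Free-then-parse: no stale pointer survives and nothing is orphaned */
static int reparse_freeing(hdr_field *h) {
    free_contact_body(h);
    return parse_contact(h);
}
/* Re-parse one header n times with the given strategy, free the final body,
 * and return how many bodies are still unreleased, i.e. the number leaked. */
static int leaked_bodies(int (*reparse)(hdr_field *), int n) {
    hdr_field h = { NULL, "<sip:alice@example.invalid>" };
    live_bodies = 0;
    for (int i = 0; i < n; i++)
        if (reparse(&h) < 0) return -1;
    free_contact_body(&h);
    return live_bodies;
}
```

Parsing the same header three times with the discarding strategy leaves two bodies unreleased, while the free-then-parse strategy leaves none.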
Closed #3032.