Module: sip-router Branch: master Commit: 9a46223c077c8d058cdc633563b0d9f14af332ae URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=9a46223… Author: Daniel-Constantin Mierla <miconda(a)gmail.com> Committer: Daniel-Constantin Mierla <miconda(a)gmail.com> Date: Wed Nov 26 16:39:07 2014 +0100 registrar: don't free r-uri branch attributes in lookup_branches() - just clear the values in sip_msg_t structure so the pointers can be reused and avoid double free - reported by Anthony Messina --- modules/registrar/lookup.c | 41 ++++++++++++++++++++++++++++++++++------- 1 files changed, 34 insertions(+), 7 deletions(-) diff --git a/modules/registrar/lookup.c b/modules/registrar/lookup.c index 794d968..1d25acd 100644 --- a/modules/registrar/lookup.c +++ b/modules/registrar/lookup.c @@ -372,23 +372,50 @@ done: } -int reset_ruri_branch(sip_msg_t *msg) +/** + * only reset the pointers after local backup in lookup_branches + */ +int clear_ruri_branch(sip_msg_t *msg) { if(msg==NULL) return -1; - reset_dst_uri(msg); - reset_path_vector(msg); + msg->dst_uri.s = 0; + msg->dst_uri.len = 0; + msg->path_vec.s = 0; + msg->path_vec.len = 0; set_ruri_q(Q_UNSPECIFIED); reset_force_socket(msg); setbflagsval(0, 0); - reset_instance(msg); + msg->instance.len = 0; msg->reg_id = 0; - reset_ruid(msg); - reset_ua(msg); + msg->ruid.s = 0; + msg->ruid.len = 0; + msg->location_ua.s = 0; + msg->location_ua.len = 0; return 0; } +/** + * reset and free the pointers after cloning to a branch in lookup_branches + */ +int reset_ruri_branch(sip_msg_t *msg) +{ + if(msg==NULL) + return -1; + + reset_dst_uri(msg); + reset_path_vector(msg); + set_ruri_q(Q_UNSPECIFIED); + reset_force_socket(msg); + setbflagsval(0, 0); + reset_instance(msg); + msg->reg_id = 0; + reset_ruid(msg); + reset_ua(msg); + return 0; +} + /*! \brief * Lookup contacts in the database for all branches, including R-URI * \return: -1 : not found @@ -438,7 +465,7 @@ int lookup_branches(sip_msg_t *msg, udomain_t *d) ruri_b_reg_id = msg->reg_id; ruri_b_ruid = msg->ruid; ruri_b_ua = msg->location_ua; - reset_ruri_branch(msg); + clear_ruri_branch(msg); /* set new uri buf to null, otherwise is freed or overwritten by * rewrite_uri() during branch lookup */ msg->new_uri.len=0;