Module: kamailio
Branch: master
Commit: 159224b254d9a67104c60fedab46a1b78cf19a83
URL:
https://github.com/kamailio/kamailio/commit/159224b254d9a67104c60fedab46a1b…
Author: Daniel-Constantin Mierla <miconda(a)gmail.com>
Committer: Daniel-Constantin Mierla <miconda(a)gmail.com>
Date: 2022-05-04T08:56:14+02:00
tm: function to clean local parsed headers and body for uas request
- some modules use t->uas.request for getting attributes of the
transaction request when processing the response, which may result in
pointers to private memory being stored in the shared memory, causing
crashes when other processes try to use the pointers
---
Modified: src/modules/tm/t_msgbuilder.c
Modified: src/modules/tm/t_msgbuilder.h
Modified: src/modules/tm/tm_load.c
Modified: src/modules/tm/tm_load.h
---
Diff:
https://github.com/kamailio/kamailio/commit/159224b254d9a67104c60fedab46a1b…
Patch:
https://github.com/kamailio/kamailio/commit/159224b254d9a67104c60fedab46a1b…
---
diff --git a/src/modules/tm/t_msgbuilder.c b/src/modules/tm/t_msgbuilder.c
index 27aaef9b5f..ad9c8ae903 100644
--- a/src/modules/tm/t_msgbuilder.c
+++ b/src/modules/tm/t_msgbuilder.c
@@ -1776,3 +1776,37 @@ char *build_uac_cancel(str *headers,str *body,struct cell
*cancelledT,
return NULL;
}
+/**
+ *
+ */
+void t_uas_request_clean_parsed(tm_cell_t *t)
+{
+ struct hdr_field *hdr;
+ void *mstart;
+ void *mend;
+
+ if (!t || !t->uas.request) {
+ return;
+ }
+
+ mstart = t->uas.request;
+ mend = t->uas.end_request;
+
+ /* free header's parsed structures that were added by failure handlers */
+ for (hdr=t->uas.request->headers; hdr; hdr=hdr->next ) {
+ if (hdr->parsed && hdr_allocs_parse(hdr)
+ && (hdr->parsed<mstart || hdr->parsed>=mend)) {
+ /* header parsed filed doesn't point inside fake memory
+ * chunck -> it was added by failure funcs.-> free it as pkg */
+ LM_DBG("removing hdr->parsed %d\n", hdr->type);
+ clean_hdr_field(hdr);
+ hdr->parsed = 0;
+ }
+ }
+ /* free parsed body added by failure handlers */
+ if (t->uas.request->body) {
+ if(t->uas.request->body->free)
+ t->uas.request->body->free(&t->uas.request->body);
+ t->uas.request->body = 0;
+ }
+}
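Review bot: The doc block above `t_uas_request_clean_parsed()` is empty, and the function has a caller contract that its body does not make obvious. It calls `clean_hdr_field(hdr)` and `body->free()` on data that the inline comment treats as pkg (process-private) memory, which is only safe in the process that did the parsing. The comment should say so, for example `/* free pkg-allocated parsed headers and body attached to t->uas.request; call only from the process that parsed them */`. The loop also writes `hdr->parsed = 0` and `body = 0` into the shared request with no lock visible in this hunk, so if callers must hold the lock that serializes access to the transaction, state that as well. The same description belongs on the prototype added in t_msgbuilder.h.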
diff --git a/src/modules/tm/t_msgbuilder.h b/src/modules/tm/t_msgbuilder.h
index 46969e0d69..e22bb0e1de 100644
--- a/src/modules/tm/t_msgbuilder.h
+++ b/src/modules/tm/t_msgbuilder.h
@@ -28,7 +28,6 @@
#include "h_table.h"
#include "t_reply.h"
-
#define CSEQ "CSeq: "
#define CSEQ_LEN (sizeof(CSEQ)-1)
#define TO "To: "
@@ -45,7 +44,6 @@
#define MAXFWD_HEADER "Max-Forwards: " MAXFWD_VALUE CRLF
#define MAXFWD_HEADER_LEN (sizeof(MAXFWD_HEADER) - 1)
-
char *build_local(struct cell *Trans, unsigned int branch,
unsigned int *len, char *method, int method_len, str *to
, struct cancel_reason* reason
@@ -92,4 +90,7 @@ int t_calc_branch(struct cell *t,
char* print_callid_mini(char* target, str callid);
char* print_cseq_mini(char* target, str* cseq, str* method);
+typedef void (*t_uas_request_clean_parsed_f)(tm_cell_t *t);
+void t_uas_request_clean_parsed(tm_cell_t *t);
+
#endif
diff --git a/src/modules/tm/tm_load.c b/src/modules/tm/tm_load.c
index 65515a3a28..8635b90eae 100644
--- a/src/modules/tm/tm_load.c
+++ b/src/modules/tm/tm_load.c
@@ -139,6 +139,7 @@ int load_tm( struct tm_binds *tmb)
tmb->t_next_contacts = t_next_contacts;
tmb->set_fr = t_set_fr;
tmb->t_release_transaction = t_release_transaction;
+ tmb->t_uas_request_clean_parsed = t_uas_request_clean_parsed;
return 1;
}
diff --git a/src/modules/tm/tm_load.h b/src/modules/tm/tm_load.h
index 8190ee977c..4695a8f7e1 100644
--- a/src/modules/tm/tm_load.h
+++ b/src/modules/tm/tm_load.h
@@ -38,6 +38,7 @@
#include "t_append_branches.h"
#include "t_stats.h"
#include "t_serial.h"
+#include "t_msgbuilder.h"
/* export not usable from scripts */
#define NO_SCRIPT -1
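Review bot: Including `t_msgbuilder.h` from `tm_load.h` exposes that header's short macros (`CSEQ`, `TO`, `MAXFWD_HEADER`, visible in the t_msgbuilder.h hunks of this commit) to any file that includes `tm_load.h`, apparently only to obtain one function-pointer typedef. Consider declaring `t_uas_request_clean_parsed_f` in `tm_load.h` itself or in a smaller header, so API users do not pick up message-builder internals. Whether any current includer collides with those names cannot be seen from this diff.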
@@ -122,6 +123,7 @@ struct tm_binds {
cmd_function t_next_contacts;
tset_fr_f set_fr;
trelease_t t_release_transaction;
+ t_uas_request_clean_parsed_f t_uas_request_clean_parsed;
};
typedef struct tm_binds tm_api_t;