Module: sip-router
Branch: master
Commit: 7faa58b0264cb77c991a21bd3b7e3d660596ad85
URL:
http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=7faa58b…
Author: Andrei Pelinescu-Onciul <andrei(a)iptel.org>
Committer: Andrei Pelinescu-Onciul <andrei(a)iptel.org>
Date: Wed Oct 20 18:38:11 2010 +0200
tm: fix possible uninit. use of cancel_reason
In some cases an uninitialized cancel_reason structure was used
(e.g. fake_reply() and relay_reply() failing).
Reported-by: Alex Balashov abalashov evaristesys com
---
modules/tm/t_cancel.c | 1 +
modules/tm/t_reply.c | 11 +++++++++++
modules/tm/timer.c | 1 +
3 files changed, 13 insertions(+), 0 deletions(-)
diff --git a/modules/tm/t_cancel.c b/modules/tm/t_cancel.c
index 277c415..c1b52be 100644
--- a/modules/tm/t_cancel.c
+++ b/modules/tm/t_cancel.c
@@ -225,6 +225,7 @@ int cancel_branch( struct cell *t, int branch,
irb=&t->uac[branch].request;
irb->flags|=F_RB_CANCELED;
ret=1;
+ init_cancel_info(&tmp_cd);
# ifdef EXTRA_DEBUG
if (crb->buffer!=BUSY_BUFFER) {
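Review bot: `init_cancel_info(&tmp_cd);` is placed in the middle of cancel_branch(), after `ret=1;`, so any path that reads tmp_cd before this point, or a later edit that adds one, would still see an uninitialized structure. The declaration of tmp_cd and the rest of the function body are outside this hunk, so this cannot be confirmed from here. Moving the call directly after the local declarations, as the timer.c hunk does in fake_reply(), would make the guarantee independent of control flow. If the placement is deliberate, a one-line comment such as `/* tmp_cd must be initialized before it is passed on */` would record why.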
diff --git a/modules/tm/t_reply.c b/modules/tm/t_reply.c
index fcf214d..382244f 100644
--- a/modules/tm/t_reply.c
+++ b/modules/tm/t_reply.c
@@ -1096,8 +1096,11 @@ static unsigned char drop_replies;
* Checks if the new reply (with new_code status) should be sent or not
* based on the current
* transaction status.
+ *
+ * @param cancel_data - initialized cancel_info structure.
* Returns - branch number (0,1,...) which should be relayed
* -1 if nothing to be relayed
+ * WARNING: cancel_data should be initialized prior to calling this function.
*/
static enum rps t_should_relay_response( struct cell *Trans , int new_code,
int branch , int *should_store, int *should_relay,
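Review bot: The added comment lines require cancel_data to be "initialized" without naming how, so the contract rests on convention alone. Naming the initializer makes it checkable at each call site, e.g. `@param cancel_data - cancel_info structure set up with init_cancel_info()`; the same wording fits the relay_reply() and local_reply() comments in the two following hunks, where the `@param` line and the WARNING line currently say the same thing twice. This commit adds the init call only in cancel_branch() and fake_reply(), so any callers of relay_reply() and local_reply() not visible in this diff should be checked for the same initialization, since reading an uninitialized structure is undefined behaviour. The function bodies continue outside the hunks.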
@@ -1576,6 +1579,10 @@ skip:
REPLY_LOCK and it returns unlocked!
If do_put_on_wait==1 and this is the final reply, the transaction
wait timer will be started (put_on_wait(t)).
+ *
+ * @param cancel_data - initialized cancel_info structure.
+ *
+ * WARNING: cancel_data should be initialized prior to calling this function.
*/
enum rps relay_reply( struct cell *t, struct sip_msg *p_msg, int branch,
unsigned int msg_status, struct cancel_info *cancel_data,
@@ -1851,6 +1858,10 @@ error01:
/* this is the "UAC" above transaction layer; if a final reply
is received, it triggers a callback; note well -- it assumes
it is entered locked with REPLY_LOCK and it returns unlocked!
+ *
+ * @param cancel_data - initialized cancel_info structure.
+ *
+ * WARNING: cancel_data should be initialized prior to calling this function.
*/
enum rps local_reply( struct cell *t, struct sip_msg *p_msg, int branch,
unsigned int msg_status, struct cancel_info *cancel_data)
diff --git a/modules/tm/timer.c b/modules/tm/timer.c
index a961675..a31a59c 100644
--- a/modules/tm/timer.c
+++ b/modules/tm/timer.c
@@ -303,6 +303,7 @@ static void fake_reply(struct cell *t, int branch, int code )
short do_cancel_branch;
enum rps reply_status;
+ init_cancel_info(&cancel_data);
do_cancel_branch = is_invite(t) && prepare_cancel_branch(t, branch, 0);
/* mark branch as canceled */
t->uac[branch].request.flags|=F_RB_CANCELED;