Module: sip-router Branch: 3.1 Commit: 292bab78715749066db5693b22b490fcbcfa4e4a URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=292bab78...
Author: Andrei Pelinescu-Onciul andrei@iptel.org Committer: Daniel-Constantin Mierla miconda@gmail.com Date: Wed Oct 20 18:38:11 2010 +0200
tm: fix possible uninit. use of cancel_reason
In some cases an uninitialized cancel_reason structure was used (e.g. fake_reply() and relay_reply() failing).
Reported-by: Alex Balashov abalashov evaristesys com (cherry picked from commit 7faa58b0264cb77c991a21bd3b7e3d660596ad85)
---
modules/tm/t_cancel.c | 1 + modules/tm/t_reply.c | 11 +++++++++++ modules/tm/timer.c | 1 + 3 files changed, 13 insertions(+), 0 deletions(-)
diff --git a/modules/tm/t_cancel.c b/modules/tm/t_cancel.c
index 277c415..c1b52be 100644
--- a/modules/tm/t_cancel.c
+++ b/modules/tm/t_cancel.c
@@ -225,6 +225,7 @@ int cancel_branch( struct cell *t, int branch,
 irb=&t->uac[branch].request;
 irb->flags|=F_RB_CANCELED;
 ret=1;
+ init_cancel_info(&tmp_cd);
# ifdef EXTRA_DEBUG if (crb->buffer!=BUSY_BUFFER) { diff --git a/modules/tm/t_reply.c b/modules/tm/t_reply.c index fcf214d..382244f 100644 --- a/modules/tm/t_reply.c +++ b/modules/tm/t_reply.c @@ -1096,8 +1096,11 @@ static unsigned char drop_replies; * Checks if the new reply (with new_code status) should be sent or not * based on the current * transaction status. + * + * @param cancel_data - initialized cancel_info structure. * Returns - branch number (0,1,...) which should be relayed * -1 if nothing to be relayed + * WARNING: cancel_data should be initialized prior to calling this function. */ static enum rps t_should_relay_response( struct cell *Trans , int new_code, int branch , int *should_store, int *should_relay, @@ -1576,6 +1579,10 @@ skip: REPLY_LOCK and it returns unlocked! If do_put_on_wait==1 and this is the final reply, the transaction wait timer will be started (put_on_wait(t)). + * + * @param cancel_data - initialized cancel_info structure. + * + * WARNING: cancel_data should be initialized prior to calling this function. */ enum rps relay_reply( struct cell *t, struct sip_msg *p_msg, int branch, unsigned int msg_status, struct cancel_info *cancel_data, @@ -1851,6 +1858,10 @@ error01: /* this is the "UAC" above transaction layer; if a final reply is received, it triggers a callback; note well -- it assumes it is entered locked with REPLY_LOCK and it returns unlocked! + * + * @param cancel_data - initialized cancel_info structure. + * + * WARNING: cancel_data should be initialized prior to calling this function. */ enum rps local_reply( struct cell *t, struct sip_msg *p_msg, int branch, unsigned int msg_status, struct cancel_info *cancel_data) diff --git a/modules/tm/timer.c b/modules/tm/timer.c index a961675..a31a59c 100644 --- a/modules/tm/timer.c +++ b/modules/tm/timer.c @@ -303,6 +303,7 @@ static void fake_reply(struct cell *t, int branch, int code ) short do_cancel_branch; enum rps reply_status;
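Review bot: The added `init_cancel_info(&tmp_cd);` sits after `ret=1;` in the middle of cancel_branch(), so it protects only the paths that pass through this line. The declaration of `tmp_cd` and any earlier use of it are outside the hunk and cannot be checked from here. Because the defect being fixed is a read of uninitialized stack data, I would move the call to directly after the declaration of `tmp_cd`, so that every path, including ones added later, starts from an initialized structure. In fake_reply() in timer.c the call already follows the local declarations, so the same concern does not apply there.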
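Review bot: The WARNING added to t_should_relay_response(), relay_reply() and local_reply() records the precondition, but nothing in the visible lines enforces it, so a caller this commit does not touch can still pass a cancel_info taken straight from the stack. Only two call sites are initialized here (cancel_branch() and fake_reply()); the remaining callers are outside the diff and should be checked for a local `struct cancel_info` that is passed on without `init_cancel_info()`. I would also name the initializer in the comment, e.g. `@param cancel_data - cancel_info already set up by the caller with init_cancel_info().`, so the requirement is actionable. The function bodies are outside these hunks, so whether they could initialize the structure themselves cannot be judged from here.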
+ init_cancel_info(&cancel_data);
 do_cancel_branch = is_invite(t) && prepare_cancel_branch(t, branch, 0);
 /* mark branch as canceled */
 t->uac[branch].request.flags|=F_RB_CANCELED;