Module: sip-router
Branch: sr_3.0
Commit: c6e33a080b218ec87184b216144e527cb41754da
URL:
http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=c6e33a0…
Author: Andrei Pelinescu-Onciul <andrei(a)iptel.org>
Committer: Andrei Pelinescu-Onciul <andrei(a)iptel.org>
Date: Thu Oct 15 17:58:05 2009 +0200
core: fix fixup_spve_* reuse after free
- fixup_spve_* functions have an optimization that checks if a
parsed format is a simple string and if this happens it frees
the fixed param and re-does the fixup with type==string.
However when freeing the result of the first fixup the original
string was freed too and the next string fixup would be
called with freed memory instead of a valid string.
(this bug was hidden before the memleak fix in af8f3e1536d)
---
mod_fix.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/mod_fix.c b/mod_fix.c
index 90a4a4d..53b12ea 100644
--- a/mod_fix.c
+++ b/mod_fix.c
@@ -197,7 +197,6 @@ FIXUP_F2FP_T(igp_pvar_pvar, 1, 3, 1, FPARAM_INT|FPARAM_PVS,
FPARAM_PVS)
int ret; \
char * bkp; \
fparam_t* fp; \
- bkp=*param; \
if (param_no<=(no1)){ \
if ((ret=fix_param_types(FPARAM_PVE, param))<0){ \
ERR("Cannot convert function parameter %d to" #type2 "\n", \
@@ -206,6 +205,8 @@ FIXUP_F2FP_T(igp_pvar_pvar, 1, 3, 1, FPARAM_INT|FPARAM_PVS,
FPARAM_PVS)
} else{ \
fp=(fparam_t*)*param; \
if ((ret==0) && (fp->v.pve->spec.getf==0)){ \
+ bkp=fp->orig; \
+ fp->orig=0; /* make sure orig string is not freed */ \
fparam_free_contents(fp); \
pkg_free(fp); \
*param=bkp; \
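Review bot: The comment on the added `fp->orig=0;` line says the string "is not freed" but not why it must survive, even though this line is where ownership of the original parameter string returns to `*param`. Since the commit message says the parameter is then re-fixed with type==string, I would word it as `/* detach orig: ownership returns to *param for the string re-fixup, so fparam_free_contents() must not free it */`. The fix relies on fparam_free_contents() skipping a null `orig` and on `fp->orig` being the same pointer that was originally passed in `*param`; neither is visible in this hunk, so both are worth confirming. The macro body starts before and continues after the hunk, so the re-fixup call itself is not shown here.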