Module: kamailio
Branch: master
Commit: a53b2fb68d555b07be479e41895937ae1c6318f6
URL:
https://github.com/kamailio/kamailio/commit/a53b2fb68d555b07be479e41895937a…
Author: Chris Double <chris.double(a)double.co.nz>
Committer: Chris Double <chris.double(a)double.co.nz>
Date: 2015-09-24T11:19:11+12:00
janssonrpc-c: Fix use after free
- Fix use after free due to pointer aliasing of 'arg' and 'a'
in server_backoff_cb.
- Fix use after free in force_disconnect
- Fix use after free in free_server_list
---
Modified: modules/janssonrpc-c/janssonrpc_connect.c
Modified: modules/janssonrpc-c/janssonrpc_server.c
---
Diff:
https://github.com/kamailio/kamailio/commit/a53b2fb68d555b07be479e41895937a…
Patch:
https://github.com/kamailio/kamailio/commit/a53b2fb68d555b07be479e41895937a…
---
diff --git a/modules/janssonrpc-c/janssonrpc_connect.c
b/modules/janssonrpc-c/janssonrpc_connect.c
index bfe66c9..76378d3 100644
--- a/modules/janssonrpc-c/janssonrpc_connect.c
+++ b/modules/janssonrpc-c/janssonrpc_connect.c
@@ -88,9 +88,13 @@ void force_disconnect(jsonrpc_server_t* server)
/* clean out requests */
jsonrpc_request_t* req = NULL;
+ jsonrpc_request_t* next = NULL;
int key = 0;
for (key=0; key < JSONRPC_DEFAULT_HTABLE_SIZE; key++) {
- for (req = request_table[key]; req != NULL; req = req->next) {
+ for (req = request_table[key]; req != NULL; req = next) {
+ /* fail_request frees req so need to store
+ next_req before call */
+ next = req->next;
if(req->server != NULL && req->server == server) {
fail_request(JRPC_ERR_SERVER_DISCONNECT, req,
"Failing request for server shutdown");
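Review bot: The comment added in the inner loop refers to `next_req`, but the variable this hunk declares is `next`; reword it, e.g. `/* fail_request() frees req, so read req->next before calling it */`. Saving the successor is only safe if fail_request() releases nothing except `req` itself. If it can also release another request chained in the same bucket, `next` would dangle just as `req->next` did; fail_request is not visible here, so that should be confirmed. force_disconnect's body starts and ends outside the hunk.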
@@ -128,9 +132,10 @@ void server_backoff_cb(int fd, short event, void *arg)
close(fd);
CHECK_AND_FREE_EV(a->ev);
- pkg_free(arg);
wait_server_backoff(timeout, a->server, false);
+
+ pkg_free(arg);
}
void wait_server_backoff(unsigned int timeout /* seconds */,
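Review bot: Nothing at the relocated `pkg_free(arg);` says why it must come last, so a later tidy-up could move it back above the `a->server` read and reintroduce the use after free. Since the commit message says `a` and `arg` alias the same allocation, a comment such as `/* a aliases arg: free only after the last use of a */` would pin the ordering. Freeing through the typed pointer (`pkg_free(a);`) would also make the aliasing visible at the call site. server_backoff_cb starts outside the hunk, so any earlier return paths and whether they release `arg` cannot be checked from here.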
diff --git a/modules/janssonrpc-c/janssonrpc_server.c
b/modules/janssonrpc-c/janssonrpc_server.c
index 09286bc..8f1fb06 100644
--- a/modules/janssonrpc-c/janssonrpc_server.c
+++ b/modules/janssonrpc-c/janssonrpc_server.c
@@ -591,8 +591,10 @@ void free_server_list(server_list_t* list)
return;
server_list_t* node = NULL;
- for(node=list; node!=NULL; node=node->next)
+ server_list_t* next = NULL;
+ for(node=list; node!=NULL; node=next)
{
+ next = node->next;
pkg_free(node);
}
}
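Review bot: The loop in free_server_list now uses the same save-then-free pattern as force_disconnect but carries no comment explaining it; add `/* read node->next before pkg_free(node) invalidates node */` above `next = node->next;`. The visible lines release only the list nodes. Whether anything a node refers to is owned and freed elsewhere cannot be told from this hunk and is worth stating in the function's header comment. The function starts outside the hunk.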