Module: sip-router Branch: master Commit: e6c0c2f9871eab5a73371d48dfa24e4ece2512d8 URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=e6c0c2f9...
Author: Daniel-Constantin Mierla miconda@gmail.com Committer: Daniel-Constantin Mierla miconda@gmail.com Date: Thu Jun 12 12:12:02 2014 +0200
acc: clear new parsed headers when evaluating acc attributes
- the structures are in pkg memory, while the request is taken from the shm clone, which can cause a reference into the memory space of another process - reported by Igor Potjevlesch
---
modules/acc/acc_logic.c | 14 ++++++++++++++ 1 files changed, 14 insertions(+), 0 deletions(-)
diff --git a/modules/acc/acc_logic.c b/modules/acc/acc_logic.c
index 051209c..b6aa0ad 100644
--- a/modules/acc/acc_logic.c
+++ b/modules/acc/acc_logic.c
@@ -489,6 +489,7 @@ static inline void acc_onreply( struct cell* t, struct sip_msg *req,
 {
 str new_uri_bk;
 int br = -1;
+ hdr_field_t *hdr;
/* acc_onreply is bound to TMCB_REPLY which may be called from _reply, like when FR hits; we should not miss this
@@ -551,6 +552,19 @@ static inline void acc_onreply( struct cell* t, struct sip_msg *req,
 req->new_uri = new_uri_bk;
 req->parsed_uri_ok = 0;
 }
+
+ /* free header's parsed structures that were added by resolving acc attributes */
+ for( hdr=req->headers ; hdr ; hdr=hdr->next ) {
+ if ( hdr->parsed && hdr_allocs_parse(hdr) &&
+ (hdr->parsed<(void*)t->uas.request ||
+ hdr->parsed>=(void*)t->uas.end_request)) {
+ /* header parsed filed doesn't point inside uas.request memory
+ * chunck -> it was added by resolving acc attributes -> free it as pkg */
+ DBG("removing hdr->parsed %d\n", hdr->type);
+ clean_hdr_field(hdr);
+ hdr->parsed = 0;
+ }
+ }
 }
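Review bot: The cleanup loop at the end of acc_onreply() runs only after the acc attributes have been evaluated, so while they are being resolved the shm-cloned request still carries `hdr->parsed` pointers into this process's pkg heap. If another process can work on the same transaction in that window (the hunk does not show whether the callback is serialized per transaction), it may read or free memory it does not own, which is the fault the commit message describes. The ownership test also assumes `req` is the clone bounded by `t->uas.request` and `t->uas.end_request`; if the callback can be entered with a different `req`, or with `t->uas.request` unset, every parsed header falls outside the range and is freed as pkg. I would state both assumptions in the comment above the loop, e.g. `/* req must be the shm clone t->uas.request; no other process may use it while the temporary pkg pointers exist */`, and fix the typos there (`filed` -> `field`, `chunck` -> `chunk`). The body of acc_onreply() starts outside the hunk.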