While building the sip uri in tel2sip() we have:
sip_uri.s = pkg_malloc(sip_uri.len)
But later in pv_set_ruri():
val->rs.s[val->rs.len] = '\0';
It's overwriting the q_malloc control structures (a classic type of bug already).
Kamailio will log a line like this before crashing: Mar 3 13:31:15 XXXXXXXX /opt/ims/sbin/kamailio[15030]: : <core> [mem/q_malloc.c:140]: qm_debug_frag(): BUG: qm_*: prev. fragm. tail overwritten(c0c0c000, abcdefed)[0x7feaf22bd558:0x7feaf22bd588]!
I get this crash with long "tel:" ruris, the ones that have a ";phone-context=" param. This patch fixes it.
You can view, comment on, or merge this pull request online at:
https://github.com/kamailio/kamailio/pull/534
-- Commit Summary --
* siputils: tel2sip(): fix 'off by one' when allocating memory
-- File Changes --
M modules/siputils/checks.c (2)
-- Patch Links --
https://github.com/kamailio/kamailio/pull/534.patch https://github.com/kamailio/kamailio/pull/534.diff
--- Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/pull/534
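To show how a debug allocator catches the one-byte overflow described in this pull request, here is an added example (not Kamailio code): a tiny arena allocator stores a known pattern right after every block, the way a q_malloc debug build does, and a tel2sip-style builder either allocates exactly len bytes (the bug) or len + 1 (the fix) before writing the terminator at s[len]. The URI shape, the arena layout, the pattern value and the sample tel: body are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Added example, not Kamailio code: a tiny arena allocator that, like a q_malloc
 * debug build, keeps a known pattern right after each block so a NUL written one
 * byte past the requested size is detectable. Layout and pattern are constructed. */
#define ARENA_SIZE   4096
#define TAIL_PATTERN 0xABCDEFEDu   /* every byte non-zero, so a '\0' always changes it */
static unsigned char arena[ARENA_SIZE];
static size_t arena_used;

/* Allocate n bytes and write the 4-byte tail pattern immediately after them. */
static char *dbg_alloc(size_t n) {
    if (arena_used + n + sizeof(uint32_t) > ARENA_SIZE) return NULL;
    char *p = (char *)arena + arena_used;
    uint32_t pat = TAIL_PATTERN;
    memcpy(p + n, &pat, sizeof pat);
    arena_used += n + sizeof(uint32_t);
    return p;
}

/* 1 if the pattern after an n-byte block is intact, 0 if it was overwritten. */
static int dbg_tail_intact(const char *p, size_t n) {
    uint32_t pat;
    memcpy(&pat, p + n, sizeof pat);
    return pat == TAIL_PATTERN;
}

/* Build "sip:<tel-body>@<domain>" (shape assumed) from a tel: URI body. fixed == 0
 * allocates exactly len bytes as the buggy tel2sip() did, fixed == 1 allocates len + 1;
 * then the terminator goes to s[len] as in pv_set_ruri(). Returns 1 if the tail
 * pattern survived, 0 if the NUL clobbered it, -1 on allocation failure. */
static int build_sip_uri(const char *tel_body, const char *domain, int fixed) {
    size_t blen = strlen(tel_body), len = 4 + blen + 1 + strlen(domain);
    size_t alloc = fixed ? len + 1 : len;
    char *s = dbg_alloc(alloc);
    if (!s) return -1;
    memcpy(s, "sip:", 4);
    memcpy(s + 4, tel_body, blen);
    s[4 + blen] = '@';
    memcpy(s + 5 + blen, domain, strlen(domain));
    s[len] = '\0';                 /* one byte past the block when fixed == 0 */
    return dbg_tail_intact(s, alloc);
}

int main(void) {
    const char *body = "+15551234567;phone-context=example.com";  /* constructed */
    printf("buggy alloc, tail intact: %d\n", build_sip_uri(body, "sip.example.com", 0));
    printf("fixed alloc, tail intact: %d\n", build_sip_uri(body, "sip.example.com", 1));
    return 0;
}
```

A real allocator such as q_malloc rounds the requested size up to its alignment, so the stray NUL lands in padding unless len is already a multiple of that alignment; that is why only some tel: URI lengths produce the "tail overwritten" BUG line and a crash rather than silent corruption.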
What version are you using? I haven't had the time to look at the code, just that I remember there was a similar fix at some point, maybe it was a regression afterwards ...
I am using master. Your fix for tel2sip was in 7992a2b8d42bb7e8bcf1738cf042013ed126a47a, it's similar, but it's not the same thing.
Ok, thanks for the clarification. So I guess it needs to be backported as well.
Merged #534.