While building the sip uri in tel2sip() we have:
sip_uri.s = pkg_malloc(sip_uri.len)
But later in pv_set_ruri():
val->rs.s[val->rs.len] = '\0';
It's overwriting the q_malloc control structures (a classic type of bug already).
Kamailio will log a line like this before crashing:
Mar 3 13:31:15 XXXXXXXX /opt/ims/sbin/kamailio[15030]: : <core>
[mem/q_malloc.c:140]: qm_debug_frag(): BUG: qm_*: prev. fragm. tail overwritten(c0c0c000,
abcdefed)[0x7feaf22bd558:0x7feaf22bd588]!
I get this crash with long "tel:" ruris, the ones that have a
";phone-context=" param .
This patch fixes it.
You can view, comment on, or merge this pull request online at:
https://github.com/kamailio/kamailio/pull/534
-- Commit Summary --
* siputils: tel2sip(): fix 'off by one' when allocating memory
-- File Changes --
M modules/siputils/checks.c (2)
-- Patch Links --
https://github.com/kamailio/kamailio/pull/534.patch
https://github.com/kamailio/kamailio/pull/534.diff
---
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/pull/534