Module: kamailio Branch: 4.0 Commit: e9fd10a19a6d3cc0de6c51fce2669a890ab61199 URL: https://github.com/kamailio/kamailio/commit/e9fd10a19a6d3cc0de6c51fce2669a89...
Author: Timo Teräs timo.teras@iki.fi Committer: Timo Teräs timo.teras@iki.fi Date: 2015-04-16T12:55:14+03:00
sqlops: fix use-after-free by deep copying result name
When creating a new result handle, deep copy the result name. Otherwise we might end up accessing the name after it's freed.
(cherry picked from commit 6e2604464e64cfaaf1e0327228f53f4787b69470)
---
Modified: modules/sqlops/sql_api.c
---
Diff: https://github.com/kamailio/kamailio/commit/e9fd10a19a6d3cc0de6c51fce2669a89... Patch: https://github.com/kamailio/kamailio/commit/e9fd10a19a6d3cc0de6c51fce2669a89...
---
diff --git a/modules/sqlops/sql_api.c b/modules/sqlops/sql_api.c
index bbf86c8..007afd6 100644
--- a/modules/sqlops/sql_api.c
+++ b/modules/sqlops/sql_api.c
@@ -199,14 +199,16 @@ sql_result_t* sql_get_result(str *name)
 			return sr;
 		sr = sr->next;
 	}
-	sr = (sql_result_t*)pkg_malloc(sizeof(sql_result_t));
+	sr = (sql_result_t*)pkg_malloc(sizeof(sql_result_t) + name->len);
 	if(sr==NULL)
 	{
 		LM_ERR("no pkg memory\n");
 		return NULL;
 	}
 	memset(sr, 0, sizeof(sql_result_t));
-	sr->name = *name;
+	memcpy(sr+1, name->s, name->len);
+	sr->name.s = (char *)(sr + 1);
+	sr->name.len = name->len;
 	sr->resid = resid;
 	sr->next = _sql_result_root;
 	_sql_result_root = sr;
@@ -665,6 +667,7 @@ void sql_destroy(void)
 		pkg_free(r);
 		r = r0;
 	}
+	_sql_result_root = NULL;
 }
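Review bot: The copied name now lives inside the same pkg_malloc block as the handle (`sr->name.s = (char *)(sr + 1)`), so it must never be released on its own; if any other path frees `name.s` separately, that becomes an invalid free of an interior pointer and the single `pkg_free(r)` in sql_destroy is the only correct release. I would state the layout where the pointer is set: `/* name is stored inline right after the struct and is freed together with sr */`. The allocation size `sizeof(sql_result_t) + name->len` is also not validated; since `str.len` is a signed int, a negative or absurd length coming from script input would produce a wrong-sized allocation before the memcpy, so a guard such as `if(name->len < 0) return NULL;` before pkg_malloc would be cheap. The enclosing function sql_get_result starts outside the hunk.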
/**