Branch: refs/heads/3.0 Home: https://github.com/OpenSIPS/opensips Commit: da488403c71b3effb994c7e95310f059fa36ff2c https://github.com/OpenSIPS/opensips/commit/da488403c71b3effb994c7e95310f059fa36ff2c Author: Walter Doekes <walter+git...@wjd.nu> Date: 2020-09-02 (Wed, 02 Sep 2020)
Changed paths: M modules/usrloc/dlist.c Log Message: ----------- Fix next_hop crash (seen in nathelper nh_timer) due to reading reused mem Problem: - get_domain_db_ucontacts (through get_domain_ucontacts) was handing out (next_hop) pointers to memory that was unused. This resulted in a crash when this memory was reused before the invalid pointer was reused. Relevant issues and commits: - #1652 [OpenSIPS crashes since of child that serves rtpproxy] - e162f5f10 [fix 1652: usrloc: make next_hop point within the shared buffer] - #1710 [nathelper next_hop off by one for usrloc path] - 0300eb1d5 [fix 1710 / revert 1652: usrloc: fix next hop compute for ...] That is: e162f5f10 fixes this exact problem in get_domain_db_ucontacts, in get_domain_mem_ucontacts and in get_domain_cdb_ucontacts (cdb_pack_ping_data). But in 0300eb1d5 it is reverted for only get_domain_db_ucontacts. This fix: - Rewrites the fix for get_domain_db_ucontacts and get_domain_cdb_ucontacts, making it less fragile/bug-prone. - Adds comments about fragility to get_domain_mem_ucontacts - Fixed unaligned memcpy that might affect non-intel CPUs: `((struct proxy_l *)cp)->name.s = next_hop_host` Bug reported and fix tested by Jasper Hafkenscheid @hafkensite (VoIPGRID). (cherry picked from commit 5a6b3abe41a2eaed961a530675f6441a692e8640) _______________________________________________ Devel mailing list Devel@lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/devel