Bugs item #1468407, was opened at 2006-04-11 19:55
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=756076&aid=1468407&group_id=143636
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Roland Kay (rkay)
Assigned to: Nobody/Anonymous (nobody)
Summary: Crash on unregister due to missing error check
Initial Comment:
This is with version: 1.11.7
register_expires_contacts() dereferences the passed sip
pointer:
static void
register_expires_contacts(msg_t *msg, sip_t *sip)
{
  su_home_t *h = msg_home(msg);
  sip_contact_t *m;

  if (sip->sip_contact) {   <--------
  ...
register_expires_contacts() is called from
nua_stack_register() if the operation is an unregister
(as opposed to a register):
int
nua_stack_register(nua_t *nua, nua_handle_t *nh,
                   nua_event_t e, tagi_t const *tags)
{
  ...
  if (du) {
    if (du->du_msg)
      cr->cr_msg = msg_ref_create(du->du_msg);
    msg = nua_creq_msg(nua, nh, cr, cr->cr_msg != NULL,
                       SIP_METHOD_REGISTER,
                       NUTAG_ADD_CONTACT(1),
                       TAG_IF(!registering,
                              NUTAG_USE_DIALOG(1)),
                       TAG_NEXT(tags));
  }
  sip = sip_object(msg);
However, nua_creq_msg() can (and does) fail, returning
NULL. This in turn causes sip to be NULL, which means
that we seg fault in register_expires_contacts().
----------------------------------------------
Other observations:
In the present case it is this fragment that is
destroying the msg:
msg_t *nua_creq_msg(nua_t *nua, nua_handle_t *nh,
                    struct nua_client_request *cr,
                    int restart,
                    sip_method_t method, char const *name,
                    tag_type_t tag, tag_value_t value, ...)
...
...
  if ((sip_add_tl(msg, sip,
                  TAG_IF(method != sip_method_register,
                         SIPTAG_ROUTE(nua->nua_service_route)),
                  ta_tags(ta)) < 0)
      || (ds->ds_remote_tag &&
          sip_to_tag(nh->nh_home, sip->sip_to,
                     ds->ds_remote_tag) < 0)
      || nta_msg_request_complete(msg,
                                  nua->nua_dhandle->nh_ds->ds_leg,
                                  method, name, url) < 0
      || (sip->sip_from == NULL &&
Specifically, nta_msg_request_complete() is returning
-1 and so msg_destroy() is called and msg is set to NULL.
From the code, it is far from clear that the rest of
this function takes account of the fact that msg may be
NULL. In particular, lines 1759 to 1786 appear to try
to manipulate the now destroyed msg. This appears to be
non-fatal, but nevertheless doesn't seem to be a good idea.
----------------------------------------------------------------------
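A constructed C model of the failure path the report describes, added here and not code from Sofia-SIP or from the reporter: build_request() stands in for nua_creq_msg() (destroying the message and returning NULL when completion fails), expires_contacts() for register_expires_contacts(), and the two callers show the unchecked pattern beside the one with the missing NULL check added. Every name in the block is hypothetical.

```c
#include <stddef.h>
#include <stdlib.h>

/* Constructed stand-ins for the msg_t / sip_t pair in the report;
 * not Sofia-SIP's real definitions. */
typedef struct { int has_contact; } sip_t;
typedef struct { sip_t sip; } msg_t;

/* Model of the request builder: like nua_creq_msg() in the report it
 * destroys the message and returns NULL when completing it fails. */
static msg_t *build_request(int complete_fails)
{
    msg_t *msg = calloc(1, sizeof *msg);
    if (msg == NULL)
        return NULL;
    msg->sip.has_contact = 1;
    if (complete_fails) {   /* nta_msg_request_complete() < 0 */
        free(msg);          /* msg_destroy(msg); msg = NULL; */
        return NULL;
    }
    return msg;
}

/* sip_object() in the report yields NULL for a NULL msg. */
static sip_t *sip_object(msg_t *msg) { return msg ? &msg->sip : NULL; }

/* Mirrors register_expires_contacts(): dereferences sip unconditionally. */
static int expires_contacts(sip_t *sip) { return sip->has_contact; }

/* Unchecked caller, the pattern in the report: when build_request()
 * fails, sip is NULL and expires_contacts() dereferences it. */
int unregister_unchecked(int complete_fails)
{
    msg_t *msg = build_request(complete_fails);
    sip_t *sip = sip_object(msg);
    int r = expires_contacts(sip);
    free(msg);
    return r;
}

/* Checked caller: report the failure before anything touches sip. */
int unregister_checked(int complete_fails)
{
    msg_t *msg = build_request(complete_fails);
    if (msg == NULL)
        return -1;          /* the missing error check */
    sip_t *sip = sip_object(msg);
    int r = expires_contacts(sip);
    free(msg);
    return r;
}
```

Calling unregister_unchecked(1) reproduces the crash; unregister_checked(1) returns -1 instead.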
-------------------------------------------------------
_______________________________________________
Sofia-sip-devel mailing list
https://lists.sourceforge.net/lists/listinfo/sofia-sip-devel