Bugs item #1468407, was opened at 2006-04-11 14:55
Message generated for change (Comment added) made by ppessi
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=756076&aid=1468407&group_id=143636

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: None
Group: None
>Status: Closed
>Resolution: Fixed
Priority: 5
Submitted By: Roland Kay (rkay)
Assigned to: Nobody/Anonymous (nobody)
Summary: Crash on unregister due to missing error check

Initial Comment:
This is with version: 1.11.7

register_expires_contacts() dereferences the passed sip
pointer:

static void 
register_expires_contacts(msg_t *msg, sip_t *sip)
{
  su_home_t *h = msg_home(msg);
  sip_contact_t *m;

  if (sip->sip_contact) {             <--------
      ...


register_expires_contacts() is called from
nua_stack_register() if the operation is an unregister
(as opposed to a register):

int
nua_stack_register(nua_t *nua, nua_handle_t *nh,
                   nua_event_t e, tagi_t const *tags)
{
...

  if (du) {
    if (du->du_msg)
      cr->cr_msg = msg_ref_create(du->du_msg);

    msg = nua_creq_msg(nua, nh, cr, cr->cr_msg != NULL,
                     SIP_METHOD_REGISTER,
                     NUTAG_ADD_CONTACT(1),
                     TAG_IF(!registering, 
                     NUTAG_USE_DIALOG(1)),
                     TAG_NEXT(tags));
  }

  sip = sip_object(msg);

However, nua_creq_msg() can (and does) fail, returning
NULL. This in turn causes sip to be NULL, which means
that we segfault in register_expires_contacts().

----------------------------------------------

Other observations:

In the present case it is this fragment that is
destroying the msg:

msg_t *nua_creq_msg(nua_t *nua, nua_handle_t *nh,
                  struct nua_client_request *cr,
                  int restart,
                  sip_method_t method, char const *name,
                  tag_type_t tag, tag_value_t value, ...)
...
...

  if ((sip_add_tl(msg, sip,
                  TAG_IF(method != sip_method_register,
                         SIPTAG_ROUTE(nua->nua_service_route)),
                  ta_tags(ta)) < 0)
      || (ds->ds_remote_tag &&
          sip_to_tag(nh->nh_home, sip->sip_to, ds->ds_remote_tag) < 0)
      || nta_msg_request_complete(msg, nua->nua_dhandle->nh_ds->ds_leg,
                                  method, name, url) < 0
      || (sip->sip_from == NULL &&

Specifically, nta_msg_request_complete() is returning
-1 and so msg_destroy() is called and msg is set to NULL.

From the code, it is far from clear that the rest of
this function takes account of the fact that msg may be
NULL. In particular, lines 1759 to 1786 appear to try
to manipulate the now destroyed msg. This appears to be
non-fatal, but nevertheless doesn't seem to be a good idea.



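The failure mode described in the report, as an added example that is not sofia-sip's code: constructed stand-ins for msg_t/sip_t and for a request builder that, like nua_creq_msg(), destroys the message and returns NULL when request completion fails, with the unchecked caller from the report beside a caller that treats a NULL message as an error. The mock_* names, the complete_fails flag and the contact value are assumptions made for the example.

```c
#include <stdlib.h>

/* Constructed stand-ins for sofia-sip's sip_t and msg_t (hypothetical). */
typedef struct { const char *contact; } sip_t;
typedef struct { sip_t sip; } msg_t;

/* Models nua_creq_msg(): when completing the request fails (the report's
 * nta_msg_request_complete() < 0 case) the message is destroyed and the
 * caller gets NULL. */
static msg_t *mock_creq_msg(int complete_fails)
{
    msg_t *msg = calloc(1, sizeof *msg);
    if (msg == NULL)
        return NULL;
    msg->sip.contact = "<sip:alice@example.com>";   /* constructed value */
    if (complete_fails) {
        free(msg);                                  /* msg_destroy() */
        return NULL;                                /* msg = NULL */
    }
    return msg;
}

/* Models sip_object(): NULL in, NULL out. */
static sip_t *mock_sip_object(msg_t *msg) { return msg ? &msg->sip : NULL; }

/* The pattern from the report: sip is used without checking whether the
 * request could be built, so complete_fails != 0 dereferences NULL. */
static int unregister_unchecked(int complete_fails)
{
    msg_t *msg = mock_creq_msg(complete_fails);
    sip_t *sip = mock_sip_object(msg);
    int has_contact = sip->contact != NULL;         /* crash if sip == NULL */
    free(msg);
    return has_contact;
}

/* Hardened form: a NULL message is a failed request; report -1 before
 * anything touches sip. */
static int unregister_checked(int complete_fails)
{
    msg_t *msg = mock_creq_msg(complete_fails);
    sip_t *sip = mock_sip_object(msg);
    if (msg == NULL || sip == NULL)
        return -1;
    int has_contact = sip->contact != NULL;
    free(msg);
    return has_contact;
}
```

Calling unregister_unchecked(1) reproduces the NULL dereference; unregister_checked(1) returns -1 on the same input.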
----------------------------------------------------------------------

>Comment By: Pekka Pessi (ppessi)
Date: 2006-04-27 19:47

Message:
Logged In: YES 
user_id=52043

Fixed in release 1.11.8.
Darcs patch
20060426071036-65a35-2dc37749cda4979b276ad0384fc5ec7a01dcfd32.
CVS revision 1.8 of nua_register.c.

----------------------------------------------------------------------



_______________________________________________
Sofia-sip-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/sofia-sip-devel
