Module: kamailio Branch: master Commit: c958cc7a1dcad00c4bb36f79d539bbb96f135642 URL: https://github.com/kamailio/kamailio/commit/c958cc7a1dcad00c4bb36f79d539bbb96f135642
Author: Norm Brandinger <[email protected]> Committer: Henning Westerholt <[email protected]> Date: 2026-02-19T12:39:16+01:00 dialog: fix race condition in link_dlg_profile Move link_profile() call inside the dialog entry lock in link_dlg_profile(). Without this, a linker added to the dialog's profile list becomes visible to destroy_linkers() before it is inserted into the profile hash table. If destroy_linkers() runs in that window, it sees hash_linker.next as NULL, skips the hash table unlink, and frees the linker. The subsequent link_profile() call then operates on freed memory, corrupting the profile hash table. This causes SIGSEGV in get_profile_size() (NULL pointer in hash chain traversal) or an infinite loop when hash buckets become cross-linked. GH #2923 --- Modified: src/modules/dialog/dlg_profile.c --- Diff: https://github.com/kamailio/kamailio/commit/c958cc7a1dcad00c4bb36f79d539bbb96f135642.diff Patch: https://github.com/kamailio/kamailio/commit/c958cc7a1dcad00c4bb36f79d539bbb96f135642.patch --- diff --git a/src/modules/dialog/dlg_profile.c b/src/modules/dialog/dlg_profile.c index 9fc1a9795df..80fac2d5907 100644 --- a/src/modules/dialog/dlg_profile.c +++ b/src/modules/dialog/dlg_profile.c @@ -518,15 +518,16 @@ static void link_dlg_profile( linker->next = dlg->profile_links; dlg->profile_links = linker; linker->hash_linker.dlg = dlg; + link_profile(linker, &dlg->callid); dlg_unlock(d_table, d_entry); } else { linker->next = dlg->profile_links; dlg->profile_links = linker; linker->hash_linker.dlg = dlg; + link_profile(linker, &dlg->callid); } atomic_or_int((volatile int *)&dlg->dflags, DLG_FLAG_CHANGED_PROF); - link_profile(linker, &dlg->callid); } _______________________________________________ Kamailio - Development Mailing List -- [email protected] To unsubscribe send an email to [email protected] Important: keep the mailing list in the recipients, do not reply only to the sender!
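Review bot: In the else branch, link_profile(linker, &dlg->callid) now runs with no dlg_lock()/dlg_unlock() pair visible around it, so the window described in the commit message is only closed on that path if the caller already holds the dialog entry lock; a short comment on the else branch stating that precondition would make the invariant explicit. Calling link_profile() before dlg_unlock(d_table, d_entry) in the first branch also nests whatever locking link_profile() does internally (not shown in this hunk) under the dialog entry lock, so it is worth confirming that destroy_linkers() and any other path that takes both acquires them in the same order. The four lines now duplicated in both branches (the two list assignments, hash_linker.dlg and link_profile()) could be hoisted into a small helper so that publishing the linker on dlg->profile_links and inserting it into the profile hash table cannot drift apart again.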
