Module: sip-router
Branch: 3.2
Commit: d50bf0933db8925d75da09de0036d559c9b34b64
URL:    
http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=d50bf0933db8925d75da09de0036d559c9b34b64

Author: pd <[email protected]>
Committer: pd <[email protected]>
Date:   Sat Nov 19 22:44:21 2011 +0000

modules_k/xcap_server: xcaps_buf sometimes freed in w_xcaps_put()

- The buffer is alloc'd at module startup so should not be freed here.
- When freed here the buffer memory can be alloc'd for other things and then
  future XCAP server operations will trample over it causing segmentation
  faults.
- Fix by Hugh Waite @ Crocodile RCS.

---

 modules_k/xcap_server/xcap_server.c |   16 +++++++---------
 1 files changed, 7 insertions(+), 9 deletions(-)

diff --git a/modules_k/xcap_server/xcap_server.c 
b/modules_k/xcap_server/xcap_server.c
index 33f5629..66dac1f 100644
--- a/modules_k/xcap_server/xcap_server.c
+++ b/modules_k/xcap_server/xcap_server.c
@@ -474,29 +474,25 @@ static int w_xcaps_put(sip_msg_t* msg, char* puri, char* 
ppath,
 
        xm = (pv_elem_t*)pbody;
        body.len = xcaps_buf.len - 1;
-       body.s   = xcaps_buf.s;
-       if(pv_printf(msg, xm, body.s, &body.len)<0)
+       if(pv_printf(msg, xm, xcaps_buf.s, &body.len)<0)
        {
                LM_ERR("unable to get body\n");
                goto error;
        }
-       if(body.s==NULL || body.len <= 0)
+       if(body.len <= 0)
        {
                LM_ERR("invalid body parameter\n");
                goto error;
        }
-       nbuf.s = (char*)pkg_malloc(body.len+1);
-       if(nbuf.s==NULL)
+       body.s = (char*)pkg_malloc(body.len+1);
+       if(body.s==NULL)
        {
                LM_ERR("no more pkg\n");
-               body.s = NULL;
                goto error;
        }
 
-       memcpy(nbuf.s, body.s, body.len);
-       body.s = nbuf.s;
+       memcpy(body.s, xcaps_buf.s, body.len);
        body.s[body.len] = '\0';
-       nbuf.s = NULL;
 
        if(parse_uri(uri.s, uri.len, &turi)!=0)
        {
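Review bot: The two early `goto error` exits in this hunk (the pv_printf() failure and `body.len <= 0`) now run before `body.s` has been assigned, so the fix is only safe if `body` is zero-initialised at its declaration and the `error:` label frees `body.s` only when it is non-NULL. Both the declaration and the label are outside the hunk and should be confirmed. If the declaration is a bare `str body;`, the error path would hand an indeterminate pointer to pkg_free(), which is the same kind of heap corruption this commit removes; `str body = {0, 0};` closes that. `nbuf` appears to be unused after this change, so its declaration can presumably be dropped. A short comment above the pv_printf() call, such as `/* xcaps_buf is module-lifetime scratch; body.s is a private pkg copy owned by this function */`, would keep the ownership rule visible to the next editor.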
@@ -517,6 +513,8 @@ static int w_xcaps_put(sip_msg_t* msg, char* puri, char* 
ppath,
        {
                xcaps_send_reply(msg, 412, &xcaps_str_precon, &xcaps_str_empty,
                                &xcaps_str_empty, &xcaps_str_empty);
+
+               pkg_free(body.s);
                return -2;
        }
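Review bot: The `pkg_free(body.s)` added before `return -2` patches a single exit by hand, but every other exit reached after the pkg_malloc() must release the same buffer. The function continues outside the hunk, so any later `return` that bypasses the `error:` label needs the same check. Routing this 412 branch through a shared cleanup label with a saved return code would keep ownership of `body.s` in one place. If the manual free stays, adding `body.s = NULL;` after it guards against a later edit turning the `return` into a `goto error` and freeing the buffer twice.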
 

