[OpenSIPS-Devel] [OpenSIPS/opensips] df67ba: Fix next_hop crash (seen in nathelper nh_timer) du...

Walter Doekes noreply at github.com
Wed Sep 2 08:46:04 EST 2020


  Branch: refs/heads/3.1
  Home:   https://github.com/OpenSIPS/opensips
  Commit: df67bac58b260ec426c945c58859978a78c6b67d
      https://github.com/OpenSIPS/opensips/commit/df67bac58b260ec426c945c58859978a78c6b67d
  Author: Walter Doekes <walter+github at wjd.nu>
  Date:   2020-09-02 (Wed, 02 Sep 2020)

  Changed paths:
    M modules/usrloc/dlist.c

  Log Message:
  -----------
  Fix next_hop crash (seen in nathelper nh_timer) due to reading reused mem

Problem:

- get_domain_db_ucontacts (through get_domain_ucontacts) was handing out
  (next_hop) pointers to memory that was unused. This resulted in a
  crash when this memory was reused before the invalid pointer was
  reused.

Relevant issues and commits:

- #1652 [OpenSIPS crashes since of child that serves rtpproxy]
- e162f5f10 [fix 1652: usrloc: make next_hop point within the shared buffer]
- #1710 [nathelper next_hop off by one for usrloc path]
- 0300eb1d5 [fix 1710 / revert 1652: usrloc: fix next hop compute for ...]

That is: e162f5f10 fixes this exact problem in get_domain_db_ucontacts, in
get_domain_mem_ucontacts and in get_domain_cdb_ucontacts (cdb_pack_ping_data).

But in 0300eb1d5 it is reverted for only get_domain_db_ucontacts.

This fix:

- Rewrites the fix for get_domain_db_ucontacts and
  get_domain_cdb_ucontacts, making it less fragile/bug-prone.
- Adds comments about fragility to get_domain_mem_ucontacts.
- Fixes an unaligned memcpy that might affect non-Intel CPUs:
  `((struct proxy_l *)cp)->name.s = next_hop_host`

Bug reported and fix tested by Jasper Hafkenscheid @hafkensite (VoIPGRID).

(cherry picked from commit 5a6b3abe41a2eaed961a530675f6441a692e8640)
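As an added illustration of the two points the commit message makes (make the packed record's next_hop pointer refer to bytes inside the shared buffer, and store the struct through memcpy rather than through a cast of a char pointer), here is example C code that is not OpenSIPS's own; `str`, `struct proxy_l`, `pack_contacts`, `check_record` and `demo` are simplified, assumed names modelled on the message, not the project's real definitions.

```c
/* Added example, not OpenSIPS code; types and names are assumptions. */
#include <stddef.h>
#include <string.h>
typedef struct { char *s; int len; } str;
struct proxy_l { str name; unsigned short port; };

/* Pack [struct proxy_l][name bytes] records; name.s points INTO buf. Returns bytes used, 0 if cap too small. */
size_t pack_contacts(const char **hosts, int n, char *buf, size_t cap)
{
    char *cp = buf;
    for (int i = 0; i < n; i++) {
        size_t len = strlen(hosts[i]), need = sizeof(struct proxy_l) + len;
        if ((size_t)(buf + cap - cp) < need) return 0;
        char *next_hop_host = cp + sizeof(struct proxy_l);
        memcpy(next_hop_host, hosts[i], len);          /* copy, do not alias caller memory */
        struct proxy_l p = { { next_hop_host, (int)len }, 5060 };
        /* cp is only char-aligned: store via memcpy, not
         * ((struct proxy_l *)cp)->name.s = next_hop_host */
        memcpy(cp, &p, sizeof p);
        cp += need;
    }
    return (size_t)(cp - buf);
}

/* Read record idx back (also via memcpy); 1 iff name.s lies inside buf and its bytes equal expect. */
int check_record(const char *buf, size_t used, int idx, const char *expect)
{
    const char *cp = buf;
    for (int i = 0; (size_t)(cp - buf) + sizeof(struct proxy_l) <= used; i++) {
        struct proxy_l p;
        memcpy(&p, cp, sizeof p);
        if (i == idx)
            return p.name.s >= buf && p.name.s + p.name.len <= buf + used
                && p.name.len == (int)strlen(expect)
                && memcmp(p.name.s, expect, (size_t)p.name.len) == 0;
        cp += sizeof p + (size_t)p.name.len;
    }
    return 0;
}

/* Source strings are scribbled over after packing (simulating reuse); records must still read back. */
int demo(void)
{
    char src0[] = "10.0.0.1", src1[] = "sip.example.net";    /* constructed sample hosts */
    const char *hosts[] = { src0, src1 };
    char buf[128], small[8];
    size_t used = pack_contacts(hosts, 2, buf, sizeof buf);
    size_t none = pack_contacts(hosts, 2, small, sizeof small);
    memset(src0, 'X', sizeof src0 - 1); memset(src1, 'X', sizeof src1 - 1);
    return used != 0 && none == 0 && check_record(buf, used, 0, "10.0.0.1")
        && check_record(buf, used, 1, "sip.example.net");
}
```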
