[OpenSIPS-Devel] [OpenSIPS/opensips] 6ebbd9: dialog: Fix crash due to a "tmp SDP" race condition
Liviu Chircu
noreply at github.com
Tue Jan 5 10:57:05 EST 2021
Branch: refs/heads/master
Home: https://github.com/OpenSIPS/opensips
Commit: 6ebbd9a2d68772ff840db8a38fcc7f2f786b527b
https://github.com/OpenSIPS/opensips/commit/6ebbd9a2d68772ff840db8a38fcc7f2f786b527b
Author: Liviu Chircu <liviu at opensips.org>
Date: 2021-01-05 (Tue, 05 Jan 2021)
Changed paths:
M modules/dialog/dlg_handlers.c
M modules/dialog/dlg_hash.h
Log Message:
-----------
dialog: Fix crash due to a "tmp SDP" race condition
This fixes a race condition on the following code which runs, e.g., on a
200 OK to a Re-INVITE (added in d447626c2531):
if (dlg->legs[leg].tmp_out_sdp.s) {
shm_free(dlg->legs[leg].tmp_out_sdp.s);
dlg->legs[leg].tmp_out_sdp.s = 0; <--- we are here
dlg->legs[leg].tmp_out_sdp.len = 0;
}
At this point, if the Re-INVITE is retransmitted and, e.g.,
dlg_callee_reinv_onreq_out() is run, the code may read a corrupt str
value from "tmp_out_sdp" (e.g. {NULL, 172}), which will crash in
shm_str_sync().
Many thanks to Ken Rice for the report!
More information about the Devel
mailing list