[OpenSIPS-Devel] [OpenSIPS/opensips] 7c92ff: dialog: Fix crash due to a "tmp SDP" race condition
Liviu Chircu
noreply at github.com
Tue Jan 12 18:07:59 EST 2021
Branch: refs/heads/3.0
Home: https://github.com/OpenSIPS/opensips
Commit: 7c92fff2b0ea7c5a1c2934733679e30a4b363330
https://github.com/OpenSIPS/opensips/commit/7c92fff2b0ea7c5a1c2934733679e30a4b363330
Author: Liviu Chircu <liviu at opensips.org>
Date: 2021-01-12 (Tue, 12 Jan 2021)
Changed paths:
M modules/dialog/dlg_handlers.c
M modules/dialog/dlg_hash.h
Log Message:
-----------
dialog: Fix crash due to a "tmp SDP" race condition
This fixes a race condition on the following code which runs, e.g., on a
200 OK to a Re-INVITE (added in d447626c2531):
    if (dlg->legs[leg].tmp_out_sdp.s) {
        shm_free(dlg->legs[leg].tmp_out_sdp.s);
        dlg->legs[leg].tmp_out_sdp.s = 0;   <--- we are here
        dlg->legs[leg].tmp_out_sdp.len = 0;
    }
At this point, if the Re-INVITE is retransmitted and, e.g.,
dlg_callee_reinv_onreq_out() is run, the code may read a corrupt str
value from "tmp_out_sdp" (e.g. {NULL, 172}), which will crash in
shm_str_sync().
Many thanks to Ken Rice for the report!
(cherry picked from commit 6ebbd9a2d68772ff840db8a38fcc7f2f786b527b)
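The torn-value window the commit message describes, as an added illustration that is not OpenSIPS code and not the upstream fix: a two-field counted string is cleared in the quoted order (free, s = 0, len = 0) while a simulated reader runs between the last two stores and sees {NULL, 172}. The str type, the observer hook and the 172-byte payload are constructed here; the second clearing order is only an alternative shown for contrast.

```c
#include <stdlib.h>
#include <string.h>

/* Counted string in the shape of OpenSIPS's "str" (assumed: pointer plus length). */
typedef struct { char *s; int len; } str;

/* Records what a concurrent reader would have observed. */
typedef struct { int saw_torn; } observer;

/* A torn value is a NULL pointer with a non-zero length, e.g. {NULL, 172}:
 * a reader doing memcpy(dst, v->s, v->len) on it dereferences NULL. */
int str_is_torn(const str *v) { return v->s == NULL && v->len != 0; }

/* Clearing order quoted in the commit message: free, s = 0, then len = 0.
 * 'observe' stands in for a reader scheduled between two of the stores. */
void clear_as_in_commit(str *v, void (*observe)(const str *, observer *), observer *o) {
    if (v->s) {
        free(v->s);
        v->s = 0;
        observe(v, o);      /* reader runs here and sees {NULL, old len} */
        v->len = 0;
    }
}

/* Alternative store order (constructed for contrast, not the upstream fix):
 * publish len = 0 before dropping the pointer, so no reader sees {NULL, n>0}. */
void clear_len_first(str *v, void (*observe)(const str *, observer *), observer *o) {
    if (v->s) {
        char *old = v->s;
        v->len = 0;
        observe(v, o);      /* reader runs here and sees {old ptr, 0} */
        v->s = 0;
        free(old);
    }
}

void record(const str *v, observer *o) { if (str_is_torn(v)) o->saw_torn = 1; }

/* Allocates a constructed 172-byte placeholder (not real SDP), runs one
 * clearing routine, and returns 1 if the simulated reader saw a torn str. */
int run_scenario(void (*clear)(str *, void (*)(const str *, observer *), observer *)) {
    str v; observer o = {0};
    v.len = 172;
    v.s = malloc(v.len);
    memset(v.s, 'v', v.len);
    clear(&v, record, &o);
    return o.saw_torn;
}
```

Reordering the stores only removes the {NULL, n>0} shape; a reader that copied the old pointer before the free can still use freed memory, so the shared dialog state still needs the lock the real module holds around such updates.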