[OpenSIPS-Devel] [OpenSIPS/opensips] d21d70: next_branches(): Fix bugs leading to READ on freed...

Liviu Chircu noreply at github.com
Thu Nov 17 07:35:27 UTC 2022


  Branch: refs/heads/3.3
  Home:   https://github.com/OpenSIPS/opensips
  Commit: d21d7061bcfcb6cb588006e42b486edbcbbb5b8a
      https://github.com/OpenSIPS/opensips/commit/d21d7061bcfcb6cb588006e42b486edbcbbb5b8a
  Author: Liviu Chircu <liviu at opensips.org>
  Date:   2022-11-17 (Thu, 17 Nov 2022)

  Changed paths:
    M serialize.c

  Log Message:
  -----------
  next_branches(): Fix bugs leading to READ on freed shared memory

This patch fixes two code paths leading to the @avp pointer being freed,
after which the dangling pointer is read by the search_next_avp()
function at the "done" goto label.  This will work 99% of the time,
until the 1% where it won't (crash and burn!).

Many thanks to Richard Revels (@rrevels-bw) and Sebastien Couture for
an accurate report, as well as their involvement in troubleshooting!

Fixes #2446
Fixes #2950

(cherry picked from commit 578fc2907374477449313c36e4fc3287701de800)


  Commit: e9be2fcc7666b2d07f4d0ed3df1a14e68d623744
      https://github.com/OpenSIPS/opensips/commit/e9be2fcc7666b2d07f4d0ed3df1a14e68d623744
  Author: Liviu Chircu <liviu at opensips.org>
  Date:   2022-11-17 (Thu, 17 Nov 2022)

  Changed paths:
    M serialize.c

  Log Message:
  -----------
  next_branches(): Fix infinite looping during error handling

If someone has actually taken the time to corrupt the internal
"$avp(serial_branch)" AVP, do not perform the "infinite while loop dance"
and correctly progress to the next AVP.

(cherry picked from commit 244cc92919c1cd6b3bf6a52bd4325b0268c88c76)


Compare: https://github.com/OpenSIPS/opensips/compare/e3b4dbf2a298...e9be2fcc7666
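The two defects the commit messages above describe, as an added illustration that is not OpenSIPS's serialize.c code: a minimal C model of a singly linked AVP list with one walker that frees the current node and then dereferences it at a "done" label (and never advances past a corrupt value), beside a walker that reads the next pointer once while the node is still alive, unlinks before freeing, and advances on every path. The struct, the "q:uri" value format, the q threshold, the function names and the sample list are all assumptions made for this example; run_sample() builds the constructed list and drives the fixed walker, while next_branches_buggy() is there to read, not to run.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a serialised-branch AVP (not OpenSIPS's real type). */
struct avp {
    struct avp *next;
    char *val;                       /* toy value format "q:uri", e.g. "7:sip:a@x" */
};

static struct avp *avp_append(struct avp *head, const char *val)
{
    struct avp *a = malloc(sizeof *a), **p = &head;
    a->val = strcpy(malloc(strlen(val) + 1), val);
    a->next = NULL;
    while (*p)
        p = &(*p)->next;
    *p = a;
    return head;
}

static void avp_free(struct avp *a) { free(a->val); free(a); }

/* Returns -1 when the value is corrupt: no numeric q, no ':' or an empty uri. */
static int parse_branch(const char *val, int *q, const char **uri)
{
    char *end;
    long n = strtol(val, &end, 10);
    if (end == val || *end != ':' || end[1] == '\0')
        return -1;
    *q = (int)n; *uri = end + 1;
    return 0;
}

/* Append "uri" (first entry) or ",uri" to buf, truncating rather than overflowing. */
static void append_uri(char *buf, size_t buflen, size_t *off, int first, const char *uri)
{
    int w = *off < buflen ? snprintf(buf + *off, buflen - *off, "%s%s", first ? "" : ",", uri) : -1;
    if (w > 0)
        *off += (size_t)w < buflen - *off ? (size_t)w : buflen - *off;
}

/* The defect pattern. Never call it: it reads freed memory and can spin forever. */
int next_branches_buggy(struct avp **head, int min_q, char *buf, size_t buflen)
{
    struct avp *avp = *head, *prev = NULL;
    size_t off = 0;
    int n = 0, q; const char *uri;
    while (avp) {
        if (parse_branch(avp->val, &q, &uri) < 0)
            continue;                /* bug 2: avp is never advanced, so this spins */
        if (q >= min_q) {
            append_uri(buf, buflen, &off, n++ == 0, uri);
            if (prev) prev->next = avp->next; else *head = avp->next;
            avp_free(avp);           /* bug 1: avp is freed here ... */
            goto done;
        }
        prev = avp;
done:   avp = avp->next;             /* ... and its memory is read here */
    }
    return n;
}

/* Fixed pattern: read avp->next once while alive, unlink before free, advance on every path. */
int next_branches(struct avp **head, int min_q, char *buf, size_t buflen)
{
    struct avp **link = head;        /* the link that currently reaches avp */
    size_t off = 0;
    int n = 0, q; const char *uri;
    if (buflen)
        buf[0] = '\0';
    while (*link) {
        struct avp *avp = *link, *next = avp->next;
        if (parse_branch(avp->val, &q, &uri) < 0 || q < min_q) {
            link = &avp->next;       /* corrupt or below threshold: skip it, do not spin */
            continue;
        }
        append_uri(buf, buflen, &off, n++ == 0, uri);
        *link = next;                /* unlink, then free; avp is not touched again */
        avp_free(avp);
    }
    return n;
}

/* Constructed sample (four AVPs, one corrupt): returns the consumed count, fills buf, sets *remaining. */
int run_sample(char *buf, size_t buflen, int *remaining)
{
    static const char *const vals[] = { "7:sip:a@x", "garbage", "3:sip:b@x", "9:sip:c@x" };
    struct avp *head = NULL, *p;
    for (size_t i = 0; i < sizeof vals / sizeof vals[0]; i++)
        head = avp_append(head, vals[i]);
    int n = next_branches(&head, 5, buf, buflen);
    for (*remaining = 0, p = head; p; p = p->next)
        (*remaining)++;
    while (head) { p = head->next; avp_free(head); head = p; }
    return n;
}
```

The point of the fixed walker is structural rather than a single missing check: because the only read of avp->next happens before any free and the pointer-to-link style makes unlinking and advancing the same operation, there is no path on which a freed node can be revisited, and the corrupt-value branch cannot fail to make progress.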


