[OpenSIPS-Devel] [OpenSIPS/opensips] dfd2ee: next_branches(): Fix bugs leading to READ on freed...
Liviu Chircu
noreply at github.com
Thu Nov 17 07:35:27 UTC 2022
Branch: refs/heads/2.4
Home: https://github.com/OpenSIPS/opensips
Commit: dfd2ee7e6f0694901d50131a1fc957f461a3ec59
https://github.com/OpenSIPS/opensips/commit/dfd2ee7e6f0694901d50131a1fc957f461a3ec59
Author: Liviu Chircu <liviu at opensips.org>
Date: 2022-11-17 (Thu, 17 Nov 2022)
Changed paths:
M serialize.c
Log Message:
-----------
next_branches(): Fix bugs leading to READ on freed shared memory

This patch fixes two code paths leading to the @avp pointer being freed,
after which the dangling pointer is read afterwards by the
search_next_avp() function at the "done" goto label. This will work
99% of the time, until the 1% where it won't (crash and burn!).

Many thanks to Richard Revels (@rrevels-bw) and Sebastien Couture for
an accurate report, as well as their involvement in troubleshooting!

Fixes #2446
Fixes #2950

(cherry picked from commit 578fc2907374477449313c36e4fc3287701de800)

Commit: b9d326cce5117a4ed253d6f4e526eff0b4dbbca3
https://github.com/OpenSIPS/opensips/commit/b9d326cce5117a4ed253d6f4e526eff0b4dbbca3
Author: Liviu Chircu <liviu at opensips.org>
Date: 2022-11-17 (Thu, 17 Nov 2022)
Changed paths:
M serialize.c
Log Message:
-----------
next_branches(): Fix infinite looping during error handling

If someone has actually taken the time to corrupt the internal
"$avp(serial_branch)" AVP, do not perform the "infinite while loop dance"
and correctly progress to the next AVP.

(cherry picked from commit 244cc92919c1cd6b3bf6a52bd4325b0268c88c76)

Compare: https://github.com/OpenSIPS/opensips/compare/db58e416df38...b9d326cce511
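
The two failure modes described in the commit messages above (reading a list entry after it has been freed, and an error path that never advances to the next entry), as an added C example that is not the OpenSIPS code or part of the original commits. `struct node`, `next_match()`, `unlink_free()` and `consume()` are hypothetical stand-ins, and treating a negative value as a corrupted entry is an assumption.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for an AVP list entry; not the OpenSIPS struct. */
struct node { int id; int val; struct node *next; };

static void push(struct node **head, int id, int val) {
    struct node *n = malloc(sizeof *n);
    if (!n) abort();
    n->id = id; n->val = val; n->next = *head; *head = n;
}

/* Assumed analogue of search_next_avp(): dereferences cur to walk on. */
static struct node *next_match(struct node *cur, int id) {
    for (cur = cur->next; cur && cur->id != id; cur = cur->next) {}
    return cur;
}

static void unlink_free(struct node **head, struct node *n) {
    struct node **pp = head;
    while (*pp && *pp != n) pp = &(*pp)->next;
    if (*pp) { *pp = n->next; free(n); }
}

/* Bug patterns the commit messages describe, shown only as comments:
 *   unlink_free(head, cur); cur = next_match(cur, id);  -> read of freed node
 *   if (cur->val < 0) continue;                         -> cur never advances
 * Fixed loop: look ahead while cur is valid, advance on every path.
 * Returns the sum of the valid values found under `id`. */
int consume(struct node **head, int id) {
    int sum = 0;
    struct node *cur = *head, *nxt;
    if (cur && cur->id != id) cur = next_match(cur, id);
    while (cur) {
        nxt = next_match(cur, id);           /* before cur is freed */
        if (cur->val >= 0) sum += cur->val;  /* corrupted entry: skip it */
        unlink_free(head, cur);              /* cur is dangling from here on */
        cur = nxt;                           /* always progress */
    }
    return sum;
}

int main(void) {
    struct node *h = NULL;                   /* constructed sample data */
    push(&h, 1, 7); push(&h, 1, -1); push(&h, 2, 9); push(&h, 1, 5);
    int sum = consume(&h, 1);
    printf("sum=%d left_id=%d\n", sum, h ? h->id : -1);
    free(h);
    return 0;
}
```

Building this with `-fsanitize=address` and swapping in the commented-out ordering is a quick way to see the freed-memory read reported deterministically instead of "working 99% of the time".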