[OpenSIPS-Devel] [OpenSIPS/opensips] 6fc6ac: jsonrpc: fix NULL deref and object leak in jsonrpc...
Ravitez Dondeti
noreply at github.com
Tue Apr 7 15:05:33 UTC 2026
Branch: refs/heads/master
Home: https://github.com/OpenSIPS/opensips
Commit: 6fc6acac8e8a669655d92346a8ad61af16671274
https://github.com/OpenSIPS/opensips/commit/6fc6acac8e8a669655d92346a8ad61af16671274
Author: rdondeti <ravitez.dondeti at gmail.com>
Date: 2026-04-07 (Tue, 07 Apr 2026)
Changed paths:
M modules/jsonrpc/jsonrpc.c
Log Message:
-----------
jsonrpc: fix NULL deref and object leak in jsonrpc_handle_cmd()
cJSON_Print() can return NULL on allocation failure. The existing code
passes the return value directly to strlen() without a NULL check,
causing a crash on two separate code paths (error and result handling).
Add NULL checks after both cJSON_Print() calls.
Additionally, the cJSON tree allocated by cJSON_Parse() at the start of
the function is never freed. Add cJSON_Delete(obj) to the cleanup path.
Found during a systematic audit of cJSON return value handling across
modules, following the janus leak fixes in commit f9fb3ea3e.
Commit: cf5fb629cc08fc4c20b105df0a6131f5574e7f66
https://github.com/OpenSIPS/opensips/commit/cf5fb629cc08fc4c20b105df0a6131f5574e7f66
Author: rdondeti <ravitez.dondeti at gmail.com>
Date: 2026-04-07 (Tue, 07 Apr 2026)
Changed paths:
M modules/rtpengine/rtpengine.c
Log Message:
-----------
rtpengine: fix NULL deref from unchecked cJSON_PrintUnformatted()
In rtpengine_raise_event(), cJSON_PrintUnformatted() can return NULL on
allocation failure. The return value is passed directly to strlen() and
then to cJSON_PurgeString(), both of which will crash on a NULL pointer.
Add a NULL check before using the return value, and skip the parameter
on failure.
Found during a systematic audit of cJSON return value handling across
modules, following the janus leak fixes in commit f9fb3ea3e.
Commit: c304b6ef00566dac8e51858d7ba1ec97bbf53601
https://github.com/OpenSIPS/opensips/commit/c304b6ef00566dac8e51858d7ba1ec97bbf53601
Author: rdondeti <ravitez.dondeti at gmail.com>
Date: 2026-04-07 (Tue, 07 Apr 2026)
Changed paths:
M modules/aaa_diameter/dm_impl.c
Log Message:
-----------
aaa_diameter: fix NULL deref in dm_receive_req() via init_str()
cJSON_PrintUnformatted() can return NULL on allocation failure (using shm
hooks). The return value is passed directly to init_str(), which calls
strlen() on it, causing a crash.
Replace the init_str() call with an explicit NULL check and manual
assignment, following the existing error-handling pattern in the function
(goto error, which properly cleans up via cJSON_Delete and
cJSON_PurgeString).
Found during a systematic audit of cJSON return value handling across
modules, following the janus leak fixes in commit f9fb3ea3e.
Commit: 2453e8f78a2c69a5f207681805d0e5866eb0b5ae
https://github.com/OpenSIPS/opensips/commit/2453e8f78a2c69a5f207681805d0e5866eb0b5ae
Author: rdondeti <ravitez.dondeti at gmail.com>
Date: 2026-04-07 (Tue, 07 Apr 2026)
Changed paths:
M modules/janus/janus_common.c
Log Message:
-----------
janus: fix pkg memory leaks in populate_janus_handler_id()
The janus module uses cJSON_InitHooks() to route cJSON allocations
through pkg_malloc. In populate_janus_handler_id(), four calls to
cJSON_Print(request) are embedded directly in LM_ERR() format arguments.
The pkg-allocated return values are never stored or freed, leaking
~100-500 bytes per error path hit.
Store the cJSON_Print() result, use it in the log message, and free it
afterward. Also handle the case where cJSON_Print() returns NULL.
This follows up on the janus leak fixes in commit f9fb3ea3e, which
addressed similar leaks in janus_raise_event(),
handle_janus_json_request(), and janus_ipc_send_request() but missed
populate_janus_handler_id().
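As an added example, not code from the OpenSIPS repository or from these commits, the allocation-failure and leak pattern the four messages describe: a stand-in for cJSON_Print() whose hook allocator can be forced to fail, the reconstructed leaky call with the print embedded in the log arguments, and the fixed store/check/use/free version. The names hook_malloc, hook_free, fake_json_print and reject_request_* are constructed for this illustration.

```c
/* Added example, not OpenSIPS code: the "store, NULL-check, use, free"
 * pattern from the commits above, with a stand-in for cJSON_Print() whose
 * hook allocator can be forced to fail (like pkg_malloc running out). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Stand-ins for the allocator pair installed with cJSON_InitHooks(). */
static int fail_next_alloc = 0; /* knob: next allocation returns NULL */
static int live_allocs = 0;     /* outstanding blocks; non-zero = leak */

static void *hook_malloc(size_t n) {
    if (fail_next_alloc) { fail_next_alloc = 0; return NULL; }
    void *p = malloc(n);
    if (p) live_allocs++;
    return p;
}

static void hook_free(void *p) {
    if (p) { live_allocs--; free(p); }
}

/* Stand-in for cJSON_Print(): hook-allocated copy of the text, or NULL on
 * allocation failure, which is the contract the fixes rely on. */
static char *fake_json_print(const char *json) {
    size_t len = strlen(json);
    char *out = hook_malloc(len + 1);
    if (!out) return NULL;
    memcpy(out, json, len + 1);
    return out;
}
/* Before (reconstructed pattern): the printed string exists only inside the
 * log call, so it is never freed, and a NULL return would reach "%s". */
static int reject_request_leaky(const char *json) {
    fprintf(stderr, "ERROR: bad request: %s\n", fake_json_print(json));
    return -1;
}

/* After: store, NULL-check, use, free with the matching hook. Both paths
 * still report failure (-1) to the caller. */
static int reject_request_fixed(const char *json) {
    char *s = fake_json_print(json);
    if (!s) {
        fprintf(stderr, "ERROR: bad request (could not print JSON)\n");
        return -1;
    }
    fprintf(stderr, "ERROR: bad request: %s\n", s);
    hook_free(s);
    return -1;
}
```

The live_allocs counter is the check a reviewer would want: after the fixed path it returns to zero on both success and forced allocation failure, while the leaky path leaves one block outstanding per call.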
Compare: https://github.com/OpenSIPS/opensips/compare/8f959e73c79b...2453e8f78a2c