[OpenSIPS-Devel] [OpenSIPS/opensips] b74738: cachedb_memcached: fix NULL deref when memcached_c...

Ravitez Dondeti noreply at github.com
Tue Apr 7 15:46:35 UTC 2026


  Branch: refs/heads/3.6
  Home:   https://github.com/OpenSIPS/opensips
  Commit: b747385d40a3b89a3fe480ef21fc0e9d62d4c408
      https://github.com/OpenSIPS/opensips/commit/b747385d40a3b89a3fe480ef21fc0e9d62d4c408
  Author: rdondeti <ravitez.dondeti at gmail.com>
  Date:   2026-04-07 (Tue, 07 Apr 2026)

  Changed paths:
    M modules/cachedb_memcached/cachedb_memcached.c

  Log Message:
  -----------
  cachedb_memcached: fix NULL deref when memcached_create() returns NULL

memcached_create(NULL) can return NULL on allocation failure.  The existing
code never checks the return value, so a NULL memc pointer falls through to
memcached_server_push(NULL, ...) which dereferences the NULL pointer.

Add an explicit NULL check after memcached_create(), following the existing
error-handling pattern in the function (pkg_free + return 0).

Found during a systematic audit of cachedb backends following the
cachedb_redis NULL-deref fix in commit 8fb569cb3.

(cherry picked from commit 9fea57eeaf5c687f49a952692b2b7530ec66a7ee)


  Commit: e7c8bf089a55478f2d5442fb5ce1bd6a5280038d
      https://github.com/OpenSIPS/opensips/commit/e7c8bf089a55478f2d5442fb5ce1bd6a5280038d
  Author: rdondeti <ravitez.dondeti at gmail.com>
  Date:   2026-04-07 (Tue, 07 Apr 2026)

  Changed paths:
    M modules/cachedb_cassandra/cachedb_cassandra_dbase.c

  Log Message:
  -----------
  cachedb_cassandra: fix NULL deref when cass_cluster_new() returns NULL

cass_cluster_new() can return NULL on allocation failure.  The existing code
has a NULL check, but it comes after cass_cluster_set_credentials() already
uses the pointer (when credentials are configured), so a NULL return causes
a crash before the check is reached.

Move the NULL check to immediately after cass_cluster_new(), before any use
of the returned pointer.

Found during a systematic audit of cachedb backends following the
cachedb_redis NULL-deref fix in commit 8fb569cb3.

(cherry picked from commit 8f959e73c79bf42d06ce2ee7406a80ab9edb8ca1)


  Commit: dbc832f7fc43defff5ed28ed89fe32d2f8e8fcd1
      https://github.com/OpenSIPS/opensips/commit/dbc832f7fc43defff5ed28ed89fe32d2f8e8fcd1
  Author: rdondeti <ravitez.dondeti at gmail.com>
  Date:   2026-04-07 (Tue, 07 Apr 2026)

  Changed paths:
    M modules/jsonrpc/jsonrpc.c

  Log Message:
  -----------
  jsonrpc: fix NULL deref and object leak in jsonrpc_handle_cmd()

cJSON_Print() can return NULL on allocation failure.  The existing code
passes the return value directly to strlen() without a NULL check,
causing a crash on two separate code paths (error and result handling).

Add NULL checks after both cJSON_Print() calls.

Additionally, the cJSON tree allocated by cJSON_Parse() at the start of
the function is never freed.  Add cJSON_Delete(obj) to the cleanup path.

Found during a systematic audit of cJSON return value handling across
modules, following the janus leak fixes in commit f9fb3ea3e.

(cherry picked from commit 6fc6acac8e8a669655d92346a8ad61af16671274)


  Commit: c48de598e04018f2463015f3ec5ed60755f367a9
      https://github.com/OpenSIPS/opensips/commit/c48de598e04018f2463015f3ec5ed60755f367a9
  Author: rdondeti <ravitez.dondeti at gmail.com>
  Date:   2026-04-07 (Tue, 07 Apr 2026)

  Changed paths:
    M modules/rtpengine/rtpengine.c

  Log Message:
  -----------
  rtpengine: fix NULL deref from unchecked cJSON_PrintUnformatted()

In rtpengine_raise_event(), cJSON_PrintUnformatted() can return NULL on
allocation failure.  The return value is passed directly to strlen() and
then to cJSON_PurgeString(), both of which will crash on a NULL pointer.

Add a NULL check before using the return value, and skip the parameter
on failure.

Found during a systematic audit of cJSON return value handling across
modules, following the janus leak fixes in commit f9fb3ea3e.

(cherry picked from commit cf5fb629cc08fc4c20b105df0a6131f5574e7f66)


  Commit: 8e1512e30d76cc5efb67f71189a5877d6e268bfb
      https://github.com/OpenSIPS/opensips/commit/8e1512e30d76cc5efb67f71189a5877d6e268bfb
  Author: rdondeti <ravitez.dondeti at gmail.com>
  Date:   2026-04-07 (Tue, 07 Apr 2026)

  Changed paths:
    M modules/aaa_diameter/dm_impl.c

  Log Message:
  -----------
  aaa_diameter: fix NULL deref in dm_receive_req() via init_str()

cJSON_PrintUnformatted() can return NULL on allocation failure (using shm
hooks).  The return value is passed directly to init_str(), which calls
strlen() on it, causing a crash.

Replace the init_str() call with an explicit NULL check and manual
assignment, following the existing error-handling pattern in the function
(goto error, which properly cleans up via cJSON_Delete and
cJSON_PurgeString).

Found during a systematic audit of cJSON return value handling across
modules, following the janus leak fixes in commit f9fb3ea3e.

(cherry picked from commit c304b6ef00566dac8e51858d7ba1ec97bbf53601)


  Commit: 5fd25d424b9050f4e4f52dd2bcec5d57d6597650
      https://github.com/OpenSIPS/opensips/commit/5fd25d424b9050f4e4f52dd2bcec5d57d6597650
  Author: rdondeti <ravitez.dondeti at gmail.com>
  Date:   2026-04-07 (Tue, 07 Apr 2026)

  Changed paths:
    M modules/janus/janus_common.c

  Log Message:
  -----------
  janus: fix pkg memory leaks in populate_janus_handler_id()

The janus module uses cJSON_InitHooks() to route cJSON allocations
through pkg_malloc.  In populate_janus_handler_id(), four calls to
cJSON_Print(request) are embedded directly in LM_ERR() format arguments.
The pkg-allocated return values are never stored or freed, leaking
~100-500 bytes per error path hit.

Store the cJSON_Print() result, use it in the log message, and free it
afterward.  Also handle the case where cJSON_Print() returns NULL.

This follows up on the janus leak fixes in commit f9fb3ea3e, which
addressed similar leaks in janus_raise_event(),
handle_janus_json_request(), and janus_ipc_send_request() but missed
populate_janus_handler_id().

(cherry picked from commit 2453e8f78a2c69a5f207681805d0e5866eb0b5ae)


Compare: https://github.com/OpenSIPS/opensips/compare/eb0b0e4195d2...5fd25d424b90
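The janus and jsonrpc commits above describe one recurring defect: a serialiser such as cJSON_Print() returns memory from a hooked allocator (pkg_malloc via cJSON_InitHooks()), and callers either pass the result straight into strlen() or a log format without a NULL check, or never free it. The following added example, which is not OpenSIPS code and does not depend on cJSON, models that situation with constructed allocator hooks that count live blocks and can be made to fail once, a hypothetical print_request() standing in for cJSON_Print(), and the leaky versus corrected call pattern side by side so the leak and the allocation-failure path can both be observed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed allocator hooks standing in for pkg_malloc/pkg_free routed
 * through cJSON_InitHooks(): they count live blocks and can be told to fail
 * once, so the allocation-failure path is reachable deterministically. */
static int live_blocks = 0;
static int fail_next_alloc = 0;

static void *hook_malloc(size_t n)
{
    if (fail_next_alloc) {
        fail_next_alloc = 0;
        return NULL;            /* simulated out-of-memory */
    }
    void *p = malloc(n);
    if (p)
        live_blocks++;
    return p;
}

static void hook_free(void *p)
{
    if (p) {
        live_blocks--;
        free(p);
    }
}

/* Hypothetical stand-in for cJSON_Print(request): returns a newly allocated
 * serialisation of one key/value pair, or NULL when the allocator fails. */
static char *print_request(const char *key, const char *value)
{
    size_t n = strlen(key) + strlen(value) + sizeof("{\"\":\"\"}");
    char *out = hook_malloc(n);
    if (!out)
        return NULL;
    snprintf(out, n, "{\"%s\":\"%s\"}", key, value);
    return out;
}

/* The pattern the janus fix replaces: the serialised string is built inline
 * in the log call, so it is never freed, and a NULL return would reach the
 * format engine (or strlen()) unchecked. */
static int handle_leaky(const char *key, const char *value)
{
    fprintf(stderr, "ERR: bad request %s\n", print_request(key, value));
    return -1;
}

/* The corrected pattern: store the result, check it, use it, free it. */
static int handle_fixed(const char *key, const char *value)
{
    char *dump = print_request(key, value);
    if (!dump) {
        fprintf(stderr, "ERR: bad request (could not serialise)\n");
        return -1;
    }
    fprintf(stderr, "ERR: bad request %s\n", dump);
    hook_free(dump);
    return -1;
}

/* Returns how many blocks one call to the leaky handler leaves live. */
int leaked_blocks_leaky(void)
{
    int before = live_blocks;
    handle_leaky("id", "1");
    return live_blocks - before;      /* 1: the dump is never freed */
}

/* Returns how many blocks one call to the fixed handler leaves live. */
int leaked_blocks_fixed(void)
{
    int before = live_blocks;
    handle_fixed("id", "1");
    return live_blocks - before;      /* 0 */
}

/* Drives the fixed handler through a failing allocation; returns 0 when it
 * reported the error without dereferencing NULL and without leaking. */
int fixed_survives_alloc_failure(void)
{
    int before = live_blocks;
    fail_next_alloc = 1;
    int rc = handle_fixed("id", "1");
    return (rc == -1 && live_blocks == before) ? 0 : 1;
}

int main(void)
{
    printf("leaky handler leaks %d block(s)\n", leaked_blocks_leaky());
    printf("fixed handler leaks %d block(s)\n", leaked_blocks_fixed());
    printf("fixed handler under allocation failure: %s\n",
           fixed_survives_alloc_failure() == 0 ? "ok" : "FAIL");
    return 0;
}
```

The counting hooks are the useful part for review: wrapping the real allocator the same way in a unit test makes "every error path frees what it printed" a checkable property rather than something spotted by reading LM_ERR() arguments.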
