[OpenSIPS-Devel] [OpenSIPS/opensips] 32c1cb: rtpengine: fix use-after-free of flags string in b...
Norm Brandinger
noreply at github.com
Fri Apr 17 13:49:01 UTC 2026
Branch: refs/heads/3.6
Home: https://github.com/OpenSIPS/opensips
Commit: 32c1cba6a14e9378c6e1b94c6b6dcaa25500dd7a
https://github.com/OpenSIPS/opensips/commit/32c1cba6a14e9378c6e1b94c6b6dcaa25500dd7a
Author: Norm Brandinger <n.brandinger at gmail.com>
Date: 2026-04-17 (Fri, 17 Apr 2026)
Changed paths:
M modules/rtpengine/rtpengine.c
Log Message:
-----------
rtpengine: fix use-after-free of flags string in bencode dictionary (#3816)

parse_flags() stores pointers into the pkg-allocated flags_nt.s buffer
via bencode_str() and bencode_dictionary_add_len(), which hold references
(not copies). The buffer was freed via pkg_free() before
send_rtpe_command() serialized the dictionary, causing garbled output
for key=value flags like media-address.

Fix by deferring the free via bencode_buffer_destroy_add(), which
ensures the buffer lives until bencode_buffer_free() is called after
the command is sent.

Fixes: https://github.com/OpenSIPS/opensips/issues/3784

(cherry picked from commit c78b9e908b2896efbef3f7b0f9a111c4399ac34a)
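The lifetime problem the log message describes, modelled as an added example that is not code from the OpenSIPS rtpengine module or from the commit: a dictionary that keeps references to a caller's buffer, serialized once with the buffer released early and once with the release deferred to the dictionary's own teardown. Every name here (pool_dup, dict_add_ref, dict_defer_free and the rest) is hypothetical, the flag value is constructed sample data, and the toy pool overwrites freed bytes with '#' so the stale read is visible and well-defined.

```c
#include <stdio.h>
#include <string.h>

/* Toy pool standing in for a private allocator (assumption, demo-sized):
 * "free" poisons the bytes instead of returning them to the system. */
static char pool[256]; static size_t pool_top;
static char *pool_dup(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = pool + pool_top;
    memcpy(p, s, n); pool_top += n;
    return p;
}
static void pool_free(char *p) { memset(p, '#', strlen(p)); }

/* Hypothetical dictionary that stores references, not copies. */
struct ref { const char *s; size_t len; };
struct dict { struct ref item[8]; int n; char *deferred[8]; int nd; };
static void dict_add_ref(struct dict *d, const char *s, size_t len) {
    d->item[d->n].s = s; d->item[d->n].len = len; d->n++;
}
static void dict_defer_free(struct dict *d, char *p) { d->deferred[d->nd++] = p; }
static void dict_free(struct dict *d) {      /* deferred releases run here */
    for (int i = 0; i < d->nd; i++) pool_free(d->deferred[i]);
    d->n = d->nd = 0;
}
/* Serialize each item as a bencode string: <len>:<bytes> */
static void dict_serialize(const struct dict *d, char *out, size_t cap) {
    size_t off = 0;
    for (int i = 0; i < d->n && off < cap; i++)
        off += (size_t)snprintf(out + off, cap - off, "%zu:%.*s",
                   d->item[i].len, (int)d->item[i].len, d->item[i].s);
}

/* early_free=1 models the bug: the buffer is released before serialization. */
const char *build_and_send(int early_free) {
    static char wire[128];
    struct dict d = {0};
    pool_top = 0;                             /* reuse the demo pool on every call */
    char *flags = pool_dup("media-address=192.0.2.10"); /* constructed sample */
    char *eq = strchr(flags, '=');
    dict_add_ref(&d, flags, (size_t)(eq - flags));      /* key points into flags */
    dict_add_ref(&d, eq + 1, strlen(eq + 1));           /* value points into flags */
    if (early_free) pool_free(flags);         /* references now dangle */
    else dict_defer_free(&d, flags);          /* buffer outlives serialization */
    dict_serialize(&d, wire, sizeof wire);
    dict_free(&d);
    return wire;
}
int main(void) { puts(build_and_send(0)); puts(build_and_send(1)); return 0; }
```

With a real allocator the early-free path is undefined behaviour and the bytes read back depend on what reused the block, which is why the symptom can show up only intermittently.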