[OpenSIPS-Devel] [OpenSIPS/opensips] 014893: aaa_diameter: Fix race condition with async dm_sen...

Liviu Chircu noreply at github.com
Fri Apr 17 16:24:46 UTC 2026 

  Branch: refs/heads/master
  Home:   https://github.com/OpenSIPS/opensips
  Commit: 01489359c8b528d1cbb5eab1a5c452071a35060a
      https://github.com/OpenSIPS/opensips/commit/01489359c8b528d1cbb5eab1a5c452071a35060a
  Author: Liviu Chircu <liviu at opensips.org>
  Date:   2026-04-17 (Fri, 17 Apr 2026)

  Changed paths:
    M modules/aaa_diameter/aaa_diameter.c
    M modules/aaa_diameter/dm_impl.c
    M modules/aaa_diameter/dm_impl.h

  Log Message:
  -----------
  aaa_diameter: Fix race condition with async dm_send_request()

- Avoid reading the @dmsg after it has been put on the queue, as it
might get freed meanwhile.

* aaa_diameter: Fix race condition on pending async replies

It was possible for the dm_send_request_async_tout() async timeout
function to ran concurrently with a late Diameter server reply, leading
to a use-after-free bug on the @cond struct.

* Add refcounting to the "cond" object

The SHM-stored @cond object is effectively referenced by two separate
processes/threads, which run concurrently:
    - dm_send_request_async_tout(), the reactor async timeout callback
    - dm_receive_msg(), the libfdcore receiver thread(s)


  Commit: ce2c9642d8727f700133461c26e1a4826ddc303d
      https://github.com/OpenSIPS/opensips/commit/ce2c9642d8727f700133461c26e1a4826ddc303d
  Author: Liviu Chircu <liviu at opensips.org>
  Date:   2026-04-17 (Fri, 17 Apr 2026)

  Changed paths:
    M lib/cJSON.c
    M modules/aaa_diameter/dm_impl.c

  Log Message:
  -----------
  aaa_diameter: Fix possible PKG/SHM mixup across multiple threads

Despite quite safe at a first glance, the following sequence is actually
NOT safe to use in the modules/aaa_diameter multi-threaded codebase:

    cJSON_InitHooks(&shm_mem_hooks);
    ... perform lib/cJSON.c API operations ...
    cJSON_InitHooks(NULL);

Example: the "diameter-peer" multi-threaded process (35 threads!)
processes two dm_receive_msg() in parallel.  The 1st thread resets the
"shm_mem_hooks" back to PKG using the NULL argument, while the 2nd
thread still assumes they are set to SHM functions, and mixes up memory.


Compare: https://github.com/OpenSIPS/opensips/compare/6c7d6bf0eca0...ce2c9642d872

To unsubscribe from these emails, change your notification settings at https://github.com/OpenSIPS/opensips/settings/notifications

More information about the Devel mailing list