[OpenSIPS-Devel] [OpenSIPS/opensips] f8cc1d: aaa_diameter: always release reply cJSON regardles...
Ravitez Dondeti
noreply at github.com
Thu Jun 18 15:53:30 UTC 2026
Branch: refs/heads/4.0
Home: https://github.com/OpenSIPS/opensips
Commit: f8cc1da01480743d6cf8bce120489b7a4788016d
https://github.com/OpenSIPS/opensips/commit/f8cc1da01480743d6cf8bce120489b7a4788016d
Author: dondetir <ravitez.dondeti at gmail.com>
Date: 2026-06-18 (Thu, 18 Jun 2026)
Changed paths:
M modules/aaa_diameter/aaa_diameter.c
Log Message:
-----------
aaa_diameter: always release reply cJSON regardless of output PV
_dm_release_message_response() is the only function that frees the
SHM-backed cJSON reply tree (cond->rpl.json). In dm_send_request(),
the release call was gated inside "if (rpl_avps_pv)", so every call
without an output PV leaked the entire SHM cJSON tree.
The same issue existed in dm_send_request_async_reply(): the release
was guarded by "if (rpl_avps)", which was NULL both when no output PV
was configured and on the read() failure path — even though the reply
callback had already populated cond->rpl.json.
_dm_release_message_response() safely handles a NULL rpl_avps argument
(cJSON_PurgeString is a no-op on NULL), so removing both guards is safe.
Found during a systematic audit of dm_send_request() paths following
commit 1e8001fa0.
(cherry picked from commit f40e0dab7ef48010526ef0f7dd2c77d0215b1ceb)
Commit: d6543cc31f4bbc5d4f93d264b4ddb541633046b6
https://github.com/OpenSIPS/opensips/commit/d6543cc31f4bbc5d4f93d264b4ddb541633046b6
Author: dondetir <ravitez.dondeti at gmail.com>
Date: 2026-06-18 (Thu, 18 Jun 2026)
Changed paths:
M modules/aaa_diameter/dm_impl.c
Log Message:
-----------
aaa_diameter: fix double-free of cJSON item in dm_avps2json()
After cJSON_AddItemToArray(avps, item) transfers ownership of item to
avps, item is not cleared. Any subsequent FD_CHECK_GT failure in the
same or next loop iteration jumps to the out: label, which calls
cJSON_Delete(item) — freeing memory already owned by avps.
This double-free corrupts the SHM heap, affecting all worker processes.
The affected paths include:
- FD_CHECK_GT(fd_msg_browse()) at the skip: label (next-iteration advance)
- FD_CHECK_GT(fd_msg_avp_hdr()) and FD_CHECK_GT(fd_dict_getval()) at the start of the next iteration
Fix: clear item immediately after the ownership transfer so that any
later cJSON_Delete(item) at out: is a safe no-op.
Found during a systematic audit following commit 1e8001fa0.
(cherry picked from commit 7fef0814dac887ad1041af97ccf4ac1ff457550a)
Compare: https://github.com/OpenSIPS/opensips/compare/ceaf78aab04e...d6543cc31f4b
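Neither notification above carries a diff, so the following is an added illustration of the two ownership mistakes the commit messages describe. It is not OpenSIPS code and does not use the real cJSON or freeDiameter APIs: a small tracking allocator stands in for the SHM heap so that a repeated delete or an unreleased tree is counted instead of corrupting memory, which is what the audit behind both commits had to reason about by hand. The names node, avps2json, send_request, release_message_response and audit_* are hypothetical stand-ins for the functions named in the commits; the failure index and the "output PV" flag are constructed inputs. The program runs stand-alone.

```c
#include <stdio.h>
#include <stdlib.h>

#define MAX_CHILD 8
#define MAX_NODES 64

/* Stand-in for a cJSON item: a leaf, or an array that owns its children. */
typedef struct node {
    int freed;                    /* set by node_delete(); a second delete is a double free */
    int nchild;
    struct node *child[MAX_CHILD];
} node;

/* Tracking allocator (hypothetical): on a real SHM heap these conditions only
 * surface as corruption in some worker process; here they are counted. */
static node *all_nodes[MAX_NODES];
static int nalloc, live_nodes, double_frees;

static void tracker_reset(void) {
    for (int i = 0; i < nalloc; i++) free(all_nodes[i]);
    nalloc = live_nodes = double_frees = 0;
}

static node *node_new(void) {
    node *n = calloc(1, sizeof *n);
    all_nodes[nalloc++] = n;
    live_nodes++;
    return n;
}

/* Like cJSON_Delete(): recursive and a no-op on NULL. Memory is kept until
 * tracker_reset() so a repeated delete is detected rather than being UB. */
static void node_delete(node *n) {
    if (!n) return;
    if (n->freed) { double_frees++; return; }
    for (int i = 0; i < n->nchild; i++) node_delete(n->child[i]);
    n->freed = 1;
    live_nodes--;
}

/* Like cJSON_AddItemToArray(): from here on, arr owns item. */
static void node_add_to_array(node *arr, node *item) { arr->child[arr->nchild++] = item; }

/* Stand-in for the per-AVP FD_CHECK_GT() calls: fails on AVP index fail_at. */
static int decode_avp(int idx, int fail_at) { return idx == fail_at ? -1 : 0; }

/* Shape of dm_avps2json() as the second commit describes it. With
 * clear_after_transfer == 0 a dangling 'item' is deleted twice at out:
 * (directly, then again as a child of avps); with 1 it is NULLed right after
 * the ownership transfer, so the delete at out: is a no-op. */
static int avps2json(int navps, int fail_at, int clear_after_transfer, node **out) {
    node *avps = node_new();
    node *item = NULL;

    for (int i = 0; i < navps; i++) {
        if (decode_avp(i, fail_at) != 0)
            goto out;                       /* FD_CHECK_GT failure path */
        item = node_new();
        node_add_to_array(avps, item);      /* ownership moves to avps */
        if (clear_after_transfer)
            item = NULL;                    /* the fix */
    }
    *out = avps;                            /* caller now owns the finished array */
    return 0;
out:
    node_delete(item);
    node_delete(avps);
    return -1;
}

typedef struct { int double_frees; int leaked; } audit;

/* Runs one conversion to completion and reports what the tracker saw. */
static audit audit_avps2json(int navps, int fail_at, int clear_after_transfer) {
    node *out = NULL;
    audit a;
    tracker_reset();
    if (avps2json(navps, fail_at, clear_after_transfer, &out) == 0)
        node_delete(out);                   /* consumer releases the tree it received */
    a.double_frees = double_frees;
    a.leaked = live_nodes;
    return a;
}

/* Hypothetical counterpart of _dm_release_message_response(): NULL-safe in its
 * second argument, as the first commit message states for the real one. */
static void release_message_response(node *rpl_json, node *rpl_avps) {
    (void)rpl_avps;                         /* purging NULL is a no-op */
    node_delete(rpl_json);
}

/* Shape of dm_send_request() per the first commit: the reply callback always
 * builds rpl_json, but the script only gets a handle (rpl_avps) when it asked
 * for an output PV. Gating the release on that handle leaks the tree. */
static int send_request(int have_output_pv, int gated_release) {
    node *rpl_json = node_new();            /* populated by the reply callback */
    node *rpl_avps = have_output_pv ? rpl_json : NULL;
    if (!gated_release || rpl_avps)
        release_message_response(rpl_json, rpl_avps);
    return 0;
}

/* Nodes still live after one call: 0 means nothing leaked. */
static int audit_send_request(int have_output_pv, int gated_release) {
    tracker_reset();
    send_request(have_output_pv, gated_release);
    return live_nodes;
}

int main(void) {
    audit bug = audit_avps2json(3, 2, 0), fix = audit_avps2json(3, 2, 1);
    printf("avps2json  buggy: double_frees=%d  fixed: double_frees=%d leaked=%d\n",
           bug.double_frees, fix.double_frees, fix.leaked);
    printf("send_request, no output PV  gated: leaked=%d  unconditional: leaked=%d\n",
           audit_send_request(0, 1), audit_send_request(0, 0));
    return 0;
}
```

The point of the two audit functions is that the buggy shape is only wrong on the paths the commits name: a failure after at least one item has been added (double free), and a call without an output PV (leak). A failure on the very first AVP, or a successful conversion, behaves identically before and after the fix, which is why a bug like this survives normal testing and is found by walking every exit path of the function instead.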