[OpenSIPS-Devel] [OpenSIPS/opensips] 7e5a8f: dialog: fix use-after-free and race in cluster rep...
Bogdan Andrei IANCU
noreply at github.com
Tue May 26 09:21:44 UTC 2026
Branch: refs/heads/master
Home: https://github.com/OpenSIPS/opensips
Commit: 7e5a8fd16e7171ab02084a0f090977e8440c40f5
https://github.com/OpenSIPS/opensips/commit/7e5a8fd16e7171ab02084a0f090977e8440c40f5
Author: Norm Brandinger <NormB at users.noreply.github.com>
Date: 2026-05-21 (Thu, 21 May 2026)
Changed paths:
M modules/dialog/dlg_db_handler.c
M modules/dialog/dlg_replication.c
Log Message:
-----------
dialog: fix use-after-free and race in cluster replication

Fix three bugs triggered when SIP-I messages with binary ISUP data
are replicated across a dialog cluster with reinvite pinging enabled.

1. dlg_replicated_create: after _link_dlg_unsafe() links the dialog
   into the hash table, subsequent DLG_BIN_POP failures jumped to
   pre_linking_error which calls destroy_dlg() without unlinking.
   This leaves a dangling pointer in the hash chain — other workers
   dereference freed memory (GPF). Add post_linking_error label that
   calls unlink_unsafe_dlg() before destroy.

2. write_dialog_vars: the read lock on vals_lock was released between
   the sizing pass and the write pass. A concurrent store_dlg_value()
   (e.g. from persist_reinvite_pinging storing multipart SDP+ISUP
   bodies) can modify the vals list in between, causing a buffer
   overflow and corrupted serialization. Hold the read lock through
   both passes.

3. strip_esc: when len==1 and *c is backslash, *(c+1) reads one byte
   past the string. Add len>1 guard.

Closes #3858
Commit: 8dfadbbb8e8f3b5f81ea5a257fc66d7a0ab48da3
https://github.com/OpenSIPS/opensips/commit/8dfadbbb8e8f3b5f81ea5a257fc66d7a0ab48da3
Author: OpenSIPS <github at opensips.org>
Date: 2026-05-26 (Tue, 26 May 2026)
Changed paths:
M modules/aaa_diameter/README
M modules/aaa_diameter/doc/contributors.xml
M modules/b2b_entities/README
M modules/b2b_entities/doc/contributors.xml
M modules/b2b_logic/README
M modules/b2b_logic/doc/contributors.xml
M modules/clusterer/README
M modules/clusterer/doc/contributors.xml
M modules/compression/README
M modules/compression/doc/contributors.xml
M modules/httpd/README
M modules/httpd/doc/contributors.xml
M modules/mid_registrar/README
M modules/mid_registrar/doc/contributors.xml
M modules/pi_http/README
M modules/pi_http/doc/contributors.xml
M modules/proto_hep/README
M modules/proto_hep/doc/contributors.xml
M modules/proto_smpp/README
M modules/proto_smpp/doc/contributors.xml
M modules/registrar/README
M modules/registrar/doc/contributors.xml
M modules/rr/README
M modules/rr/doc/contributors.xml
M modules/rtpengine/README
M modules/rtpengine/doc/contributors.xml
M modules/topology_hiding/README
M modules/topology_hiding/doc/contributors.xml
M modules/usrloc/README
M modules/usrloc/doc/contributors.xml
Log Message:
-----------
Rebuild documentation
Commit: ea4b7f7babe17d9dfb76ed5e2fc592398813ab29
https://github.com/OpenSIPS/opensips/commit/ea4b7f7babe17d9dfb76ed5e2fc592398813ab29
Author: Bogdan-Andrei Iancu <bogdan at opensips.org>
Date: 2026-05-26 (Tue, 26 May 2026)
Changed paths:
M modules/dialog/dlg_db_handler.c
Log Message:
-----------
[dialog] optimize the test (as order of tests)
Commit: 7a24559d6bf2dcff0ebdfc3565e27b20e0ad40a2
https://github.com/OpenSIPS/opensips/commit/7a24559d6bf2dcff0ebdfc3565e27b20e0ad40a2
Author: Bogdan-Andrei Iancu <bogdan at opensips.org>
Date: 2026-05-26 (Tue, 26 May 2026)
Changed paths:
M modules/dialog/dlg_db_handler.c
Log Message:
-----------
[dialog] simplify the unlock sequence
Commit: ffff08b4c5e62f427586c07bc3de648fe42458e7
https://github.com/OpenSIPS/opensips/commit/ffff08b4c5e62f427586c07bc3de648fe42458e7
Author: Bogdan-Andrei Iancu <bogdan at opensips.org>
Date: 2026-05-26 (Tue, 26 May 2026)
Changed paths:
M modules/dialog/dlg_replication.c
Log Message:
-----------
[dialog] avoid code duplicate, allow falling thru the next label
Commit: 3b307e6057e04e2422f40f25d66305e8eba08fbb
https://github.com/OpenSIPS/opensips/commit/3b307e6057e04e2422f40f25d66305e8eba08fbb
Author: Bogdan-Andrei Iancu <bogdan at opensips.org>
Date: 2026-05-26 (Tue, 26 May 2026)
Changed paths:
M modules/dialog/dlg_db_handler.c
M modules/dialog/dlg_replication.c
Log Message:
-----------
Merge branch 'NormB-fix/dialog-cluster-sipi-crash'
Compare: https://github.com/OpenSIPS/opensips/compare/74800c5e19b9...3b307e6057e0
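
The error-path ordering described in item 1 of the first commit's log message, as an added example that is not OpenSIPS code: once an object is visible in a shared hash chain, a later parse failure must unlink it before freeing it. The struct, the function names, the packet layout and the single unlocked bucket are all assumptions made for illustration; real code would hold the bucket lock around link and unlink.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-ins (hypothetical, not OpenSIPS types): one hash bucket of dialogs. */
struct dlg { int id; char callid[16]; struct dlg *next; };
static struct dlg *bucket;            /* chain head that other workers would walk */

static void link_dlg(struct dlg *d)   { d->next = bucket; bucket = d; }
static void unlink_dlg(struct dlg *d) {
    for (struct dlg **pp = &bucket; *pp; pp = &(*pp)->next)
        if (*pp == d) { *pp = d->next; d->next = NULL; return; }
}

/* Pop one length-prefixed field from the packet; -1 if it is truncated. */
static int pop_field(const unsigned char **p, const unsigned char *end,
                     char *out, size_t cap) {
    if (*p >= end) return -1;
    size_t n = *(*p)++;
    if (n >= cap || (size_t)(end - *p) < n) return -1;
    memcpy(out, *p, n); out[n] = '\0'; *p += n;
    return 0;
}

/* Constructed packet layout: id byte, callid field, then a "vars" field
 * that is parsed only after the dialog is already linked into the bucket. */
struct dlg *replicated_create(const unsigned char *buf, size_t len) {
    const unsigned char *p = buf, *end = buf + len;
    char vars[16];
    struct dlg *d = calloc(1, sizeof *d);
    if (!d) return NULL;
    if (p >= end) goto pre_linking_error;
    d->id = *p++;
    if (pop_field(&p, end, d->callid, sizeof d->callid) < 0)
        goto pre_linking_error;       /* not linked yet: freeing is enough */
    link_dlg(d);
    if (pop_field(&p, end, vars, sizeof vars) < 0)
        goto post_linking_error;      /* linked: unlink before freeing */
    return d;
post_linking_error:
    unlink_dlg(d);                    /* no freed pointer stays in the chain */
pre_linking_error:                    /* reached by fall-through as well */
    free(d);
    return NULL;
}

int bucket_len(void) { int n = 0; for (struct dlg *d = bucket; d; d = d->next) n++; return n; }
int main(void) {                      /* constructed packet, vars field cut short */
    const unsigned char trunc[] = {8, 3,'a','b','c', 5,'x'};
    int ok = replicated_create(trunc, sizeof trunc) != NULL;
    printf("created=%d chain_len=%d\n", ok, bucket_len()); return 0;
}
```

Jumping to pre_linking_error from the second failure point instead would free the dialog while the bucket still points at it, which is the dangling pointer the log message describes.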