<p>In sip_msg_cloner(), if updatable=0 reply_lump is placed inside the same chunk as new_msg;<br>
if updatable&gt;0 reply_lump is allocated.<br>
But later, in free_faked_req(), the code does not distinguish how reply_lump has been set up.<br>
We hit a call to shm_free(faked_req-&gt;reply_lump) with faked_req-&gt;reply_lump pointing inside the whole faked_req.</p>

<p style="font-size:small;-webkit-text-size-adjust:none;color:#666;">&mdash;<br>Reply to this email directly or <a href="https://github.com/OpenSIPS/opensips/issues/484#issuecomment-97607715">view it on GitHub</a>.</p>