
core: fix fixup_spve_* reuse after free

- fixup_spve_* functions have an optimization that checks if a
parsed format is a simple string and, if this happens, it frees
the fixed param and re-does the fixup with type==string.
However, when freeing the result of the first fixup the original
string was freed too, and the next string fixup would be
called with freed memory instead of a valid string.
(this bug was hidden before the memleak fix in af8f3e1536d)
Andrei Pelinescu-Onciul 16 years ago
parent
commit
c6e33a080b
1 changed files with 2 additions and 1 deletions
  1. 2 1
      mod_fix.c

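--- a/mod_fix.c
+++ b/mod_fix.c
@@ -197,7 +197,6 @@ FIXUP_F2FP_T(igp_pvar_pvar, 1, 3, 1, FPARAM_INT|FPARAM_PVS, FPARAM_PVS)
 		int ret; \
 		char * bkp; \
 		fparam_t* fp; \
-		bkp=*param; \
 		if (param_no<=(no1)){ \
 			if ((ret=fix_param_types(FPARAM_PVE, param))<0){ \
 				ERR("Cannot convert function parameter %d to" #type2 "\n", \
@@ -206,6 +205,8 @@ FIXUP_F2FP_T(igp_pvar_pvar, 1, 3, 1, FPARAM_INT|FPARAM_PVS, FPARAM_PVS)
 			} else{ \
 				fp=(fparam_t*)*param; \
 				if ((ret==0) && (fp->v.pve->spec.getf==0)){ \
+					bkp=fp->orig; \
+					fp->orig=0; /* make sure orig string is not freed */ \
 					fparam_free_contents(fp); \
 					pkg_free(fp); \
 					*param=bkp; \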
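Review bot: With `bkp=*param;` removed in the first hunk, `bkp` is now assigned only on the `getf==0` path of the second hunk, so any other read of `bkp` in the rest of the macro body (which starts and ends outside these hunks) would be an uninitialized pointer; initializing it at the declaration, `char * bkp = NULL; \`, makes the single valid source explicit and keeps the compiler's uninitialized-use warning meaningful. The new lines also rely on `fp->orig` holding the original `*param` string that `fix_param_types()` stashed, which is inferred rather than visible here; if `orig` can ever be NULL, `*param` becomes NULL before the string re-fixup, so either a check that returns an error when `bkp` is NULL or a comment stating that `fix_param_types()` always sets `orig` on success would document the contract. The added comment would read better if it gave the reason rather than the mechanism, e.g. `/* detach orig: it is handed back via *param as the input of the string re-fixup */`, and `fp->orig=NULL` reads more clearly than `=0` for a pointer.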