
modules_k/pua: Last fix (PUA memory leaks) caused crashes in hash-table mode

- Fix by Paul Pankhurst @ Crocodile RCS
pd 13 年之前
父節點
當前提交
d9af95bf84
共有 2 個文件被更改,包括 21 次插入7 次删除
  1. 10 3
      modules_k/pua/send_publish.c
  2. 11 4
      modules_k/pua/send_subscribe.c

+ 10 - 3
modules_k/pua/send_publish.c

@@ -341,7 +341,7 @@ void publ_cback_func(struct cell *t, int type, struct tmcb_params *ps)
 	}
 	size= sizeof(ua_pres_t)+ sizeof(str)+ 
 		(hentity->pres_uri->len+ hentity->tuple_id.len + 
-		 hentity->id.len + etag.len)* sizeof(char);
+		 hentity->id.len)* sizeof(char);
 	if(hentity->extra_headers)
 		size+= sizeof(str)+ hentity->extra_headers->len* sizeof(char);
 
@@ -391,10 +391,14 @@ void publ_cback_func(struct cell *t, int type, struct tmcb_params *ps)
 	presentity->flag|= hentity->flag;
 	presentity->event|= hentity->event;
 
-	presentity->etag.s= (char*)presentity+ size;
+	presentity->etag.s= (char*)shm_malloc(etag.len* sizeof(char));
+	if(presentity->etag.s== NULL)
+	{
+		LM_ERR("No more share memory\n");
+		goto error;
+	}
 	memcpy(presentity->etag.s, etag.s, etag.len);
 	presentity->etag.len= etag.len;
-	size+= presentity->etag.len;
 
 	if (dbmode==PUA_DB_ONLY)
 	{
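Review bot: The new failure branch after `shm_malloc(etag.len* sizeof(char))` jumps to `error` while `presentity` is still owned only by this function, and the one free visible in this patch (the cleanup after `done:`) runs only when `dbmode==PUA_DB_ONLY`. Both the allocation of `presentity` and the `error` label are outside the hunk, so this needs confirming. If that path does not release the record, hash-table mode leaks one shared-memory block for every failed etag allocation. Releasing it before the jump would close the gap: `shm_free(presentity); presentity= NULL;` ahead of `goto error;`. The message could also use `ERR_MEM(SHARE_MEM);` as the send_subscribe.c change in this commit does, so both files report the condition the same way.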
@@ -417,7 +421,10 @@ done:
 		*ps->param= NULL;
 	}
 	if(dbmode==PUA_DB_ONLY && presentity)
+	{
+		shm_free(presentity->etag.s);
 		shm_free(presentity);
+	}
 
 	free_results_puadb(res);
 	return;
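Review bot: `shm_free(presentity->etag.s);` is called unconditionally here, whereas the equivalent cleanup this commit adds to send_subscribe.c is guarded with `if (presentity->remote_contact.s)`. This cleanup is reached from code outside the hunk, presumably including the new `goto error` taken when the etag allocation fails, in which case `etag.s` is not a valid allocation at this point. Unless `shm_free` is guaranteed to accept NULL in every allocator build, guard it the same way: `if(presentity->etag.s) shm_free(presentity->etag.s);`. It is also worth confirming that every `presentity` reaching this branch in DB-only mode got its `etag.s` from `shm_malloc` and not from another buffer.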

+ 11 - 4
modules_k/pua/send_subscribe.c

@@ -564,7 +564,7 @@ void subs_cback_func(struct cell *t, int cb_type, struct tmcb_params *ps)
 	size= sizeof(ua_pres_t)+ 2*sizeof(str)+( pto->uri.len+
 		pfrom->uri.len+ pto->tag_value.len+ pfrom->tag_value.len
 		+msg->callid->body.len+ record_route.len+ hentity->contact.len+
-		hentity->id.len + contact.len)*sizeof(char);
+		hentity->id.len )*sizeof(char);
 
 	if(hentity->extra_headers)
 		size+= sizeof(str)+ hentity->extra_headers->len*sizeof(char);
@@ -653,10 +653,13 @@ void subs_cback_func(struct cell *t, int cb_type, struct tmcb_params *ps)
 	}
 
 	/* write the remote contact filed */
-	presentity->remote_contact.s= (char*)presentity+ size;
+	presentity->remote_contact.s= (char*)shm_malloc(contact.len* sizeof(char));
+	if(presentity->remote_contact.s== NULL)
+	{
+		ERR_MEM(SHARE_MEM);
+	}
 	memcpy(presentity->remote_contact.s, contact.s, contact.len);
 	presentity->remote_contact.len= contact.len;
-	size+= presentity->remote_contact.len;
 
 	presentity->event|= hentity->event;
 	presentity->flag= hentity->flag;
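Review bot: The comment above the new `shm_malloc(contact.len* sizeof(char))` still only says the remote contact is written, and nothing records that `remote_contact.s` is now a separate shared-memory block rather than part of the `presentity` allocation. Since this commit appears to fix exactly that kind of ownership mismatch, I would state it where the pointer is set: `/* remote_contact.s is its own shm block: free it before freeing presentity */`. `contact.len` is validated, if at all, outside this hunk. Depending on how `shm_malloc` treats a zero-byte request, an empty contact would either be reported as out-of-memory or leave a pointer that must still be freed, so a check that the length is positive before allocating would make the intent explicit.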
@@ -693,7 +696,11 @@ error:
 		if (presentity!=NULL)
 		{
 			delete_temporary_dialog_puadb(presentity);
-			if (need_to_free) shm_free(presentity);
+			if (need_to_free)
+			{
+				if (presentity->remote_contact.s) shm_free(presentity->remote_contact.s);
+				shm_free(presentity);
+			}
 		}
 	}
 	else