
uac: do not free chunks already inserted as lumps

- in case of errors happening later, the pointers are already linked in
sip_msg_t and will be freed there; freeing them here as well would
result in a double free

Daniel-Constantin Mierla authored on 06/04/2021 10:17:35
Showing 1 changed files
... ...
@@ -875,7 +875,7 @@ static void replace_callback(struct dlg_cell *dlg, int type,
875 875
 	str old_uri;
876 876
 	str* new_uri;
877 877
 	str* new_display;
878
-	str buf;
878
+	str buf = STR_NULL;
879 879
 	char *p;
880 880
 	unsigned int uac_flag;
881 881
 	int dlgvar_index = 0;
... ...
@@ -968,11 +968,13 @@ static void replace_callback(struct dlg_cell *dlg, int type,
968 968
 		buf.len = new_display->len;
969 969
 		if (l==0 && (l=get_display_anchor(msg, hdr, body, &buf)) == 0) {
970 970
 			LM_ERR("failed to insert anchor\n");
971
-			goto free1;
971
+			pkg_free(buf.s);
972
+			return;
972 973
 		}
973 974
 		if (insert_new_lump_after(l, buf.s, buf.len, 0) == 0) {
974 975
 			LM_ERR("insert new display lump failed\n");
975
-			goto free1;
976
+			pkg_free(buf.s);
977
+			return;
976 978
 		}
977 979
 	}
978 980
 
... ...
@@ -980,20 +982,22 @@ static void replace_callback(struct dlg_cell *dlg, int type,
980 982
 	p = pkg_malloc( new_uri->len);
981 983
 	if (!p) {
982 984
 		PKG_MEM_ERROR;
983
-		goto free1;
985
+		return;
984 986
 	}
985
-	memcpy( p, new_uri->s, new_uri->len);
987
+	memcpy(p, new_uri->s, new_uri->len);
986 988
 
987 989
 	/* build del/add lumps */
988
-	l = del_lump( msg, old_uri.s-msg->buf, old_uri.len, 0);
990
+	l = del_lump(msg, old_uri.s-msg->buf, old_uri.len, 0);
989 991
 	if (l==0) {
990 992
 		LM_ERR("del lump failed\n");
991
-		goto free2;
993
+		pkg_free(p);
994
+		return;
992 995
 	}
993 996
 
994 997
 	if (insert_new_lump_after( l, p, new_uri->len, 0)==0) {
995 998
 		LM_ERR("insert new lump failed\n");
996
-		goto free2;
999
+		pkg_free(p);
1000
+		return;
997 1001
 	}
998 1002
 
999 1003
 	/* register tm callback to change replies,
... ...
@@ -1007,12 +1011,6 @@ static void replace_callback(struct dlg_cell *dlg, int type,
1007 1011
 	msg->msg_flags |= uac_flag;
1008 1012
 
1009 1013
 	return;
1010
-
1011
-free2:
1012
-	pkg_free(p);
1013
-
1014
-free1:
1015
-	pkg_free(buf.s);
1016 1014
 }
1017 1015
 
1018 1016
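Review bot: The ownership rule this fix depends on is not written down in the new code: once `insert_new_lump_after(l, buf.s, buf.len, 0)` (new line 975) or `insert_new_lump_after( l, p, new_uri->len, 0)` (new line 998) succeeds, the buffer belongs to the lump list of `msg`, and any later `pkg_free()` on it is a double free. With the shared `free1`/`free2` labels gone, every error site now frees by hand, so I would add a comment right after each successful insert, e.g. `/* buf.s is now owned by the msg lump list - must not be pkg_free()'d on later errors */`, and the same for `p`, so that an error path added below later does not reintroduce the bug. Separately, when the insert at new line 998 fails, the lump created by `del_lump()` at new line 990 stays linked in `msg`, so the old URI appears to be removed without a replacement; whether that matters depends on how the message is treated after this void callback returns, which is not visible here. The start of replace_callback lies outside the shown hunks.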